[Zope-dev] possible compromise

robert robert at redcor.ch
Tue Oct 14 00:34:07 EDT 2003


Never heard of such an abuse either.
Only we are victims of one such.

So I would be interested in any findings.

Robert

On Tuesday, 14 October 2003 03:46, Paul Winkler wrote:
> On Mon, Oct 13, 2003 at 05:36:51PM -0700, Chris Pelton wrote:
> > Hello,
> >
> > I'm trying to do some forensics on a redhat 6.2 box that was somehow
> > turned into a mail relay and may have been compromised. The mail logs
> > show the mail coming from an apache virtual host address, and this
> > machine was running zope, and the list of hotfix files I see is:
> >
> > 5220 May 25  2001 Hotfix_2000-10-02.tar.gz
> > 2800 May 25  2001 Hotfix_2000-10-11.tgz
> > 3002 May 25  2001 Hotfix_2000-12-08.tgz
> > 2839 May 25  2001 Hotfix_2000-12-15a.tgz
> > 2386 May 25  2001 Hotfix_2000-12-18.tgz
> > 1899 May 25  2001 Hotfix_2001-02-23.tgz
> > 3292 May 25  2001 Hotfix_2001-03-08.tgz
> > 2492 May 25  2001 Hotfix_2001-05-01.tgz
>
> if you're worried that one of those is a trojan, you could re-download
> the hotfixes here and use diff or cmp:
> http://zope.org/Products/Zope/swpackage_view
>
> > So, would anybody have any ideas how to determine if this might have
> > been compromised? Or is there a known mail relay exploit through zope
> > somehow?
>
> never heard of one, but if you have a MailHost with wide open permissions
> somebody could pretty easily write a client script to abuse it.
>
> > Not sure what version of zope this is
>
> That would be listed in the output on startup, and you can also check by
> visiting http://zope_server:zope_port/Control_Panel/manage_main

-- 
Kind regards

Robert Rottermann
www.redCOR.ch
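A scripted form of the check Paul suggests in the quoted reply (re-download the hotfixes and use diff or cmp), added here as an example; it is not code from the thread or from the Zope project. It assumes the freshly downloaded reference tarballs already sit in a separate directory, compares every file by full-content SHA-256 rather than by the size and date shown in an `ls` listing (both of which can be preserved by whoever replaced a file), and reports files that are modified, missing from the host, or present on the host but absent from the reference set. The file names come from the listing in the thread; the file contents and the directory layout are constructed for the demonstration.

```python
"""Compare installed hotfix tarballs against reference copies by content hash.

Added example, not from the original thread. Assumes the reference tarballs
were already downloaded into their own directory.
"""
import hashlib
import os
import tempfile

# Names taken from the listing quoted in the thread; contents below are constructed.
HOTFIX_NAMES = [
    "Hotfix_2000-10-02.tar.gz",
    "Hotfix_2000-10-11.tgz",
    "Hotfix_2000-12-08.tgz",
]


def sha256_of(path, chunk_size=65536):
    """Stream a file through SHA-256 so large tarballs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_trees(local_dir, reference_dir):
    """Return {filename: status} for every file found in either directory.

    Statuses: 'ok' (identical bytes), 'modified' (in both, bytes differ),
    'missing_locally' (only in the reference set), 'unexpected' (only on the host).
    Sizes and mtimes are deliberately ignored; only the content hash is trusted.
    """
    local = set(os.listdir(local_dir))
    reference = set(os.listdir(reference_dir))
    report = {}
    for name in sorted(local | reference):
        if name not in local:
            report[name] = "missing_locally"
        elif name not in reference:
            report[name] = "unexpected"
        elif sha256_of(os.path.join(local_dir, name)) == sha256_of(
            os.path.join(reference_dir, name)
        ):
            report[name] = "ok"
        else:
            report[name] = "modified"
    return report


def build_sample_dirs():
    """Create a constructed local/reference pair under a temp dir and return both paths.

    The local tree has one tarball whose bytes differ from the reference but have
    the same length (a size-only check would pass), one reference file it lacks,
    and one extra file the reference set does not contain.
    """
    root = tempfile.mkdtemp(prefix="hotfix-check-")
    local_dir = os.path.join(root, "local")
    reference_dir = os.path.join(root, "reference")
    os.mkdir(local_dir)
    os.mkdir(reference_dir)
    for name in HOTFIX_NAMES:
        with open(os.path.join(reference_dir, name), "wb") as fh:
            fh.write(b"reference bytes for " + name.encode())
    # Same length as the reference content, different bytes (constructed tampering).
    with open(os.path.join(local_dir, HOTFIX_NAMES[0]), "wb") as fh:
        fh.write(b"TAMPERED! bytes for " + HOTFIX_NAMES[0].encode())
    # Untouched copy.
    with open(os.path.join(local_dir, HOTFIX_NAMES[1]), "wb") as fh:
        fh.write(b"reference bytes for " + HOTFIX_NAMES[1].encode())
    # HOTFIX_NAMES[2] is intentionally absent locally; one constructed extra file instead.
    with open(os.path.join(local_dir, "Hotfix_unknown.tgz"), "wb") as fh:
        fh.write(b"not in the reference set")
    return local_dir, reference_dir


if __name__ == "__main__":
    # Replace build_sample_dirs() with the real hotfix directory and the
    # directory holding the re-downloaded copies when using this on a host.
    for filename, status in compare_trees(*build_sample_dirs()).items():
        print(f"{status:16} {filename}")
```

Anything reported as `modified` or `unexpected` is worth pulling off the host for closer inspection, and `missing_locally` tells you which published fixes were never applied at all, which matters as much for the forensics as a trojaned file does.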



