[Zope-dev] possible compromise

robert robert at redcor.ch
Tue Oct 14 16:02:02 EDT 2003


What I believe happened in the case of the misuse of our servers is 
something like this:
- On server A we have Zope running behind Apache as a proxy.
 Somebody found this out in an unknown (to me) way.
- Our c-net was scanned for an MTA and server B was found (which only accepts 
mail from its own c-net).
- Now the abuser sends HTTP requests to A requesting to forward to port 25 on 
server B. Since these requests are now from within B's own c-net, they are 
accepted.

Robert

On Tuesday, 14 October 2003 21:51, Chris Pelton wrote:
> > > So, would anybody have any ideas how to determine if this might have
> > > been compromised? Or is there a known mail relay exploit through zope
> > > somehow? I've checked system binaries and everything seems fine. None
> > > of the python files seem to have been changed since well before the
> > > relaying started.
>
> >It might help to know the version of zope which you may be able to find
> >it in the version.txt file distributed with zope releases.  That said,
> >there hasn't been a known relay exploit to the best of my knowledge,
> >but there are many ways to implement a web application that sends mail
> >in zope, and it wouldn't be at all surprising if the implementation of
> >your system was vulnerable.
> >
> >Do you know enough about Zope to discuss the implementation of your
> >web application?  We can throw out a bazillion ideas but thats a
> >painfully slow way to determine what really happened.
>
> Unfortunately I don't know much about zope. There are several version.txt
> files in the tree -
>
> ./lib/python/version.txt - yields Zope 2.2.5 (source release, python 1.5.2,
> linux2)
>
> but there is also a Zope-2.3.3-src directory, although I don't find any
> binaries in there that match what look to be the running binaries.
>
> The thing is, this machine had sendmail configure for no-relay, but there
> were several virtual hosts in apache, and the mail was coming from one of
> those hosts. I'm thinking they could have just taken advantage of some Zope
> functionality, not necessarily a break-in?
>
> Thanks again,
> Chris
>
>
>
>
> _______________________________________________
> Zope-Dev maillist  -  Zope-Dev at zope.org
> http://mail.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists -
>  http://mail.zope.org/mailman/listinfo/zope-announce
>  http://mail.zope.org/mailman/listinfo/zope )

-- 
Kind regards

Robert Rottermann
www.redCOR.ch
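One way to spot the pattern Robert describes in Apache's own access log, as an added example that is not from this thread: flag CONNECT requests and absolute-URI request lines that name a host other than the ones the proxy is meant to serve. The LOCAL_HOSTS set and the log lines are constructed assumptions, not data from the original post.

```python
"""Flag forward-proxy style requests in Apache combined-format access logs.

A reverse proxy for Zope should only ever see relative targets such as
"/index_html". A CONNECT request, or a request line whose target is an
absolute URI naming some other host, means a client asked Apache to act
as a forward proxy, which is how server B's port 25 was reached here.
"""
import re
from urllib.parse import urlsplit

# Apache "combined" format: client ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Hosts this proxy is meant to serve (assumed values; adjust per deployment).
LOCAL_HOSTS = {"www.example.org", "zope.example.org"}


def classify(line):
    """Return a reason string if the request looks like proxy abuse, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    if method == "CONNECT":
        # CONNECT host:port is only meaningful for a forward proxy tunnel.
        return f"CONNECT tunnel to {target}"
    if "://" in target:
        # Absolute-URI request line: client asked the proxy to fetch elsewhere.
        parts = urlsplit(target)
        if parts.hostname not in LOCAL_HOSTS:
            if parts.port == 25:
                return f"absolute URI to SMTP port on {parts.hostname}"
            return f"absolute URI to foreign host {parts.hostname}"
    return None


def suspicious_requests(lines):
    """Return (client, reason) pairs for every log line classify() flags."""
    return [(LOG_RE.match(l).group("client"), classify(l)) for l in lines if classify(l)]


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.7 - - [14/Oct/2003:20:01:12 +0200] "GET /index_html HTTP/1.0" 200 512',
    '198.51.100.9 - - [14/Oct/2003:20:02:41 +0200] "GET http://192.0.2.25:25/ HTTP/1.0" 200 0',
    '198.51.100.9 - - [14/Oct/2003:20:02:45 +0200] "CONNECT 192.0.2.25:25 HTTP/1.0" 200 -',
    '203.0.113.4 - - [14/Oct/2003:20:03:02 +0200] "GET http://www.example.org/ HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for client, reason in suspicious_requests(SAMPLE_LOG):
        print(client, reason)
```

Run against a real log with `suspicious_requests(open(path))`; any hit on a reverse proxy that should never forward is worth checking the `ProxyRequests` setting for.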



