[Zope-dev] possible compromise

Chris Pelton cjpelton at ucdavis.edu
Mon Oct 13 20:36:51 EDT 2003


Hello,

I'm trying to do some forensics on a Red Hat 6.2 box that was somehow 
turned into a mail relay and may have been compromised. The mail logs 
show the mail coming from an Apache virtual host address, and this 
machine was running Zope, and the list of hotfix files I see is:

5220 May 25  2001 Hotfix_2000-10-02.tar.gz
2800 May 25  2001 Hotfix_2000-10-11.tgz
3002 May 25  2001 Hotfix_2000-12-08.tgz
2839 May 25  2001 Hotfix_2000-12-15a.tgz
2386 May 25  2001 Hotfix_2000-12-18.tgz
1899 May 25  2001 Hotfix_2001-02-23.tgz
3292 May 25  2001 Hotfix_2001-03-08.tgz
2492 May 25  2001 Hotfix_2001-05-01.tgz
30720 May 25  2001 hotfix.tar

So, would anybody have any ideas how to determine if this might have 
been compromised? Or is there a known mail relay exploit through Zope 
somehow? I've checked system binaries and everything seems fine. None of 
the Python files seem to have been changed since well before the 
relaying started.

Not sure what version of Zope this is - it was built locally, not an RPM.

Thanks in advance,
Chris Pelton
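The two checks the post describes (which hosts handed mail to the MTA, and which files changed once the relaying began) can be scripted so they are repeatable and can be re-run after any new lead. The following is an added example written for this page, not code from the poster or from Zope. It tallies the relay= field of sendmail "from=" log lines, and it builds a filesystem timeline against a cutoff time. The one caveat worth building in: the post checked modification times, but mtime is trivially backdated (touch -r or utime()), whereas ctime changes whenever the inode is written and cannot be set from user space, so the timeline keys on ctime by default. The log lines, paths, timestamps and the cutoff below are all constructed for the example.

```python
import os
import re
from collections import Counter

# Sendmail "from=" lines carry the relay= field that names the host
# (or local user) which injected the message into the MTA.
RELAY_RE = re.compile(r"relay=([^,\s]+(?: \[[^\]]+\])?)")

# Constructed sample maillog lines (not taken from the post's system).
SAMPLE_MAILLOG = [
    "Oct 12 03:14:07 www sendmail[2104]: h9CAE7x02104: from=<bulk@example.net>, "
    "size=2310, class=0, nrcpts=40, proto=SMTP, daemon=MTA, relay=[192.0.2.77]",
    "Oct 12 03:14:08 www sendmail[2106]: h9CAE7x02104: to=<victim@example.org>, "
    "delay=00:00:01, mailer=esmtp, relay=mx.example.org. [198.51.100.9], stat=Sent",
    "Oct 12 03:14:09 www sendmail[2108]: h9CAE9x02108: from=<bulk@example.net>, "
    "size=2310, class=0, nrcpts=40, proto=SMTP, daemon=MTA, relay=[192.0.2.77]",
    "Oct 12 04:02:00 www sendmail[2210]: h9CB20x02210: from=root, size=120, "
    "class=0, nrcpts=1, relay=root@localhost",
]

# Constructed cutoff: roughly when the relaying is first seen in the logs.
CUTOFF = 1065830400

# Constructed (path, mtime, ctime) entries standing in for os.lstat() results.
# The second entry models a file whose mtime was backdated after the cutoff:
# it is invisible to an mtime-only check but shows up in the ctime timeline.
SAMPLE_ENTRIES = [
    ("/usr/local/zope/lib/python/Main.py", 990800000, 990800000),
    ("/usr/local/zope/Extensions/Hook.py", 990800000, 1065900000),
    ("/var/spool/mqueue/qfh9CAE7x02104", 1065950000, 1065950000),
    ("/tmp/.x/bot", 1066000000, 1066000000),
]


def relay_counts(log_lines):
    """Count how many messages each relay= source injected (from= lines only;
    to= lines describe outbound delivery and are skipped)."""
    counts = Counter()
    for line in log_lines:
        if "from=" not in line:
            continue
        m = RELAY_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def filter_timeline(entries, cutoff, use_ctime=True):
    """Return (path, mtime, ctime) entries whose selected timestamp is at or
    after cutoff, oldest first. ctime is preferred because it cannot be
    backdated from user space, unlike mtime."""
    idx = 2 if use_ctime else 1
    hits = [e for e in entries if e[idx] >= cutoff]
    hits.sort(key=lambda e: e[idx])
    return hits


def walk_tree(root):
    """Yield (path, mtime, ctime) for every entry under root, using lstat so
    symlinks are reported as themselves and not followed."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield (path, st.st_mtime, st.st_ctime)


if __name__ == "__main__":
    for relay, n in relay_counts(SAMPLE_MAILLOG).most_common():
        print("%5d  %s" % (n, relay))
    print("--- ctime timeline (constructed entries) ---")
    for path, mtime, ctime in filter_timeline(SAMPLE_ENTRIES, CUTOFF):
        print("%d  %d  %s" % (ctime, mtime, path))
    # On a real box: filter_timeline(walk_tree("/"), CUTOFF)
```

Run the ctime timeline over the whole disk (or a dd image mounted read-only, so the examination itself does not update atimes or ctimes), and treat any entry whose mtime is older than its ctime by months as a backdating candidate. The relay tally gives the list of source addresses to compare against the Apache virtual host address the post mentions.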
