[Zope-dev] possible compromise

Paul Winkler pw_lists at slinkp.com
Mon Oct 13 21:46:43 EDT 2003


On Mon, Oct 13, 2003 at 05:36:51PM -0700, Chris Pelton wrote:
> Hello,
> 
> I'm trying to do some forensics on a redhat 6.2 box that was somehow 
> turned into a mail relay and may have been compromised. The mail logs 
> show the mail coming from an apache virtual host address, and this 
> machine was running zope, and the list of hotfix files I see is:
> 
> 5220 May 25  2001 Hotfix_2000-10-02.tar.gz
> 2800 May 25  2001 Hotfix_2000-10-11.tgz
> 3002 May 25  2001 Hotfix_2000-12-08.tgz
> 2839 May 25  2001 Hotfix_2000-12-15a.tgz
> 2386 May 25  2001 Hotfix_2000-12-18.tgz
> 1899 May 25  2001 Hotfix_2001-02-23.tgz
> 3292 May 25  2001 Hotfix_2001-03-08.tgz
> 2492 May 25  2001 Hotfix_2001-05-01.tgz

If you're worried that one of those is a trojan, you could re-download
the hotfixes here and use diff or cmp:
http://zope.org/Products/Zope/swpackage_view

> So, would anybody have any ideas how to determine if this might have 
> been compromised? Or is there a known mail relay exploit through zope 
> somehow?

Never heard of one, but if you have a MailHost with wide open permissions
somebody could pretty easily write a client script to abuse it.

> Not sure what version of zope this is

That would be listed in the output on startup, and you can also check by
visiting http://zope_server:zope_port/Control_Panel/manage_main

-- 

Paul Winkler
http://www.slinkp.com
Look! Up in the sky! It's NANO PHYSICIAN!
(random hero from isometric.spaceninja.com)
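The re-download-and-cmp check suggested in the reply above, worked through as an added example (not code from the thread or from the Zope project). It assumes the freshly downloaded hotfix archives have been placed in a reference directory beside the directory of archives found on the box; the directory names and the file contents are constructed for the demonstration, so the "archives" are tiny text files rather than real tarballs.

```shell
#!/bin/sh
# Added example: byte-for-byte comparison of the hotfix archives found on a
# possibly compromised host against freshly downloaded reference copies,
# using cmp as the reply above suggests. Not part of the original thread.

# compare_hotfixes LOCAL_DIR REF_DIR
# For every Hotfix_* archive in LOCAL_DIR, report OK (identical to the
# reference copy), MISMATCH (differs) or MISSING (no reference copy, so it
# cannot be vouched for). Returns 0 only if every local archive matched.
compare_hotfixes() {
    local_dir=$1
    ref_dir=$2
    bad=0
    for f in "$local_dir"/Hotfix_*; do
        [ -f "$f" ] || continue            # no archives at all: glob stays literal
        name=$(basename "$f")
        if [ ! -f "$ref_dir/$name" ]; then
            printf 'MISSING  %s (no reference copy to compare against)\n' "$name"
            bad=1
        elif cmp -s "$f" "$ref_dir/$name"; then
            printf 'OK       %s\n' "$name"
        else
            # cmp -s reports inequality silently; rerun without -s to show
            # the first differing byte offset for the investigator.
            printf 'MISMATCH %s: %s\n' "$name" "$(cmp "$f" "$ref_dir/$name" 2>&1 | head -n 1)"
            bad=1
        fi
    done
    return $bad
}

# setup_demo DIR: constructed sample data (hypothetical, not real hotfixes):
# one archive that matches its reference, one that has been altered locally,
# and one for which no reference copy was downloaded.
setup_demo() {
    demo=$1
    mkdir -p "$demo/local" "$demo/ref"
    printf 'hotfix payload A\n' > "$demo/ref/Hotfix_2000-10-02.tar.gz"
    cp "$demo/ref/Hotfix_2000-10-02.tar.gz" "$demo/local/Hotfix_2000-10-02.tar.gz"
    printf 'hotfix payload B\n' > "$demo/ref/Hotfix_2001-05-01.tgz"
    printf 'hotfix payload B\nextra bytes appended locally\n' > "$demo/local/Hotfix_2001-05-01.tgz"
    printf 'unknown archive\n' > "$demo/local/Hotfix_2001-03-08.tgz"
}

# Stand-alone run against the constructed data.
demo_dir=$(mktemp -d)
setup_demo "$demo_dir"
compare_hotfixes "$demo_dir/local" "$demo_dir/ref" || echo "at least one archive needs a closer look"
rm -rf "$demo_dir"
```

A clean cmp run only shows that the archives match what the vendor serves today; it says nothing about what was unpacked and installed from them, so the installed Zope tree still needs to be compared separately.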


