[Zope-dev] possible compromise
Chris Pelton
cjpelton at ucdavis.edu
Tue Oct 14 15:51:14 EDT 2003
>> So, would anybody have any ideas how to determine if this might have
>> been compromised? Or is there a known mail relay exploit through zope
>> somehow? I've checked system binaries and everything seems fine. None of
>> the python files seem to have been changed since well before the
>> relaying started.
>It might help to know the version of zope, which you may be able to find
>in the version.txt file distributed with zope releases. That said,
>there hasn't been a known relay exploit to the best of my knowledge,
>but there are many ways to implement a web application that sends mail
>in zope, and it wouldn't be at all surprising if the implementation of
>your system was vulnerable.
>Do you know enough about Zope to discuss the implementation of your
>web application? We can throw out a bazillion ideas but that's a
>painfully slow way to determine what really happened.
Unfortunately I don't know much about zope. There are several version.txt files in the tree -
./lib/python/version.txt - yields Zope 2.2.5 (source release, python 1.5.2, linux2)
but there is also a Zope-2.3.3-src directory, although I don't find any binaries in there that
match what look to be the running binaries.
The thing is, this machine had sendmail configured for no-relay, but there were several virtual hosts
in apache, and the mail was coming from one of those hosts. I'm thinking they could have just taken
advantage of some Zope functionality, not necessarily a break-in?
Thanks again,
Chris
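The thread's suspicion is that a mail-sending feature of the web application, rather than a break-in, was used as a relay: a form handler that lets the request choose the recipient or inject extra headers is an open relay reachable over HTTP. The following is an added example, not code from the list or from Zope, showing the audit pattern to look for beside a hardened composer; `ALLOWED_RECIPIENTS`, `FIXED_SENDER` and the function names are constructed assumptions.

```python
"""Contact-form mail composition: vulnerable pattern vs. hardened form.

Constructed example for a mailing-list thread about suspected relay abuse.
Nothing here sends mail; it only builds (or refuses to build) a message.
"""
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed site policy (assumption): only these mailboxes may receive form mail.
ALLOWED_RECIPIENTS = {"webmaster@example.org", "sales@example.org"}
# The envelope/From is fixed by the site, never taken from the request.
FIXED_SENDER = "www-form@example.org"


class MailPolicyError(ValueError):
    """Raised when a request would turn the form into a relay."""


def vulnerable_compose(form):
    """The pattern an audit should flag: To, From and Subject copied verbatim
    from the request, so any recipient (and any extra header line) is accepted."""
    return (f"From: {form.get('from', FIXED_SENDER)}\r\n"
            f"To: {form.get('to', '')}\r\n"
            f"Subject: {form.get('subject', '')}\r\n\r\n"
            f"{form.get('body', '')}")


def _header_value(name, value, max_len=200):
    """Reject line breaks (which would append further header lines) and oversize values."""
    if "\r" in value or "\n" in value:
        raise MailPolicyError(f"line break in {name} header")
    if len(value) > max_len:
        raise MailPolicyError(f"{name} header too long")
    return value


def check_recipient(raw_to):
    """Return the canonical recipient address if it is on the allow list."""
    _header_value("To", raw_to)
    _, addr = parseaddr(raw_to)          # strips display names like "Web Master <...>"
    addr = addr.lower()
    if addr not in ALLOWED_RECIPIENTS:
        raise MailPolicyError("recipient not permitted")
    return addr


def compose_form_mail(form):
    """Build the message from an untrusted form dict (keys: to, subject, body, reply_to)."""
    msg = EmailMessage()
    msg["From"] = FIXED_SENDER
    msg["To"] = check_recipient(form.get("to", ""))
    msg["Subject"] = _header_value("Subject", form.get("subject", "(no subject)"))
    reply_to = form.get("reply_to")
    if reply_to:
        _, reply_addr = parseaddr(_header_value("Reply-To", reply_to))
        if "@" not in reply_addr:
            raise MailPolicyError("malformed Reply-To")
        msg["Reply-To"] = reply_addr
    msg.set_content(form.get("body", ""))
    return msg


def policy_allows(form):
    """True if the hardened composer would accept this request, False if it is refused."""
    try:
        compose_form_mail(form)
        return True
    except MailPolicyError:
        return False


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, two that a relay abuser would send.
    legit = {"to": "Web Master <WEBMASTER@example.org>", "subject": "Hi", "body": "hello"}
    relay = {"to": "victim@elsewhere.invalid", "subject": "spam", "body": "..."}
    inject = {"to": "webmaster@example.org", "subject": "Hi\nBcc: victim@elsewhere.invalid"}
    for req in (legit, relay, inject):
        print(policy_allows(req), "vulnerable composer would still emit:",
              vulnerable_compose(req).splitlines()[:3])
```

The vulnerable composer never refuses anything, which is why a sendmail instance correctly locked down against SMTP relaying can still emit spam on behalf of a virtual host: the mail originates locally from the web application. The hardened composer pins the sender, resolves the recipient against a fixed allow list, and rejects any header value carrying a line break.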