[Zope-dev] possible compromise

Chris Pelton cjpelton at ucdavis.edu
Tue Oct 14 16:08:46 EDT 2003


Yes, that's what I'm thinking happened here, but I need to verify that 
was the case.  Are there any logs in zope that could help track this 
down, or a known configuration that would allow it to happen? Also, for 
future reference, can we disable this? Any ideas how someone might be 
able to tell Zope is running?

-Chris


robert wrote:

>What I believe happened in the case of the misuse of our servers is 
>something like:
>- On server A we have zope running behind Apache as a proxy.
> Somebody found this out in an unknown (to me) way.
>- Our c-net was scanned for a MTA and server B was found (which only accepts 
>mail from its own c-net).
>- Now the abuser sends http requests to A requesting to forward to port 25 on 
>server B. Since these requests are now from within B's own c-net, they are 
>accepted.
>
>Robert
>
>On Tuesday, 14 October 2003 21:51, Chris Pelton wrote:
>
>>> So, would anybody have any ideas how to determine if this might have
>>> been compromised? Or is there a known mail relay exploit through zope
>>> somehow? I've checked system binaries and everything seems fine. None of
>>> the python files seem to have been changed since well before the
>>> relaying started.
>>
>>>It might help to know the version of zope which you may be able to find
>>>it in the version.txt file distributed with zope releases.  That said,
>>>there hasn't been a known relay exploit to the best of my knowledge,
>>>but there are many ways to implement a web application that sends mail
>>>in zope, and it wouldn't be at all surprising if the implementation of
>>>your system was vulnerable.
>>>
>>>Do you know enough about Zope to discuss the implementation of your
>>>web application?  We can throw out a bazillion ideas but that's a
>>>painfully slow way to determine what really happened.
>>
>>Unfortunately I don't know much about zope. There are several version.txt
>>files in the tree -
>>
>>./lib/python/version.txt - yields Zope 2.2.5 (source release, python 1.5.2,
>>linux2)
>>
>>but there is also a Zope-2.3.3-src directory, although I don't find any
>>binaries in there that match what look to be the running binaries.
>>
>>The thing is, this machine had sendmail configured for no-relay, but there
>>were several virtual hosts in apache, and the mail was coming from one of
>>those hosts. I'm thinking they could have just taken advantage of some Zope
>>functionality, not necessarily a break-in?
>>
>>Thanks again,
>>Chris
>>
>>
>>
>>
>>_______________________________________________
>>Zope-Dev maillist  -  Zope-Dev at zope.org
>>http://mail.zope.org/mailman/listinfo/zope-dev
>>**  No cross posts or HTML encoding!  **
>>(Related lists -
>> http://mail.zope.org/mailman/listinfo/zope-announce
>> http://mail.zope.org/mailman/listinfo/zope )
>
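One concrete answer to the question about logs, as an added example rather than anything posted in this thread: if Zope sits behind Apache as Robert describes, the abuse would leave traces in Apache's access log, not Zope's, because the abuser's requests name a remote host (an absolute URI or a CONNECT tunnel) instead of a local path. The script below assumes Apache's combined log format and works over a few constructed sample lines; it flags every request that treated the server as a forward proxy and marks those aimed at port 25 as candidate relay abuse.

```python
import re

# Constructed sample lines in Apache combined log format; not taken from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Oct/2003:21:30:02 -0700] "GET /index_html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [14/Oct/2003:21:31:10 -0700] "CONNECT 192.0.2.25:25 HTTP/1.0" 200 0 "-" "-"
203.0.113.9 - - [14/Oct/2003:21:31:12 -0700] "GET http://192.0.2.25:25/ HTTP/1.0" 200 0 "-" "-"
198.51.100.4 - - [14/Oct/2003:21:32:00 -0700] "GET http://www.example.org/ HTTP/1.0" 403 0 "-" "-"
"""

# Combined log format: client ident user [time] "request" status bytes ...
LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})')
# A request target that is an absolute URI means the client treated us as a forward proxy.
ABS_URI_RE = re.compile(r'^[a-zA-Z][a-zA-Z0-9+.-]*://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?')
# CONNECT targets are host:port tunnels, the usual way to reach SMTP through an HTTP proxy.
CONNECT_RE = re.compile(r'^(?P<host>[^:\s]+):(?P<port>\d+)$')


def proxy_target(request):
    """Return (host, port) when the request line asks the server to proxy, else None."""
    parts = request.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    m = CONNECT_RE.match(target) if method == "CONNECT" else ABS_URI_RE.match(target)
    if not m:
        return None
    port = m.group("port") or (443 if target.lower().startswith("https://") else 80)
    return m.group("host"), int(port)


def find_proxy_relay_attempts(log_text, smtp_port=25):
    """Flag proxied requests; those aimed at the SMTP port are candidate relay abuse."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a parseable access-log line
        target = proxy_target(m.group("request"))
        if target is None:
            continue                      # ordinary request for a local path
        host, port = target
        hits.append({"client": m.group("client"), "time": m.group("time"),
                     "host": host, "port": port, "status": int(m.group("status")),
                     "smtp_relay": port == smtp_port})
    return hits
```

A 200 on a CONNECT or absolute-URI request means Apache actually forwarded it, which is the case to worry about; a 403 means the proxy refused, as it does once ProxyRequests is off.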