[Zope] Zope actively being cracked?
Matthew Marlowe
mmarlowe@jalan.com
Tue, 18 Jan 2000 18:55:04 -0800
Hello,
www.deploylinux.net, which uses Zope as its backend, was hacked
at 3:30pm Tuesday afternoon. We know this because two new users
were created in the /etc/shadow file and the following email was
sent:
From: root <root>
Message-Id: <200001182346.PAA16613@yoda.colo.jalan.com>
To: dz@noxiin.com
Subject: yoda.colo.jalan.com
* shadow detected, no login backdoor
* in.rshd (atif) installed!
* bLACK pANTHER kit installed @ yoda.colo.jalan.com / 216.33.174.217
The server runs only Zope 2.1, a recent version of sendmail, ftp, and an
amanda client over SSH. Everything else was disabled.
While identifying the source of the break-in, we noticed that a new file had
been created in one of the Zope directories, and that the root history logs
showed that this file had been executed. Therefore, we are trying to find out
if this is an active Zope exploit.
The server was protected by a firewall on lower level ports other than
SMTP, ftp, and http.
We've removed the new users and are in the process of resecuring the box.
We are interested in whether anyone else has seen similar events. Hopefully
this info will be beneficial to others in the community.
Thanks,
M. Marlowe
--
Matthew Marlowe http://www.jalan.com/ (p) 909.799.3805
mmarlowe@jalan.com Jalan Network Services (f) 909.799.3285
"Quality Web Hosting, Network, Linux, and Solaris Consulting"
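The three indicators the post relies on (unexpected accounts in /etc/shadow, a file under a Zope directory that root's shell history shows being executed, and in.rshd turned on as a login backdoor) can be checked mechanically. The script below is an added example written for this page, not code from the original message, from Zope, or from Jalan Network Services. All of its inputs are constructed samples: the account names, the /usr/local/zope path, the commands in the history, and the inetd.conf lines are hypothetical and stand in for the real files an administrator would read on the box.

```python
"""Triage checks for the indicators described in the post above.

Added example, not part of the original mailing-list message. Every input
below (shadow lines, root history lines, inetd.conf lines) is a constructed
sample; the account names, paths and commands are hypothetical.
"""
from typing import List, Set

# Constructed baseline: the accounts the administrator knows should exist.
BASELINE_SHADOW = """\
root:$1$abc:10970:0:99999:7:::
daemon:*:10970:0:99999:7:::
zope:!:10970:0:99999:7:::
mmarlowe:$1$def:10970:0:99999:7:::
"""

# Constructed "current" shadow: two unexpected accounts appended, as the post reports.
CURRENT_SHADOW = BASELINE_SHADOW + """\
intruder1:$1$xyz:10974:0:99999:7:::
intruder2:$1$uvw:10974:0:99999:7:::
"""

# Constructed root shell history; /usr/local/zope is a hypothetical install path.
ROOT_HISTORY = """\
ls -la /usr/local/zope/var
cd /usr/local/zope/lib/python/Products
./.x1
/usr/local/zope/var/.tmp/setup
tail -f /var/log/maillog
"""

# Constructed inetd.conf: an uncommented in.rshd line is the kind of backdoor the post mentions.
INETD_CONF = """\
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
"""


def shadow_accounts(shadow_text: str) -> Set[str]:
    """Return the set of account names in /etc/shadow-style text."""
    names = set()
    for line in shadow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.add(line.split(":", 1)[0])
    return names


def new_accounts(baseline: str, current: str) -> Set[str]:
    """Accounts present now that were not in the known-good baseline."""
    return shadow_accounts(current) - shadow_accounts(baseline)


def executed_under(history: str, directory: str) -> List[str]:
    """History lines that execute a file located under `directory`.

    Catches absolute invocations (/usr/local/zope/.../x) and relative ones
    (./x) run after a `cd` into the directory. Only the simple one-argument
    `cd` form is tracked, which is what a shell history normally contains.
    """
    directory = directory.rstrip("/")
    cwd = None
    hits = []
    for line in history.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        cmd = parts[0]
        if cmd == "cd" and len(parts) == 2:
            cwd = parts[1].rstrip("/")
            continue
        in_dir = cwd is not None and (cwd == directory or cwd.startswith(directory + "/"))
        if cmd.startswith(directory + "/"):
            hits.append(line)
        elif cmd.startswith("./") and in_dir:
            hits.append(line)
    return hits


def rshd_enabled(inetd_conf: str) -> bool:
    """True if an uncommented inetd entry starts in.rshd (the `shell` service)."""
    for line in inetd_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == "shell" or any(f.endswith("in.rshd") for f in fields):
            return True
    return False


if __name__ == "__main__":
    print("new accounts:", sorted(new_accounts(BASELINE_SHADOW, CURRENT_SHADOW)))
    print("executed under zope dir:", executed_under(ROOT_HISTORY, "/usr/local/zope"))
    print("in.rshd enabled:", rshd_enabled(INETD_CONF))
```

On a real machine the baseline would come from a copy of /etc/shadow taken before the incident (or from backups), the history from /root/.bash_history, and the inetd lines from /etc/inetd.conf; note that a rootkit which replaces system binaries can hide all three, so results from a compromised host are only a starting point, not proof of a clean state.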