[Zope] Zope actively being cracked?

Chris McDonough chrism@digicool.com
Tue, 18 Jan 2000 22:03:20 -0500


Matthew,

We have heard of no Zope exploits...

If you don't determine how it was cracked in the meantime, can you tar
up the whole zope dir and send it over to us?

Which ftpd were you running?

Matthew Marlowe wrote:
> 
> Hello,
> 
> www.deploylinux.net, which uses zope as its backend, was hacked
> at 3:30pm Tuesday afternoon.  We know this because two new users
> were created in the /etc/shadow file and the following email was
> sent:
> 
> From: root <root>
> Message-Id: <200001182346.PAA16613@yoda.colo.jalan.com>
> To: dz@noxiin.com
> Subject: yoda.colo.jalan.com
> * shadow detected, no login backdoor
> * in.rshd (atif) installed!
> * bLACK pANTHER kit installed @ yoda.colo.jalan.com / 216.33.174.217
> 
> The server runs only Zope 2.1, a recent version of sendmail, ftp, and
> an amanda client over SSH.  Everything else was disabled.
> 
> While identifying the source of the breakin, we noticed that a new
> file had been created in one of the zope directories, and that the
> root history logs showed that this file had been executed.  Therefore,
> we are trying to find out if this is an active zope exploit.
> The server was protected by a firewall on lower level ports other than
> SMTP, ftp, and http.
> 
> We've removed the new users and are in the process of resecuring the box.
> 
> We are interested if anyone else has seen similar events?  Hopefully
> this info will be beneficial to others in the community.
> 
> Thanks,
> M. Marlowe
> 
> --
> Matthew Marlowe             http://www.jalan.com/      (p) 909.799.3805
> mmarlowe@jalan.com   Jalan Network Services    (f) 909.799.3285
> "Quality Web Hosting, Network, Linux, and Solaris Consulting"

-- 
Chris McDonough
Digital Creations, Inc.
Zope - http://www.zope.org