[Zope] Zope actively being cracked?

Christopher Petrilli petrilli@digicool.com
Tue, 18 Jan 2000 22:17:21 -0500


On 1/18/00 9:55 PM, Matthew Marlowe at mmarlowe@jalan.com wrote:

> Hello,
> 
> www.deploylinux.net, which uses zope as its backend, was hacked
> on 3:30pm Tuesday afternoon.  We know this because two new users
> were created in the /etc/shadow file and the following email was
> sent:
> 
> From: root <root>
> Message-Id: <200001182346.PAA16613@yoda.colo.jalan.com>
> To: dz@noxiin.com
> Subject: yoda.colo.jalan.com
> * shadow detected, no login backdoor
> * in.rshd (atif) installed!
> * bLACK pANTHER kit installed @ yoda.colo.jalan.com / 216.33.174.217

I will have to do some research as to the "hack" that was installed, but
it's very clear to me that this was done by a "script kiddie", e.g., someone
who has no skill, simply runs scripts that try all the available attacks.
This figures more in my response below.

> The server runs only Zope 2.1, a recent version of sendmail, ftp, and an
> amanda client over SSH.  Everything else was disabled.

Sendmail, that illustrious security hole in the making :-)  Depending on
what FTP server you're running there are potentially dozens of holes.  Also
how you're restricting Amanda could matter...

Having said that, I'm not ruling out an attack via Zope, simply that we are
unaware of one that could be made by anyone that did not have Manager privs
already in Zope.

> While identifying the source of the break-in, we noticed that a new file had
> been created in one of the zope directories, and that the root history logs
> showed that this file had been executed.  Therefore, we are trying to find
> out if this is an active zope exploit.

This is suspicious, but not a damning thing.  As I said above, this is a
"script kiddie" attack, and I would be *very* surprised if anyone has
developed an attack against Zope that can be "scripted".  It is not,
however, impossible.

> The server was protected by a firewall on lower level ports other than
> SMTP, ftp, and http.

What does this mean exactly?

> We've removed the new users and are in the process of resecuring the box.

After a compromise, no box is rescuable, period.  You *must* re-install from
a proven source, otherwise you risk leaving back-doors.  No competent hacker
would have only one.

> We are interested if anyone else has seen similar events?  Hopefully this
> info will be beneficial to others in the community.

What we need (and please respond in private!) is:

    FULL system configuration
    Full Zope configuration

It's important to understand attack vectors before understanding what
happened.

Chris
-- 
| Christopher Petrilli        Python Powered        Digital Creations, Inc.
| petrilli@digicool.com                             http://www.digicool.com
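As an added defender-side example (not part of this thread or of Zope), the three indicators Matthew describes can be checked mechanically against a pre-incident baseline: accounts that were not there before, an active in.rshd entry in inetd.conf, and root's shell history executing a file under the Zope tree. All inputs, usernames and the /var/zope install path are constructed assumptions.

```python
# Added triage helpers for the indicators named in this thread: new accounts,
# in.rshd enabled via inetd, and a file under the Zope tree run from root's
# history. Inputs are constructed; a real run reads live files and a baseline.
from typing import List, Set
BASELINE_USERS: Set[str] = {"root", "zope", "amanda"}  # constructed baseline
SHADOW_NOW = """root:x:10975:0:99999:7:::
zope:x:10975:0:99999:7:::
amanda:x:10975:0:99999:7:::
wwwrun2:x:10975:0:99999:7:::
guest2:x:10975:0:99999:7:::
"""  # constructed /etc/shadow-style content, hash fields replaced with 'x'
INETD_NOW = """ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
shell stream tcp nowait root /usr/sbin/tcpd in.rshd
"""  # constructed inetd.conf excerpt; only ftp was meant to be active
ROOT_HISTORY = """ls -la /var/zope
cd /var/zope/var
./.x
cat /etc/shadow
"""  # constructed root shell history; /var/zope is an assumed install path

def new_accounts(shadow_text: str, baseline: Set[str]) -> List[str]:
    """Usernames present now that were not in the baseline."""
    names = {l.split(":", 1)[0] for l in shadow_text.splitlines() if ":" in l}
    return sorted(names - baseline)

def enabled_services(inetd_text: str, daemon: str) -> List[str]:
    """Active (uncommented) inetd lines whose server program is `daemon`."""
    return [l for l in inetd_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")
            and l.split()[-1].endswith(daemon)]

def executed_under(history_text: str, tree: str) -> List[str]:
    """Absolute paths of files run by path from inside `tree`, following cd."""
    cwd, hits = "/", []
    for cmd in history_text.splitlines():
        parts = cmd.split()
        if not parts:
            continue
        if parts[0] == "cd" and len(parts) > 1:  # track the working directory
            cwd = parts[1] if parts[1].startswith("/") else cwd.rstrip("/") + "/" + parts[1]
        elif parts[0].startswith(("./", "/")):  # a file executed by path
            path = parts[0] if parts[0].startswith("/") else cwd.rstrip("/") + parts[0][1:]
            if path.startswith(tree.rstrip("/") + "/"):
                hits.append(path)
    return hits
```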