I'm trying to do some forensics on a Red Hat 6.2 box that was somehow turned into a mail relay and may have been compromised. The mail logs show the mail coming from an Apache virtual host address, and this machine was running Zope. The list of hotfix files I see is:
5220 May 25 2001 Hotfix_2000-10-02.tar.gz
2800 May 25 2001 Hotfix_2000-10-11.tgz
3002 May 25 2001 Hotfix_2000-12-08.tgz
2839 May 25 2001 Hotfix_2000-12-15a.tgz
2386 May 25 2001 Hotfix_2000-12-18.tgz
1899 May 25 2001 Hotfix_2001-02-23.tgz
3292 May 25 2001 Hotfix_2001-03-08.tgz
2492 May 25 2001 Hotfix_2001-05-01.tgz
30720 May 25 2001 hotfix.tar
So, would anybody have any ideas how to determine if this might have been compromised? Or is there a known mail relay exploit through Zope somehow? I've checked system binaries and everything seems fine. None of the Python files seem to have been changed since well before the relaying started.
Not sure what version of Zope this is - it was built locally, not an RPM.
Thanks in advance, Chris Pelton
_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
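One check worth running on a box like the one described above is a timestamp sweep that looks at inode change time (ctime) rather than only modification time (mtime). `touch -t` and similar tools can backdate mtime, which is what `ls -l` shows, but ctime is set by the kernel on every inode change and cannot be set from user space without changing the system clock. The script below is an added example written for this thread, not code from the original post or from the Zope project; the directory it is pointed at (the Zope tree or the whole filesystem of a read-only mounted copy) and the cut-off time (when the relaying started, taken from the mail logs) are inputs you supply.

```python
"""Added example, not from the original post: list regular files whose inode
change time (ctime) is later than a cut-off, and flag files whose mtime is
older than their ctime by more than a small margin, which is what a backdated
mtime looks like."""
import os
import time
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    mtime: float
    ctime: float
    backdated: bool  # mtime claims an earlier time than the inode change


def files_changed_since(root, since, slack=60.0):
    """Walk `root` and return a Finding for every regular file whose ctime
    is later than `since` (epoch seconds), sorted by ctime.

    `backdated` is True when the mtime is older than the ctime by more than
    `slack` seconds: the inode (content, mode, owner or timestamps) changed
    after the time the file claims to have been last modified."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # vanished or unreadable; nothing to report
            if st.st_ctime > since:
                findings.append(Finding(path, st.st_mtime, st.st_ctime,
                                        st.st_ctime - st.st_mtime > slack))
    findings.sort(key=lambda f: f.ctime)
    return findings


def report(root, since):
    """Print one line per finding; a trailing '*' marks a backdated mtime."""
    for f in files_changed_since(root, since):
        mark = "*" if f.backdated else " "
        print("%s %s  mtime=%s  ctime=%s" % (
            mark, f.path,
            time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(f.mtime)),
            time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(f.ctime))))


if __name__ == "__main__":
    import sys
    # Usage: script.py <root> "<YYYY-MM-DD HH:MM:SS>"  (cut-off in local time)
    cutoff = time.mktime(time.strptime(sys.argv[2], "%Y-%m-%d %H:%M:%S"))
    report(sys.argv[1], cutoff)
```

The same sweep can be done on the box itself with `ls -lc` (sort by ctime instead of mtime) or `find / -ctime -N -type f`, but run it against a read-only mounted image or a copy of the disk where possible: walking a live filesystem updates atimes, and if the attacker replaced `ls` or `find` the output cannot be trusted, which is why the Python version above is meant to be run from a known-good interpreter.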