I'm trying to do some forensics on a redhat 6.2 box that was somehow turned into a mail relay and may have been compromised. The mail logs show the mail coming from an apache virtual host address, and this machine was running zope, and the list of hotfix files I see is:

5220 May 25  2001 Hotfix_2000-10-02.tar.gz
2800 May 25  2001 Hotfix_2000-10-11.tgz
3002 May 25  2001 Hotfix_2000-12-08.tgz
2839 May 25  2001 Hotfix_2000-12-15a.tgz
2386 May 25  2001 Hotfix_2000-12-18.tgz
1899 May 25  2001 Hotfix_2001-02-23.tgz
3292 May 25  2001 Hotfix_2001-03-08.tgz
2492 May 25  2001 Hotfix_2001-05-01.tgz
30720 May 25  2001 hotfix.tar

So, would anybody have any ideas how to determine if this might have been compromised? Or is there a known mail relay exploit through zope somehow? I've checked system binaries and everything seems fine. None of the python files seem to have been changed since well before the relaying started.

Not sure what version of zope this is - it was built locally, not an rpm.

Thanks in advance,
Chris Pelton

Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )

Reply via email to