On Mon, Oct 13, 2003 at 05:36:51PM -0700, Chris Pelton wrote:
> Hello,
>
> I'm trying to do some forensics on a Red Hat 6.2 box that was somehow
> turned into a mail relay and may have been compromised. The mail logs
> show the mail coming from an Apache virtual host address, and this
> machine was running Zope, and the list of hotfix files I see is:
>
> 5220 May 25 2001 Hotfix_2000-10-02.tar.gz
> 2800 May 25 2001 Hotfix_2000-10-11.tgz
> 3002 May 25 2001 Hotfix_2000-12-08.tgz
> 2839 May 25 2001 Hotfix_2000-12-15a.tgz
> 2386 May 25 2001 Hotfix_2000-12-18.tgz
> 1899 May 25 2001 Hotfix_2001-02-23.tgz
> 3292 May 25 2001 Hotfix_2001-03-08.tgz
> 2492 May 25 2001 Hotfix_2001-05-01.tgz
If you're worried that one of those is a trojan, you could re-download the
hotfixes here and use diff or cmp:
http://zope.org/Products/Zope/swpackage_view

> So, would anybody have any ideas how to determine if this might have
> been compromised? Or is there a known mail relay exploit through Zope
> somehow?

Never heard of one, but if you have a MailHost with wide open permissions,
somebody could pretty easily write a client script to abuse it.

> Not sure what version of Zope this is

That would be listed in the output on startup, and you can also check by
visiting http://zope_server:zope_port/Control_Panel/manage_main

-- 
Paul Winkler
http://www.slinkp.com
Look! Up in the sky! It's NANO PHYSICIAN!
(random hero from isometric.spaceninja.com)

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
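Paul's suggestion of re-downloading the hotfixes and comparing them with diff or cmp, worked into a small script. This is an added example, not code from the thread or from the Zope project: it compares the members inside each local Hotfix_* tarball against the re-downloaded reference copy and names the added, removed or altered files, so an investigator sees exactly what to inspect rather than a bare "files differ"; the directory layout and the sample archives built by write_sample_hotfix are constructed for illustration.

```python
import hashlib
import io
import os
import tarfile


def member_digests(tgz_path):
    """Map each regular-file member of a .tgz to the SHA-256 of its contents."""
    digests = {}
    with tarfile.open(tgz_path, "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_hotfix(local_path, ref_path):
    """Compare one installed hotfix with a re-downloaded reference copy.

    Returns (verdict, details): "OK", "MISMATCH" or "NO-REFERENCE", plus the
    members that were added, removed or altered relative to the reference.
    """
    if not os.path.isfile(ref_path):
        return "NO-REFERENCE", []
    local, ref = member_digests(local_path), member_digests(ref_path)
    details = []
    for name in sorted(set(local) | set(ref)):
        if name not in ref:
            details.append("added: " + name)
        elif name not in local:
            details.append("removed: " + name)
        elif local[name] != ref[name]:
            details.append("altered: " + name)
    return ("MISMATCH" if details else "OK"), details


def compare_hotfix_dir(local_dir, ref_dir):
    """Check every Hotfix_* tarball in local_dir; returns {name: (verdict, details)}."""
    return {name: compare_hotfix(os.path.join(local_dir, name), os.path.join(ref_dir, name))
            for name in sorted(os.listdir(local_dir)) if name.startswith("Hotfix_")}


def write_sample_hotfix(path, members):
    """Write a constructed .tgz from {member_name: bytes}; sample data, not a real hotfix."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
```

A "NO-REFERENCE" verdict means the tarball name was not found among the re-downloaded copies at all, which is itself worth a look on a box suspected of compromise.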