Never heard of such an abuse neither.
Only we are victim of one such.

So I would be interessted in any findings 

Robert

Am Dienstag, 14. Oktober 2003 03:46 schrieb Paul Winkler:
> On Mon, Oct 13, 2003 at 05:36:51PM -0700, Chris Pelton wrote:
> > Hello,
> >
> > I'm trying to do some forensics on a redhat 6.2 box that was somehow
> > turned into a mail relay and may have been compromised. The mail logs
> > show the mail coming from an apache virtual host address, and this
> > machine was running zope, and the list of hotfix files I see is:
> >
> > 5220 May 25  2001 Hotfix_2000-10-02.tar.gz
> > 2800 May 25  2001 Hotfix_2000-10-11.tgz
> > 3002 May 25  2001 Hotfix_2000-12-08.tgz
> > 2839 May 25  2001 Hotfix_2000-12-15a.tgz
> > 2386 May 25  2001 Hotfix_2000-12-18.tgz
> > 1899 May 25  2001 Hotfix_2001-02-23.tgz
> > 3292 May 25  2001 Hotfix_2001-03-08.tgz
> > 2492 May 25  2001 Hotfix_2001-05-01.tgz
>
> if you're worried that one of those is a trojan, you could re-download
> the hotfixes here and use diff or cmp:
> http://zope.org/Products/Zope/swpackage_view
>
> > So, would anybody have any ideas how to determine if this might have
> > been compromised? Or is there a known mail relay exploit through zope
> > somehow?
>
> never heard of one, but if you have a MailHost with wide open permissions
> somebody could pretty easily write a client script to abuse it.
>
> > Not sure what version of zope this is
>
> That would be listed in the output on startup, and you can also check by
> visiting http://zope_server:zope_port/Control_Panel/manage_main

-- 
mit freundlichen Grüssen

Robert Rottermann
www.redCOR.ch


_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to