[CentOS-mirror] Halted Web Server Compromise
Shawn M. Jones
smj at littleprojects.org
Tue Sep 27 20:30:41 UTC 2005
I discovered this morning that SELinux had stopped a user from executing
commands through my apache web server. He was using a vulnerability in
php-pear to get in, which I had patched a few months ago.
Unfortunately, I had foolishly not restarted the apache service after
the patch, so he started adding interesting scripts to my temp directories.
I'm going to perform a partial rebuild of the server. By what I can
tell, he was not able to leave his SELinux jail and execute any
programs. I've used rpm to validate the MD5 checksums of all package
files and verified that the only ones that came back were ones that I
As he was restricted to executing everything as the apache user with a
security context of root:system_r:httpd_sys_script_t, he was not able to
start any of the back doors or IRC bots that he had placed on the
system, but I am concerned about the content accessible to
httpd_sys_script_t, so I'm going to remove all web server related
material and restore it from backups.
What I did not back up was the mirror of CentOS, which I need to rebuild
as a precautionary measure.
I'm currently removing alias to the CentOS mirror on the server. Please
remove me from the CentOS mirrors page until I get the system rebuilt.
Sorry for the inconvenience.
Shawn M. Jones
Admin of the LittleProjects.org site in VA, USA
More information about the CentOS-mirror