I discovered this morning that SELinux had stopped a user from executing commands through my apache web server. He was using a vulnerability in php-pear to get in, which I had patched a few months ago. Unfortunately, I had foolishly not restarted the apache service after the patch, so he started adding interesting scripts to my temp directories.
I'm going to perform a partial rebuild of the server. By what I can tell, he was not able to leave his SELinux jail and execute any programs. I've used rpm to validate the MD5 checksums of all package files and verified that the only ones that came back were ones that I had modified.
As he was restricted to executing everything as the apache user with a security context of root:system_r:httpd_sys_script_t, he was not able to start any of the back doors or IRC bots that he had placed on the system, but I am concerned about the content accessible to httpd_sys_script_t, so I'm going to remove all web server related material and restore it from backups.
What I did not back up was the mirror of CentOS, which I need to rebuild as a precautionary measure.
I'm currently removing the alias to the CentOS mirror on the server. Please remove me from the CentOS mirrors page until I get the system rebuilt.
Sorry for the inconvenience.
Sincerely,
Shawn M. Jones
Admin of the LittleProjects.org site in VA, USA
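As an added example (not part of the thread), the two checks the first mail relies on, written as shell functions over constructed sample input so they run offline: filtering `rpm -Va` output down to package files whose digest changed, and summarising audit-log AVC denials whose source context is httpd_sys_script_t. The file names, PIDs and audit records in the samples are made up.

```shell
#!/bin/sh
# Added example (not from the original thread): two post-incident checks
# run over constructed sample input, so the script works offline.

# Constructed sample of `rpm -Va` output. Flags are 9 chars; a '5' in the
# third position means the file digest no longer matches the package.
SAMPLE_RPM_VA='S.5....T.  c /etc/httpd/conf/httpd.conf
.......T.    /usr/lib/libfoo.so.1
S.5....T.    /usr/share/pear/PEAR.php
missing     /usr/share/doc/README'

# Constructed audit.log excerpt; the names (bot.pl, cupsd) and ports are
# made up. The scontext is the one quoted in the mail.
SAMPLE_AUDIT='type=AVC msg=audit(1200000000.000:101): avc:  denied  { execute } for  pid=2001 comm="sh" name="bot.pl" dev=sda3 ino=40001 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:tmp_t tclass=file
type=AVC msg=audit(1200000000.000:102): avc:  denied  { name_connect } for  pid=2001 comm="perl" dest=6667 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:ircd_port_t tclass=tcp_socket
type=AVC msg=audit(1200000000.000:103): avc:  denied  { read } for  pid=3000 comm="cupsd" name="x" scontext=root:system_r:cupsd_t tcontext=root:object_r:etc_t tclass=file'

# Print package files whose digest changed, skipping config files ('c'),
# which are the ones an admin legitimately edits. Anything left should be
# reinstalled from the package or restored from backup.
changed_digests() {
  awk '$1 == "missing" { next }
       substr($1, 3, 1) == "5" { if (NF == 3 && $2 == "c") next; print $NF }'
}

# Summarise AVC denials whose source context is httpd_sys_script_t as
# "<permissions> <comm> <name=...|path=...|->": each line is an action the
# web-script domain attempted and SELinux blocked.
httpd_script_denials() {
  awk '/avc:  denied/ && /scontext=[^ ]*:httpd_sys_script_t/ {
         perm = ""; comm = ""; target = "-"
         for (i = 1; i <= NF; i++) {
           if ($i == "{") {
             for (j = i + 1; j <= NF && $j != "}"; j++) perm = (perm == "" ? $j : perm "," $j)
           } else if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
           else if ($i ~ /^(name|path)=/) target = $i
         }
         print perm, comm, target
       }'
}

# Demo on the samples. On a real host: rpm -Va | changed_digests
# and httpd_script_denials < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_RPM_VA" | changed_digests
printf '%s\n' "$SAMPLE_AUDIT" | httpd_script_denials
```

`rpm -Va` trusts the local RPM database, so its result is only evidence when, as in this case, the intruder never gained root.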
Shawn M. Jones wrote:
> I discovered this morning that SELinux had stopped a user from executing commands through my apache web server. He was using a vulnerability in php-pear to get in, which I had patched a few months ago. Unfortunately, I had foolishly not restarted the apache service after the patch, so he started adding interesting scripts to my temp directories.
> I'm going to perform a partial rebuild of the server. By what I can tell, he was not able to leave his SELinux jail and execute any programs. I've used rpm to validate the MD5 checksums of all package files and verified that the only ones that came back were ones that I had modified.
> As he was restricted to executing everything as the apache user with a security context of root:system_r:httpd_sys_script_t, he was not able to start any of the back doors or IRC bots that he had placed on the system, but I am concerned about the content accessible to httpd_sys_script_t, so I'm going to remove all web server related material and restore it from backups.
> What I did not back up was the mirror of CentOS, which I need to rebuild as a precautionary measure.
> I'm currently removing the alias to the CentOS mirror on the server. Please remove me from the CentOS mirrors page until I get the system rebuilt.
> Sorry for the inconvenience.
What's the URL for your mirror?
- K
Karanbir Singh wrote:
> Shawn M. Jones wrote:
>> I discovered this morning that SELinux had stopped a user from executing commands through my apache web server. He was using a vulnerability in php-pear to get in, which I had patched a few months ago. Unfortunately, I had foolishly not restarted the apache service after the patch, so he started adding interesting scripts to my temp directories.
>> I'm going to perform a partial rebuild of the server. By what I can tell, he was not able to leave his SELinux jail and execute any programs. I've used rpm to validate the MD5 checksums of all package files and verified that the only ones that came back were ones that I had modified.
>> As he was restricted to executing everything as the apache user with a security context of root:system_r:httpd_sys_script_t, he was not able to start any of the back doors or IRC bots that he had placed on the system, but I am concerned about the content accessible to httpd_sys_script_t, so I'm going to remove all web server related material and restore it from backups.
>> What I did not back up was the mirror of CentOS, which I need to rebuild as a precautionary measure.
>> I'm currently removing the alias to the CentOS mirror on the server. Please remove me from the CentOS mirrors page until I get the system rebuilt.
>> Sorry for the inconvenience.
> What's the URL for your mirror?
> - K
The URLs are: http://mirrors.littleprojects.org/centos.org/ -and- ftp://mirrors.littleprojects.org/pub/mirrors/centos.org/
Hope this helps. They're down now.
--Shawn
Shawn M. Jones wrote:
>> What's the URL for your mirror?
>> - K
> The URLs are: http://mirrors.littleprojects.org/centos.org/ -and- ftp://mirrors.littleprojects.org/pub/mirrors/centos.org/
Taken off the mirror list - the mirror status has been switched off. When the mirror is back up and running, please request a re-activation rather than re-addition.
- K
Karanbir Singh wrote:
>> The URLs are: http://mirrors.littleprojects.org/centos.org/ -and- ftp://mirrors.littleprojects.org/pub/mirrors/centos.org/
> Taken off the mirror list - the mirror status has been switched off. When the mirror is back up and running, please request a re-activation rather than re-addition.
LittleProjects.org is back up serving FTP and HTTP traffic from Virginia, USA at a speed of 10Mbps. I request re-activation on the CentOS Mirror list.
--Shawn