[CentOS-mirror] Halted Web Server Compromise
Shawn M. Jones
smj at littleprojects.org
Tue Sep 27 20:30:41 UTC 2005
I discovered this morning that SELinux had stopped a user from executing
commands through my apache web server. He was using a vulnerability in
php-pear to get in, which I had patched a few months ago.
Unfortunately, I had foolishly not restarted the apache service after
the patch, so he started adding interesting scripts to my temp directories.
I'm going to perform a partial rebuild of the server. From what I can
tell, he was not able to leave his SELinux jail and execute any
programs. I've used rpm to validate the MD5 checksums of all package
files and verified that the only ones that came back were ones that I
had modified.
As he was restricted to executing everything as the apache user with a
security context of root:system_r:httpd_sys_script_t, he was not able to
start any of the back doors or IRC bots that he had placed on the
system, but I am concerned about the content accessible to
httpd_sys_script_t, so I'm going to remove all web server related
material and restore it from backups.
What I did not back up was the mirror of CentOS, which I need to rebuild
as a precautionary measure.
I'm currently removing the alias to the CentOS mirror on the server. Please
remove me from the CentOS mirrors page until I get the system rebuilt.
Sorry for the inconvenience.
Sincerely,
Shawn M. Jones
Admin of the LittleProjects.org site in VA, USA
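The post relies on `rpm` verification to confirm that only files the admin had modified differ from the package database. The script below is an added example, not something from the original message or from the CentOS project: it filters `rpm -Va` output down to non-config files whose digest no longer matches the package (the `5` in the third attribute column) or which are missing entirely, so the admin's own edits to config files do not drown out payload changes. It assumes the classic `rpm -Va` line layout (attribute string, optional file-type flag such as `c` or `d`, then the path, with no spaces in paths); the sample output embedded in `SAMPLE_RPM_VA` is constructed for the demo, and `verify_installed_packages` is a hypothetical wrapper that runs the real check.

```shell
#!/bin/sh
# Added example (not from the original post): triage 'rpm -Va' output for
# files whose payload changed, ignoring config files the admin edits on purpose.
# Assumed line layout: attribute string (S M 5 D L U G T [P]), an optional
# file-type flag (c=config, d=doc, g=ghost, l=license, r=readme), then the path.

# Constructed sample of 'rpm -Va' output, standing in for a real run.
SAMPLE_RPM_VA='S.5....T.  c /etc/httpd/conf/httpd.conf
..5......    /usr/share/pear/PEAR.php
.......T.    /usr/lib/httpd/modules/libphp4.so
missing      /usr/share/pear/Archive/Tar.php
S.5....T.  d /usr/share/doc/php-pear/README'

# Reads 'rpm -Va' lines on stdin and prints one line per file that is either
# reported missing or has a digest mismatch ("5" in column 3 of the attribute
# string) and is not flagged as a config file ("c").  Only the mtime changing
# ("T" alone) is not reported, since that does not prove the content changed.
changed_payload_files() {
    awk '
        $1 == "missing" { print "MISSING " $NF; next }
        substr($1, 3, 1) == "5" && $2 != "c" { print "MODIFIED " $NF }
    '
}

# Hypothetical wrapper around the real verification run; not used by the demo.
verify_installed_packages() {
    rpm -Va 2>/dev/null | changed_payload_files
}

# Demo against the constructed sample.
printf '%s\n' "$SAMPLE_RPM_VA" | changed_payload_files
```

On a real host, pipe `rpm -Va` through `changed_payload_files` and compare the result against the list of files you know you changed; anything left over is what needs to be explained before trusting the machine again. Note that `rpm -Va` only covers files owned by packages, so scripts dropped into temp or web directories (as described in the post) have to be found by other means, such as listing files carrying the `httpd_sys_script_t` context.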