[CentOS-mirror] Halted Web Server Compromise
Shawn M. Jones
smj at littleprojects.org
Tue Sep 27 20:48:32 UTC 2005
Karanbir Singh wrote:
> Shawn M. Jones wrote:
>> I discovered this morning that SELinux had stopped a user from
>> executing commands through my apache web server. He was using a
>> vulnerability in php-pear to get in, which I had patched a few months
>> ago. Unfortunately, I had foolishly not restarted the apache service
>> after the patch, so he started adding interesting scripts to my temp
>> I'm going to perform a partial rebuild of the server. By what I can
>> tell, he was not able to leave his SELinux jail and execute any
>> programs. I've used rpm to validate the MD5 checksums of all package
>> files and verified that the only ones that came back were ones that I
>> had modified.
>> As he was restricted to executing everything as the apache user with
>> a security context of root:system_r:httpd_sys_script_t, he was not
>> able to start any of the back doors or IRC bots that he had placed on
>> the system, but I am concerned about the content accessible to
>> httpd_sys_script_t, so I'm going to remove all web server related
>> material and restore it from backups.
>> What I did not back up was the mirror of CentOS, which I need to
>> rebuild as a precautionary measure.
>> I'm currently removing alias to the CentOS mirror on the server.
>> Please remove me from the CentOS mirrors page until I get the system
>> Sorry for the inconvenience.
> Whats the URL for your mirror ?
> - K
The URLs are:
Hope this helps. They're down now.
More information about the CentOS-mirror