I discovered this morning that SELinux had stopped a user from executing commands through my apache web server. He was using a vulnerability in php-pear to get in, which I had patched a few months ago. Unfortunately, I had foolishly not restarted the apache service after the patch, so he started adding interesting scripts to my temp directories. I'm going to perform a partial rebuild of the server. By what I can tell, he was not able to leave his SELinux jail and execute any programs. I've used rpm to validate the MD5 checksums of all package files and verified that the only ones that came back were ones that I had modified. As he was restricted to executing everything as the apache user with a security context of root:system_r:httpd_sys_script_t, he was not able to start any of the back doors or IRC bots that he had placed on the system, but I am concerned about the content accessible to httpd_sys_script_t, so I'm going to remove all web server related material and restore it from backups. What I did not back up was the mirror of CentOS, which I need to rebuild as a precautionary measure. I'm currently removing alias to the CentOS mirror on the server. Please remove me from the CentOS mirrors page until I get the system rebuilt. Sorry for the inconvenience. Sincerely, Shawn M. Jones Admin of the LittleProjects.org site in VA, USA