[CentOS-mirror] Halted Web Server Compromise

Tue Sep 27 20:41:52 UTC 2005
Karanbir Singh <mail-lists at karan.org>

Shawn M. Jones wrote:
> I discovered this morning that SELinux had stopped a user from executing 
> commands through my apache web server.  He was using a vulnerability in 
> php-pear to get in, which I had patched a few months ago.  
> Unfortunately, I had foolishly not restarted the apache service after 
> the patch, so he started adding interesting scripts to my temp directories.
> 
> I'm going to perform a partial rebuild of the server.  By what I can 
> tell, he was not able to leave his SELinux jail and execute any 
> programs.  I've used rpm to validate the MD5 checksums of all package 
> files and verified that the only ones that came back were ones that I 
> had modified.
> 
> As he was restricted to executing everything as the apache user with a 
> security context of root:system_r:httpd_sys_script_t, he was not able to 
> start any of the back doors or IRC bots that he had placed on the 
> system, but I am concerned about the content accessible to 
> httpd_sys_script_t, so I'm going to remove all web server related 
> material and restore it from backups.
> 
> What I did not back up was the mirror of CentOS, which I need to rebuild 
> as a precautionary measure.
> 
> I'm currently removing the alias to the CentOS mirror on the server.  Please 
> remove me from the CentOS mirrors page until I get the system rebuilt.
> 
> Sorry for the inconvenience.

What's the URL for your mirror?

- K




-- 
Karanbir Singh : http://www.karan.org/
GnuPG Public Key : http://www.karan.org/publickey.asc
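The rpm integrity check Shawn describes, as an added example that is not part of the thread: a POSIX sh script that parses `rpm -Va` output (the sample lines below are constructed, not from the compromised server) and separates digest mismatches in ordinary files, which need explaining, from edits to config files, which are expected. `audit_live` assumes `rpm` is present on the host.

```shell
#!/bin/sh
# Added example, not code from the list thread.  Parses `rpm -Va` output and
# reports files whose recorded MD5/digest no longer matches the package database.
#
# rpm -V attribute columns: S size, M mode, 5 MD5/digest, D device, L link,
# U user, G group, T mtime (newer rpm adds P capabilities).  A '5' in the
# third column means the file content differs from what the package shipped.
# An optional type letter follows (c config, d doc, g ghost, l license, r readme).

# Constructed sample of `rpm -Va` output for illustration.
SAMPLE_RPM_VA='S.5....T  c /etc/httpd/conf/httpd.conf
S.5....T    /var/www/html/index.php
.......T    /usr/share/pear/PEAR.php
missing     /usr/share/pear/Archive/Tar.php
S.5....T    /usr/sbin/httpd'

# Paths whose digest changed, excluding config files (those are expected to be
# edited by the admin; everything else with a '5' needs an explanation).
changed_digests() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { next }
        substr($1, 3, 1) == "5" && $2 != "c" { print $NF }'
}

# Paths rpm expected to find on disk but which are gone.
missing_files() {
    printf '%s\n' "$1" | awk '$1 == "missing" { print $NF }'
}

# Live use on a CentOS host (assumes rpm is installed).  The rpm database is
# only trustworthy if the intruder never got root; here the attacker stayed
# confined to httpd_sys_script_t, so the database itself was not in reach.
audit_live() {
    out=$(rpm -Va 2>/dev/null)
    echo "## digest changed (non-config):"; changed_digests "$out"
    echo "## missing:"; missing_files "$out"
}

echo "## digest changed (non-config):"; changed_digests "$SAMPLE_RPM_VA"
echo "## missing:"; missing_files "$SAMPLE_RPM_VA"
```

On the sample, only `/var/www/html/index.php` and `/usr/sbin/httpd` are reported as changed; the edited `httpd.conf` is skipped because it is a config file.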