[CentOS-mirror] Halted Web Server Compromise

Tue Sep 27 20:48:32 UTC 2005
Shawn M. Jones <smj at littleprojects.org>

Karanbir Singh wrote:

> Shawn M. Jones wrote:
>
>> I discovered this morning that SELinux had stopped a user from 
>> executing commands through my apache web server.  He was using a 
>> vulnerability in php-pear to get in, which I had patched a few months 
>> ago.  Unfortunately, I had foolishly not restarted the apache service 
>> after the patch, so he started adding interesting scripts to my temp 
>> directories.
>>
>> I'm going to perform a partial rebuild of the server.  By what I can 
>> tell, he was not able to leave his SELinux jail and execute any 
>> programs.  I've used rpm to validate the MD5 checksums of all package 
>> files and verified that the only ones that came back were ones that I 
>> had modified.
>>
>> As he was restricted to executing everything as the apache user with 
>> a security context of root:system_r:httpd_sys_script_t, he was not 
>> able to start any of the back doors or IRC bots that he had placed on 
>> the system, but I am concerned about the content accessible to 
>> httpd_sys_script_t, so I'm going to remove all web server related 
>> material and restore it from backups.
>>
>> What I did not back up was the mirror of CentOS, which I need to 
>> rebuild as a precautionary measure.
>>
>> I'm currently removing the alias to the CentOS mirror on the server.  
>> Please remove me from the CentOS mirrors page until I get the system 
>> rebuilt.
>>
>> Sorry for the inconvenience.
>
>
> What's the URL for your mirror?
>
> - K
>
The URLs are:
http://mirrors.littleprojects.org/centos.org/
-and-
ftp://mirrors.littleprojects.org/pub/mirrors/centos.org/

Hope this helps.  They're down now.

--Shawn
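The integrity check Shawn describes (running rpm against the package database and looking for files whose MD5 checksums no longer match) is easy to do badly, because `rpm -Va` prints every trivially changed file, config files included, and the signal gets lost. The script below is an added example, not part of the list post and not anything Shawn ran; it triages `rpm -Va` style output, separating digest mismatches on config files (which an admin may legitimately have edited, as Shawn says he had) from digest mismatches on everything else, and listing files rpm reports as missing. The sample lines are constructed for the example; the flag layout (a `5` in the first column means the digest differs, `c` marks a config file) is rpm's own.

```shell
#!/bin/sh
# Added example: triage `rpm -Va` output after a suspected compromise.
# Not from the mailing-list post; the sample lines below are constructed.

# Constructed stand-in for `rpm -Va` output (rpm 4.x, 8-column flags).
# Column '5' = digest mismatch, 'c' after the flags = config file.
SAMPLE_RPM_VA='S.5....T  c /etc/httpd/conf/httpd.conf
S.5....T    /usr/bin/ps
.......T    /usr/share/doc/zlib-1.2.1/README
..5....T    /usr/lib/libutil.so.1
missing     /usr/sbin/lsof
S.5....T  c /etc/ssh/sshd_config'

# digest_mismatches INPUT CLASS
# Print paths from rpm -Va style INPUT whose recorded digest no longer
# matches. CLASS is "config" for files rpm marks 'c', "other" for the rest.
# Assumes paths contain no spaces (true for package files on a stock system).
digest_mismatches() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "missing"       { next }     # nothing to compare a digest to
        index($1, "5") == 0   { next }     # digest still matches; skip
        {
            kind = (NF == 3 && $2 == "c") ? "config" : "other"
            if (kind == want) print $NF
        }'
}

# missing_files INPUT
# Print paths rpm says are missing entirely (deleted or replaced outside rpm).
missing_files() {
    printf '%s\n' "$1" | awk '$1 == "missing" { print $NF }'
}

# triage_rpm_verify INPUT
# Human-readable summary; modified non-config files and missing files are the
# lines worth investigating first.
triage_rpm_verify() {
    echo "== Non-config files with digest mismatch (investigate first) =="
    digest_mismatches "$1" other
    echo "== Config files with digest mismatch (compare against backups) =="
    digest_mismatches "$1" config
    echo "== Files missing from disk =="
    missing_files "$1"
}

# Stand-alone run on the constructed sample. On a real host, replace with:
#   triage_rpm_verify "$(rpm -Va 2>/dev/null)"
triage_rpm_verify "$SAMPLE_RPM_VA"
```

One caveat that the post itself illustrates: `rpm -Va` trusts the local rpm binary and its database, so the result only means something when the intruder could not have tampered with either. That is exactly the argument Shawn makes, since the attacker stayed confined to the apache user in the `httpd_sys_script_t` context and could not write to those paths; on a host where root was reached, the check has to be run from rescue media with a known-good rpm database instead.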