Shawn M. Jones wrote:
> I discovered this morning that SELinux had stopped a user from executing
> commands through my apache web server. He was using a vulnerability in
> php-pear to get in, which I had patched a few months ago.
> Unfortunately, I had foolishly not restarted the apache service after
> the patch, so he started adding interesting scripts to my temp directories.
>
> I'm going to perform a partial rebuild of the server. By what I can
> tell, he was not able to leave his SELinux jail and execute any
> programs. I've used rpm to validate the MD5 checksums of all package
> files and verified that the only ones that came back were ones that I
> had modified.
>
> As he was restricted to executing everything as the apache user with a
> security context of root:system_r:httpd_sys_script_t, he was not able to
> start any of the back doors or IRC bots that he had placed on the
> system, but I am concerned about the content accessible to
> httpd_sys_script_t, so I'm going to remove all web server related
> material and restore it from backups.
>
> What I did not back up was the mirror of CentOS, which I need to rebuild
> as a precautionary measure.
>
> I'm currently removing alias to the CentOS mirror on the server. Please
> remove me from the CentOS mirrors page until I get the system rebuilt.
>
> Sorry for the inconvenience.

What's the URL for your mirror?

- K

--
Karanbir Singh : http://www.karan.org/
GnuPG Public Key : http://www.karan.org/publickey.asc