Karanbir Singh wrote: > Shawn M. Jones wrote: > >> I discovered this morning that SELinux had stopped a user from >> executing commands through my apache web server. He was using a >> vulnerability in php-pear to get in, which I had patched a few months >> ago. Unfortunately, I had foolishly not restarted the apache service >> after the patch, so he started adding interesting scripts to my temp >> directories. >> >> I'm going to perform a partial rebuild of the server. By what I can >> tell, he was not able to leave his SELinux jail and execute any >> programs. I've used rpm to validate the MD5 checksums of all package >> files and verified that the only ones that came back were ones that I >> had modified. >> >> As he was restricted to executing everything as the apache user with >> a security context of root:system_r:httpd_sys_script_t, he was not >> able to start any of the back doors or IRC bots that he had placed on >> the system, but I am concerned about the content accessible to >> httpd_sys_script_t, so I'm going to remove all web server related >> material and restore it from backups. >> >> What I did not back up was the mirror of CentOS, which I need to >> rebuild as a precautionary measure. >> >> I'm currently removing alias to the CentOS mirror on the server. >> Please remove me from the CentOS mirrors page until I get the system >> rebuilt. >> >> Sorry for the inconvenience. > > > Whats the URL for your mirror ? > > - K > The URLs are: http://mirrors.littleprojects.org/centos.org/ -and- ftp://mirrors.littleprojects.org/pub/mirrors/centos.org/ Hope this helps. They're down now. --Shawn