On Mon, 14 Jan 2008 02:31:28 +0000 Karanbir Singh <kbsingh at centos.org> wrote: > Mark Weaver wrote: > > while I understand why you'd like proof of concept for the exploit > > it's not something I'd post on a public mailing list. Not to > > mention the exploit was trashed when I reloaded the system. At the > > time it didn't seem expedient for to save that which killed my > > server for posterity. > > security at centos.org is where I'd expect you to post that to. > > Also, if you dont know what you are fixing, you dont have anything to > benchmark against 5.2.5 either. > > As has already been pointed out in the thread, its highly likely that > if the exploit was via a php app, its going to be an app specific > exploit. Reloading that is going to bring that right back. > > Selinux normally helps prevent situations like this. > > - KB ah, yes... SELinux... Well, that was actually on the system at the time of the "second" breach. Getting the apps existing on the web server to play nicely in that environment was quite a trick, but they managed to breach a second time anyway. If I can find any remaining information from that time I'll post as you've suggested. Mark