[CentOS] an actual hacked machine, in a preserved state

Mon Jan 2 02:04:16 UTC 2012
Ljubomir Ljubojevic <office at plnet.rs>

On 01/02/2012 02:50 AM, Bennett Haselton wrote:
> I'm not sure what you mean by "an exploit from a web board which is
> apparently designed to pull outside traffic".  Like Ljubomir said, it looks
> like a script that is used from machine X to DOS attack machine Y, if
> machine Y has the VBulletin bulletin board software installed on it.  Is
> that what you meant?:)
>
> But anyway, since the file was located at /home/file.pl (and since attacker
> had console access), presumably it wasn't being invoked by the web server,
> only from the command line.  So how would it have made any difference if
> httpd was running in its own context, if that script was not being invoked
> by httpd?

None of us really knows how they got in. All you will get from this 
mailing list will be speculation, apart from useful instructions on how to 
gather as much info as possible. So there are many possible ways they 
got in, including brute force. As I understood you, you use neither 
fail2ban, denyhosts nor logwatch, and you haven't checked 
those two servers very much in recent months.

What Rilindo is saying is that SELinux might detect exploits while they're 
trying to break processes from their routine (allowed by SELinux), and 
all of this (if it happened via exploits) might have been prevented by 
SELinux. You really do have a lot of gaps in your security. If I were you, 
I would use all the advice given to you here and secure the rest of your 
servers (SELinux, fail2ban/denyhosts, logwatch, rsyslog, etc.).

-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
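What fail2ban and denyhosts automate for the SSH brute-force case Ljubomir mentions is essentially a tally of failed logins per source address in /var/log/secure. As an added example that is not part of the thread, a small POSIX shell script over constructed log lines (placeholder addresses, hostnames and PIDs):

```shell
#!/bin/sh
# Constructed sample of /var/log/secure lines in the format sshd writes on
# CentOS; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG='Jan  1 23:58:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50120 ssh2
Jan  1 23:58:03 host sshd[2203]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jan  1 23:58:04 host sshd[2205]: Failed password for root from 203.0.113.7 port 50124 ssh2
Jan  1 23:58:06 host sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 50126 ssh2
Jan  1 23:58:09 host sshd[2209]: Accepted publickey for deploy from 198.51.100.4 port 41000 ssh2
Jan  1 23:58:11 host sshd[2211]: Failed password for root from 198.51.100.4 port 41002 ssh2'

# failed_by_ip: read sshd log lines on stdin and print "count ip" for every
# source address that produced "Failed password" entries, most frequent first.
# Accepted logins and other daemons' lines are ignored.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ips[$(i+1)]++
         }
         END { for (ip in ips) print ips[ip], ip }' | sort -rn
}

# offenders: print only the addresses whose failure count reaches the
# threshold (default 3), i.e. the sources a fail2ban/denyhosts jail would ban.
offenders() {
    threshold=${1:-3}
    failed_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Run against the constructed sample; prints 203.0.113.7 (4 failures),
# while 198.51.100.4 stays below the threshold with a single failure.
printf '%s\n' "$SAMPLE_LOG" | offenders 3
```

On a real host the same functions run as `offenders 5 < /var/log/secure`; the point is to see the attempt rate that a banning daemon reacts to before deciding whether brute force is even plausible for the box in question.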