On 01/02/2012 02:50 AM, Bennett Haselton wrote:
> I'm not sure what you mean by "an exploit from a web board which is
> apparently designed to pull outside traffic". Like Ljubomir said, it looks
> like a script that is used from machine X to DOS attack machine Y, if
> machine Y has the VBulletin bulletin board software installed on it. Is
> that what you meant? :)
>
> But anyway, since the file was located at /home/file.pl (and since the attacker
> had console access), presumably it wasn't being invoked by the web server,
> only from the command line. So how would it have made any difference if
> httpd was running in its own context, if that script was not being invoked
> by httpd?

None of us really knows how they got in. All you will get from this mailing list will be speculation, apart from useful instructions on how to gather as much info as possible.

So there are many possible ways they got in, including brute force. As I understood you, you do not use fail2ban, denyhosts and/or logwatch, and you haven't checked those two servers very much in recent months.

What Rilindo is saying is that SELinux might detect exploits while they're trying to break processes out of their routine (allowed by SELinux), and all of this (if it happened via exploits) might have been prevented by SELinux.

You really do have a lot of gaps in your security. If I were you, I would use all the advice given to you here and secure the rest of your servers (SELinux, fail2ban/denyhosts, logwatch, rsyslog, etc.).

--
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
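As an added illustration of the brute-force check that fail2ban and denyhosts automate (this is not code from the thread or from either tool): the script below counts failed sshd password attempts per source address in /var/log/secure-style lines and flags any source at or above a threshold, the same idea as fail2ban's maxretry. The log lines are constructed samples, the function names are my own, and the SELinux check simply reports what getenforce says, or "unavailable" where it is not installed.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Constructed sample sshd log lines (no real server data).
SAMPLE_LOG='Jan  2 02:41:10 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51012 ssh2
Jan  2 02:41:12 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51013 ssh2
Jan  2 02:41:14 web1 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51020 ssh2
Jan  2 02:41:15 web1 sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 51021 ssh2
Jan  2 02:41:20 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan  2 02:41:22 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 51031 ssh2
Jan  2 02:45:01 web1 sshd[2130]: Failed password for bob from 198.51.100.4 port 40222 ssh2
Jan  2 02:45:30 web1 sshd[2130]: Accepted password for bob from 198.51.100.4 port 40222 ssh2
Jan  2 02:50:00 web1 sshd[2140]: Accepted publickey for ljubomir from 192.0.2.9 port 33001 ssh2'

# Read log lines on stdin; print "count ip" for failed password attempts,
# highest count first. Only sshd "Failed password" lines are considered.
failed_logins_per_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Read log lines on stdin; print source IPs whose failure count is at or
# above the threshold given as $1 (what fail2ban calls maxretry).
brute_force_sources() {
    threshold="$1"
    failed_logins_per_ip | awk -v t="$threshold" '($1 + 0) >= (t + 0) {print $2}'
}

# Report the SELinux mode (Enforcing/Permissive/Disabled) via getenforce,
# or "unavailable" when the tool is not present on this host.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo unavailable
    fi
}

echo "== failed password attempts per source =="
echo "$SAMPLE_LOG" | failed_logins_per_ip
echo "== sources at or above 5 failures =="
echo "$SAMPLE_LOG" | brute_force_sources 5
echo "== SELinux mode =="
selinux_mode
```

On a real host you would feed `/var/log/secure` (or `/var/log/auth.log`) into `brute_force_sources` instead of the sample; fail2ban does this continuously and adds a firewall rule for the flagged address, which is why the thread recommends it over doing the count by hand.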