[CentOS] an actual hacked machine, in a preserved state
Ljubomir Ljubojevic
office at plnet.rs
Mon Jan 2 02:04:16 UTC 2012
On 01/02/2012 02:50 AM, Bennett Haselton wrote:
> I'm not sure what you mean by "an exploit from a web board which is
> apparently designed to pull outside traffic". Like Ljubomir said, it looks
> like a script that is used from machine X to DOS attack machine Y, if
> machine Y has the VBulletin bulletin board software installed on it. Is
> that what you meant?:)
>
> But anyway, since the file was located at /home/file.pl (and since attacker
> had console access), presumably it wasn't being invoked by the web server,
> only from the command line. So how would it have made any difference if
> httpd was running in its own context, if that script was not being invoked
> by httpd?
None of us really knows how they got in. All you will get from this
mailing list will be speculation, apart from useful instructions on how to
gather as much info as possible. So there are many possible ways they
got in, including brute force. As I understood you, you use neither
fail2ban, denyhosts nor logwatch, and you haven't checked
those two servers very much in recent months.
What Rilindo is saying is that SELinux might detect exploits while they're
trying to break processes out of their routine (allowed by SELinux), and
all of this (if it happened via exploits) might have been prevented by
SELinux. You really do have a lot of gaps in your security. If I were you,
I would use all the advice given to you here and secure the rest of your
servers (SELinux, fail2ban/denyhosts, logwatch, rsyslog, etc.).
--
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe
Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
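As an added illustration of the brute-force check that fail2ban/denyhosts would have provided on these servers (example code, not from the thread or from fail2ban itself): it reads sshd "Failed password" lines in the format CentOS writes to /var/log/secure and flags any source address that exceeds a retry count inside a time window, mirroring fail2ban's maxretry/findtime settings. The hostnames, addresses, user names and log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sshd failure lines CentOS writes to /var/log/secure (syslog format, no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_failures(lines, year=2012):
    """Yield (timestamp, ip, user) for every failed-password line; other lines are ignored."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied for the arithmetic below
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]

def brute_force_sources(lines, maxretry=5, findtime=600):
    """Return {ip: peak_failures} for sources with >= maxretry failures within findtime seconds."""
    window = defaultdict(list)   # ip -> timestamps of recent failures
    flagged = {}
    for ts, ip, _user in sorted(parse_failures(lines)):
        window[ip].append(ts)
        # keep only failures that fall inside the sliding window ending at this event
        window[ip] = [t for t in window[ip] if (ts - t).total_seconds() <= findtime]
        if len(window[ip]) >= maxretry:
            flagged[ip] = max(flagged.get(ip, 0), len(window[ip]))
    return flagged

# Constructed sample of /var/log/secure: one password-guessing burst and one legitimate typo.
SAMPLE_SECURE = """\
Jan  1 23:14:02 web1 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jan  1 23:14:05 web1 sshd[2303]: Failed password for invalid user oracle from 203.0.113.7 port 40130 ssh2
Jan  1 23:14:09 web1 sshd[2305]: Failed password for root from 203.0.113.7 port 40141 ssh2
Jan  1 23:14:12 web1 sshd[2307]: Failed password for root from 203.0.113.7 port 40150 ssh2
Jan  1 23:14:15 web1 sshd[2309]: Failed password for root from 203.0.113.7 port 40162 ssh2
Jan  1 23:20:41 web1 sshd[2340]: Failed password for alice from 198.51.100.20 port 51022 ssh2
Jan  1 23:20:50 web1 sshd[2342]: Accepted password for alice from 198.51.100.20 port 51022 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, count in brute_force_sources(SAMPLE_SECURE).items():
        print(f"{ip}: {count} failed logins inside the window")
```

On a real host the same function can be fed `open("/var/log/secure")`; a flagged address is what fail2ban would add to the firewall and what logwatch would have summarised in the daily report.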