On Sep 10, 2008, at 3:31 PM, James Morris wrote:
On Wed, 10 Sep 2008, Kristen R wrote:
Last night I had a users website hacked. The hacker then tried to
use httpd to
access /etc files and directorys, as well as the root directory.
SELinux
saved my system.
I need to make a complaint to the ISP who is providing for this
offender. I
have http access logs and error logs but they don't show very much.
Other
then access which was valid (well, not valid) and 2 entries in the
error log.
Is there a way I can correlate the AVC denials with the malious
attacker? The
AVC messages do not have time stamps or IP addresses attached to
them.
Thank you for your assistance, and for SELinux!
You should be able to find more detailed information in the audit log.
Try "ausearch -x httpd"
Any idea how they attacked the web server?
- James
--
James Morris
<jmorris@xxxxxxxxx>
I do know how they got in to the website. The user is running a
Joomla! CMS website (ver 1.5). There is a vulnerability in sanitizing
the input on the screen where a user request their password. That
vulnerability was exploited which allowed the attacker to gain access
to the administration side of the software. Once there he installed
his own software, a java script version. I can see in the URL's sent
to the webserver where queries for /etc and / were sent. The AVC
messages stated that httpd was attempting to gain read access to the /
etc directory. Also the root directory.
This involved several hours of research using find and a rootkit
hunter, along with deleting MySQL databases and directories. I didn't
appreciate it at all. So, I have decided to block the entire Turkish
network this attacker came from since this network is notorious for
spam anyhow.
Kristen
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
