On 18/02/12 06:48, Robin Lee Powell wrote:
> I just discovered, because setroubleshootd was taking up all my CPU
> time :D, that there's a script kiddie console on my webserver, which
> is not only running selinux, but is running it with unconfined
> mostly off.
>
> This amuses me. Not least because it turns out I copied it over
> from my previous server 0.o, so it's been around for years.
>
> I've eliminated the immediate problem, in the form of:
>
> iptables -I INPUT -s 180.76.6.0/24 -j DROP
> iptables -I INPUT -s 180.76.5.0/24 -j DROP
>
> but I invite you all to poke at it:
>
> http://www.lojban.org/story/bok.php
>
> I'm just curious as to whether anyone can get it to do anything
> *remotely* bad, given my configuration. I'd rather you didn't ruin
> the machine (although I could certainly recover), but other than
> that, have at.
>
> -Robin
>

Robin,

First of all, I doubt anyone wants to even remotely connect to that "console", due to legal reasons. Secondly, if any one of us did, it would taint the evidence.

Thirdly, I strongly suggest you replace the whole system, that is, completely reinstall! You just cannot know if anything else is tainted on there.

Fourthly, you should report the machine as being exploited, not only to inform others, but also to make sure the person who abused your machine is not only investigated, but most importantly, that they are not implicating you as a suspect, if your end was used to cause more attacks on third parties!

Further, selinux itself cannot guard against rubbish web scripts you have running on the machine. It can only contain processes. If however there was an exploitable kernel on there, you are royally in trouble. So, hence the reinstall.

Make sure you take a full system snapshot first, preferably with a memory dump. If this is a virtual machine that is not a problem; if not, there are tools available.

Do NOT touch the backups. Make a copy of the backups and document everything you did, in case forensics people from the police need or want to look at it.

On a last note, this is not really the place to ask for help in investigating a security incident. You should seek proper forensic advice, preferably from somebody who is a CISA or equivalent.

Regards,

Tristan

--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@xxxxxxxxxxxxxxxxxxxxx

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down, and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore@xxxxxxxxxxxxxxxxx

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux