On Sat, Feb 18, 2012 at 06:58:27AM +0000, Tristan Santore wrote:
> On 18/02/12 06:48, Robin Lee Powell wrote:
> > I just discovered, because setroubleshootd was taking up all my CPU
> > time :D, that there's a script kiddie console on my webserver, which
> > is not only running selinux, but is running it with unconfined
> > mostly off.
> >
> > This amuses me. Not least because it turns out I copied it over
> > from my previous server 0.o, so it's been around for years.
> >
> > I've eliminated the immediate problem, in the form of:
> >
> > iptables -I INPUT -s 180.76.6.0/24 -j DROP
> > iptables -I INPUT -s 180.76.5.0/24 -j DROP
> >
> > but I invite you all to poke at it:
> >
> > http://www.lojban.org/story/bok.php
> >
> > I'm just curious as to whether anyone can get it to do anything
> > *remotely* bad, given my configuration. I'd rather you didn't ruin
> > the machine (although I could certainly recover), but other than
> > that, have at.
> >
> > -Robin
> >
> Robin,
>
> first of all, I doubt anyone wants to even remotely connect to that
> "console", due to legal reasons.

You're probably right; hadn't thought of that. I don't get to have
any fun. :P :)

> Secondly, if anyone of us would, it would taint the evidence.

What evidence? This script was installed on a completely different
machine, at a different hosting company; I copied it across myself.
The system it was installed on originally no longer exists at all; it
has been totally destroyed some months ago.

> Thirdly, I strongly suggest you replace the whole system, that is,
> completely reinstall! You just cannot know if anything else is
> tainted on there. Fourthly, you should report the machine as being
> exploited, not only to inform others, but also to make sure the
> person who abused your machine is not only investigated, but most
> importantly, they are not implicating you as a suspect, if your
> end was used to cause more attacks on third parties!

You seem to be dramatically over-estimating how much I care about this
particular server's health. :D You are right about the jumping-off
point, but I'm keeping an eye on it; I'm not terribly worried. The
pattern of recent use of the script matches a simple botnet running
through the various options.

-Robin

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
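A defender-side check for the usage pattern Robin describes (requests to the shell path, grouped by source /24, and whether the two DROP rules already cover each network), as an added example that is not code from the thread or the list. The access-log lines and the `opt=` query strings are constructed placeholders, not the shell's real interface; only the path and the two /24s come from the message above.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed Apache combined-log lines (placeholder query strings, not the
# shell's real interface); only the path and the two /24s come from the thread.
SAMPLE_LOG = """\
180.76.6.21 - - [17/Feb/2012:22:01:03 +0000] "GET /story/bok.php?opt=a HTTP/1.1" 200 512 "-" "Mozilla/4.0"
180.76.6.22 - - [17/Feb/2012:22:01:05 +0000] "GET /story/bok.php?opt=b HTTP/1.1" 200 311 "-" "Mozilla/4.0"
180.76.5.9 - - [17/Feb/2012:22:01:09 +0000] "POST /story/bok.php HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
180.76.5.9 - - [17/Feb/2012:22:01:11 +0000] "GET /story/bok.php?opt=c HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.7 - - [17/Feb/2012:22:02:00 +0000] "GET /story/bok.php?opt=a HTTP/1.1" 200 311 "-" "curl/7.21"
198.51.100.4 - - [17/Feb/2012:22:02:30 +0000] "GET /story/index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

SHELL_PATH = "/story/bok.php"                # path named in the thread
BLOCKED = [ip_network("180.76.6.0/24"),      # the two iptables DROP rules
           ip_network("180.76.5.0/24")]

# Dotted-quad client, then method, request target and status of a combined-format line.
LINE_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec

def summarise(log_text):
    """Per source /24 that reached the shell: hits, distinct (method, query) pairs, covered by a DROP rule?"""
    hits, options = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"] != SHELL_PATH:
            continue
        net = ip_network(rec["ip"] + "/24", strict=False)   # collapse the client to its /24
        hits[net] += 1
        options[net].add((rec["method"], rec["query"]))
    return {str(net): {"hits": n,
                       "distinct_options": len(options[net]),
                       "blocked": any(net.subnet_of(b) for b in BLOCKED)}
            for net, n in hits.items()}

def unblocked_sources(log_text):
    """Networks that used the shell but are not yet covered by the DROP rules."""
    return sorted(net for net, info in summarise(log_text).items() if not info["blocked"])
```

Run against the real access log, the `unblocked_sources` result is the list of networks the two existing rules miss, and a high `distinct_options` count per network is the "running through the various options" signature.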