Old 09-10-2008, 11:31 PM
James Morris
 
Help with AVC messages

On Wed, 10 Sep 2008, Kristen R wrote:

> Last night I had a user's website hacked. The hacker then tried to use httpd to
> access /etc files and directories, as well as the root directory. SELinux
> saved my system.
>
> I need to make a complaint to the ISP who is providing for this offender. I
> have http access logs and error logs but they don't show very much. Other
> than access which was valid (well, not valid) and 2 entries in the error log.
> Is there a way I can correlate the AVC denials with the malicious attacker? The
> AVC messages do not have time stamps or IP addresses attached to them.
>
> Thank you for your assistance, and for SELinux!

You should be able to find more detailed information in the audit log.

Try "ausearch -x httpd"

Any idea how they attacked the web server?


- James
--
James Morris
<jmorris@namei.org>

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
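The raw records that ausearch pulls from /var/log/audit/audit.log carry a msg=audit(<epoch>.<ms>:<serial>) field, so each denial does have a timestamp even though the AVC text itself does not; that timestamp is what lets a denial be lined up against the web server's access log. The script below is an added example, not part of the thread or of any Fedora tool: it correlates constructed sample audit records with constructed Apache access log lines, and every address, path and timestamp in it is made up.

```python
import re
from datetime import datetime

# Constructed sample records in raw /var/log/audit/audit.log format (not real data).
# The msg=audit(<epoch>.<ms>:<serial>) field is the timestamp the AVC text lacks.
AUDIT_LOG = """\
type=AVC msg=audit(1221089494.123:456): avc:  denied  { read } for  pid=2201 comm="httpd" name="etc" dev=sda1 ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1221089496.877:457): avc:  denied  { read } for  pid=2201 comm="httpd" name="/" dev=sda1 ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
"""

# Constructed Apache combined-format access log lines (RFC 5737 documentation addresses).
ACCESS_LOG = """\
192.0.2.10 - - [10/Sep/2008:23:31:30 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.7 - - [10/Sep/2008:23:31:34 +0000] "GET /index.php?path=/etc HTTP/1.1" 200 88
198.51.100.7 - - [10/Sep/2008:23:31:36 +0000] "GET /index.php?path=/ HTTP/1.1" 200 91
"""

AVC_RE = re.compile(r'msg=audit\((\d+)\.\d+:\d+\).*?denied\s+\{ ([^}]+)\}'
                    r'.*?comm="([^"]+)".*?name="([^"]+)"')
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')

def parse_avc(text):
    """Return (epoch, permission, comm, name) for every AVC denial record."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            out.append((int(m.group(1)), m.group(2).strip(), m.group(3), m.group(4)))
    return out

def parse_access(text):
    """Return (epoch, client_ip, request_line); %z applies the log's UTC offset."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            epoch = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
            out.append((int(epoch), m.group(1), m.group(3)))
    return out

def correlate(audit_text, access_text, window=1):
    """For each denial, collect the requests logged within +/- window seconds of it."""
    access = parse_access(access_text)
    results = []
    for t, perm, comm, name in parse_avc(audit_text):
        hits = [(ip, req) for at, ip, req in access if abs(at - t) <= window]
        results.append({"denial": f'{comm} denied {perm} on "{name}"',
                        "clients": sorted({ip for ip, _ in hits}),
                        "requests": [req for _, req in hits]})
    return results
```

On a real host, feed the output of `ausearch -x httpd` as the audit text and widen the window if the web server buffers its log writes; a denial that matches several clients needs the request path to disambiguate.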
 
Old 09-11-2008, 08:20 PM
Kristen R
 
Help with AVC messages

On Sep 10, 2008, at 3:31 PM, James Morris wrote:

> On Wed, 10 Sep 2008, Kristen R wrote:
>
> > Last night I had a user's website hacked. The hacker then tried to use httpd to
> > access /etc files and directories, as well as the root directory. SELinux
> > saved my system.
> >
> > I need to make a complaint to the ISP who is providing for this offender. I
> > have http access logs and error logs but they don't show very much. Other
> > than access which was valid (well, not valid) and 2 entries in the error log.
> > Is there a way I can correlate the AVC denials with the malicious attacker? The
> > AVC messages do not have time stamps or IP addresses attached to them.
> >
> > Thank you for your assistance, and for SELinux!
>
> You should be able to find more detailed information in the audit log.
>
> Try "ausearch -x httpd"
>
> Any idea how they attacked the web server?
>
> - James
> --
> James Morris
> <jmorris@namei.org>



I do know how they got into the website. The user is running a
Joomla! CMS website (ver 1.5). There is a vulnerability in sanitizing
the input on the screen where a user requests their password. That
vulnerability was exploited which allowed the attacker to gain access
to the administration side of the software. Once there he installed
his own software, a JavaScript version. I can see in the URLs sent
to the webserver where queries for /etc and / were sent. The AVC
messages stated that httpd was attempting to gain read access to the
/etc directory. Also the root directory.


This involved several hours of research using find and a rootkit
hunter, along with deleting MySQL databases and directories. I didn't
appreciate it at all. So, I have decided to block the entire Turkish
network this attacker came from since this network is notorious for
spam anyhow.


Kristen

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
