Help with AVC messages
On Sep 10, 2008, at 3:31 PM, James Morris wrote:
On Wed, 10 Sep 2008, Kristen R wrote:
Last night I had a users website hacked. The hacker then tried to
use httpd to
access /etc files and directorys, as well as the root directory.
saved my system.
I need to make a complaint to the ISP who is providing for this
have http access logs and error logs but they don't show very much.
then access which was valid (well, not valid) and 2 entries in the
Is there a way I can correlate the AVC denials with the malious
AVC messages do not have time stamps or IP addresses attached to
Thank you for your assistance, and for SELinux!
You should be able to find more detailed information in the audit log.
Try "ausearch -x httpd"
Any idea how they attacked the web server?
I do know how they got in to the website. The user is running a
Joomla! CMS website (ver 1.5). There is a vulnerability in sanitizing
the input on the screen where a user request their password. That
vulnerability was exploited which allowed the attacker to gain access
to the administration side of the software. Once there he installed
his own software, a java script version. I can see in the URL's sent
to the webserver where queries for /etc and / were sent. The AVC
messages stated that httpd was attempting to gain read access to the /
etc directory. Also the root directory.
This involved several hours of research using find and a rootkit
hunter, along with deleting MySQL databases and directories. I didn't
appreciate it at all. So, I have decided to block the entire Turkish
network this attacker came from since this network is notorious for
fedora-selinux-list mailing list