On 18/02/12 06:48, Robin Lee Powell wrote:
> I just discovered, because setroubleshootd was taking up all my CPU
, that there's a script kiddie console on my webserver, which
> is not only running selinux, but is running it with unconfined
> mostly off.
> This amuses me. Not least because it turns out I copied it over
> from my previous server 0.o, so it's been around for years.
> I've eliminated the immediate problem, in the form of:
> iptables -I INPUT -s 22.214.171.124/24 -j DROP
> iptables -I INPUT -s 126.96.36.199/24 -j DROP
> but I invite you all to poke at it:
> I'm just curious as to whether anyone can get it to do anything
> *remotely* bad, given my configuration. I'd rather you didn't ruin
> the machine (although I could certainly recover), but other than
> that, have at.
first of all, I doubt anyone wants to even remotely connect to that
"console", due to legal reasons. Secondly, if anyone of us would, it
would taint the evidence. Thirdly, I strongly suggest you replace the
whole system, that is, completely reinstall! You just cannot know if
anything else is tainted on there. Fourthly, you should report the
machine as being exploited, not only to inform others, but also to make
sure the person who abused your machine is not only investigated, but
most importantly, they are not implicating you as a suspect, if your end
was used to cause more attacks on third parties!
Further, selinux itself cannot guard against rubbish web scripts you
have running on the machine. It can only contain processes. If however
there was an exploitable kernel on there, you are royally in trouble.
So, hence the reinstall. Make sure you take a full system snapshot
first, preferably with memory dump. If this is a virtual machine that is
not a problem, if not, there are tools available.
Do NOT touch the backups. Make a copy of the backups and document
everything you did, in case forensics people from the police need or
want to look at it.
On a last note, this is not really the place to ask for help in
investigating a security incident. You should seek proper forensic
advice, preferably from somebody who is a CISA or equivalent.
Tristan Santore BSc MBCS
Network and Infrastructure Operations
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
selinux mailing list