Old 02-18-2012, 05:48 AM
Robin Lee Powell
 
Fedora in the wild! Or, try out this script kiddie shell.

I just discovered, because setroubleshootd was taking up all my CPU
time, that there's a script kiddie console on my webserver, which
is not only running selinux, but is running it with unconfined
mostly off.

This amuses me. Not least because it turns out I copied it over
from my previous server 0.o, so it's been around for years.

I've eliminated the immediate problem, in the form of:

iptables -I INPUT -s 180.76.6.0/24 -j DROP
iptables -I INPUT -s 180.76.5.0/24 -j DROP

but I invite you all to poke at it:

http://www.lojban.org/story/bok.php

I'm just curious as to whether anyone can get it to do anything
*remotely* bad, given my configuration. I'd rather you didn't ruin
the machine (although I could certainly recover), but other than
that, have at.

-Robin

--
http://singinst.org/ : Our last, best hope for a fantastic future.
.i ko na cpedu lo nu stidi vau loi jbopre .i danfu lu na go'i li'u .e
lu go'i li'u .i ji'a go'i lu na'e go'i li'u .e lu go'i na'i li'u .e
lu no'e go'i li'u .e lu to'e go'i li'u .e lu lo mamta be do cu sofybakni li'u
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 02-18-2012, 05:58 AM
Tristan Santore
 
Fedora in the wild! Or, try out this script kiddie shell.

On 18/02/12 06:48, Robin Lee Powell wrote:
> I just discovered, because setroubleshootd was taking up all my CPU
> time, that there's a script kiddie console on my webserver, which
> is not only running selinux, but is running it with unconfined
> mostly off.
>
> This amuses me. Not least because it turns out I copied it over
> from my previous server 0.o, so it's been around for years.
>
> I've eliminated the immediate problem, in the form of:
>
> iptables -I INPUT -s 180.76.6.0/24 -j DROP
> iptables -I INPUT -s 180.76.5.0/24 -j DROP
>
> but I invite you all to poke at it:
>
> http://www.lojban.org/story/bok.php
>
> I'm just curious as to whether anyone can get it to do anything
> *remotely* bad, given my configuration. I'd rather you didn't ruin
> the machine (although I could certainly recover), but other than
> that, have at.
>
> -Robin
>
Robin,

first of all, I doubt anyone wants to even remotely connect to that
"console", due to legal reasons. Secondly, if any one of us did, it
would taint the evidence. Thirdly, I strongly suggest you replace the
whole system, that is, completely reinstall! You just cannot know if
anything else is tainted on there. Fourthly, you should report the
machine as being exploited, not only to inform others, but also to make
sure the person who abused your machine is not only investigated, but,
most importantly, that they are not implicating you as a suspect, if your end
was used to cause more attacks on third parties!

Further, selinux itself cannot guard against rubbish web scripts you
have running on the machine. It can only contain processes. If, however,
there was an exploitable kernel on there, you are royally in trouble.

So, hence the reinstall. Make sure you take a full system snapshot
first, preferably with memory dump. If this is a virtual machine, that is
not a problem; if not, there are tools available.

Do NOT touch the backups. Make a copy of the backups and document
everything you did, in case forensics people from the police need or
want to look at it.

On a last note, this is not really the place to ask for help in
investigating a security incident. You should seek proper forensic
advice, preferably from somebody who is a CISA or equivalent.

Regards,

Tristan


--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore@fedoraproject.org
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
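Robin noticed the web shell only because setroubleshootd was burning CPU on the stream of SELinux denials it generated, and Tristan's point is that SELinux can contain the web server process but not vouch for the scripts it runs. The following is an added example, not code from either poster: a small parser for AVC denial lines from audit.log that flags the denials a confined web server domain (httpd_t) should never be generating, such as executing a shell, opening arbitrary outbound connections or writing to authentication files. The sample log lines are constructed for the example; the type names (shell_exec_t, shadow_t, ircd_port_t) are standard targeted-policy labels, and the list of suspicious pairs is an assumption to extend for your own policy.

```python
import re

# Constructed sample audit.log lines (not from the thread); the layout follows
# the standard AVC denial record written by the kernel SELinux subsystem.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1329543216.123:4501): avc:  denied  { execute } for  pid=2231 comm="php-cgi" name="sh" dev="sda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1329543216.130:4502): avc:  denied  { name_connect } for  pid=2231 comm="php-cgi" dest=6667 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1329543217.001:4503): avc:  denied  { write } for  pid=2231 comm="php-cgi" name="shadow" dev="sda1" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1329543218.500:4504): avc:  denied  { read } for  pid=900 comm="cupsd" name="foo" scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

# Pull the permission set, pid, comm, source domain, target type and class
# out of one AVC record. Contexts look like user:role:type:level.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]+)"'
    r'.*?scontext=\S+:(?P<sdomain>\w+_t):\S*\s+tcontext=\S+:(?P<ttype>\w+_t):\S*\s+tclass=(?P<tclass>\w+)'
)

# Domains that serve web content. Assumed list; adjust to your policy.
WEB_DOMAINS = {"httpd_t", "httpd_sys_script_t"}

# (permission, target type) pairs that a web server domain has no business
# requesting: running a shell, dialling out to arbitrary ports, or touching
# credential files. Assumed list, meant as a starting point for triage.
SUSPICIOUS = {
    ("execute", "shell_exec_t"), ("execute", "bin_t"),
    ("name_connect", "ircd_port_t"), ("name_connect", "port_t"),
    ("write", "shadow_t"), ("write", "etc_t"),
}


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()  # "{ execute }" may hold several perms
    return rec


def find_webshell_indicators(log_text):
    """Map pid -> [(comm, perm, target_type)] for suspicious web-domain denials."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["sdomain"] not in WEB_DOMAINS:
            continue
        for perm in rec["perms"]:
            if (perm, rec["ttype"]) in SUSPICIOUS:
                hits.setdefault(int(rec["pid"]), []).append((rec["comm"], perm, rec["ttype"]))
    return hits


if __name__ == "__main__":
    for pid, events in find_webshell_indicators(SAMPLE_AUDIT).items():
        print(f"pid {pid}: {events}")
```

Run against a real audit.log this points you at the process to investigate; as Tristan says, the log should be preserved as evidence alongside the snapshot, not cleaned up.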