On Sat, Feb 18, 2012 at 06:58:27AM +0000, Tristan Santore wrote:
> On 18/02/12 06:48, Robin Lee Powell wrote:
> > I just discovered, because setroubleshootd was taking up all my CPU
> > time, that there's a script kiddie console on my webserver, which
> > is not only running selinux, but is running it with unconfined
> > mostly off.
> > This amuses me. Not least because it turns out I copied it over
> > from my previous server 0.o, so it's been around for years.
> > I've eliminated the immediate problem, in the form of:
> > iptables -I INPUT -s 188.8.131.52/24 -j DROP
> > iptables -I INPUT -s 184.108.40.206/24 -j DROP
> > but I invite you all to poke at it:
> > http://www.lojban.org/story/bok.php
> > I'm just curious as to whether anyone can get it to do anything
> > *remotely* bad, given my configuration. I'd rather you didn't ruin
> > the machine (although I could certainly recover), but other than
> > that, have at.
> > -Robin
> first of all, I doubt anyone wants to even remotely connect to that
> "console", due to legal reasons.
You're probably right; hadn't thought of that. I don't get to have
any fun. :P
> Secondly, if anyone of us would, it would taint the evidence.
This script was installed on a completely different machine, at a
different hosting company; I copied it across myself. The system it
was installed on originally no longer exists at all; it has been
totally destroyed some months ago.
> Thirdly, I strongly suggest you replace the whole system, that is,
> completely reinstall! You just cannot know if anything else is
> tainted on there. Fourthly, you should report the machine as being
> exploited, not only to inform others, but also to make sure the
> person who abused your machine is not only investigated, but most
> importantly, they are not implicating you as a suspect, if your
> end was used to cause more attacks on third parties!
You seem to be dramatically over-estimating how much I care about
this particular server's health.
You are right about the jumping-off point, but I'm keeping an eye
on it; I'm not terribly worried. The pattern of recent use of the
script matches a simple botnet running through the various options.
selinux mailing list
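Robin noticed the web shell only because setroubleshootd was burning CPU, i.e. a confined httpd_t was generating a flood of AVC denials as the shell's commands hit policy. The following is an added example, not code from the thread or from the SELinux project, showing how a defender could turn that symptom into a detection by parsing audit.log AVC records and flagging a source domain that produces a burst of denials. The audit lines, the 60-second window, the threshold of 5 and the `httpd_t` domain name are constructed or assumed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audit.log excerpt (illustrative, not from the thread).
# A web shell running under httpd_t produces a burst of denials as the
# attacker's commands hit policy; setroubleshootd then grinds on each one.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1329548877.101:4001): avc:  denied  { execute } for  pid=2311 comm="httpd" name="sh" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1329548877.101:4001): arch=c000003e syscall=59 success=no exit=-13
type=AVC msg=audit(1329548877.102:4002): avc:  denied  { execute_no_trans } for  pid=2311 comm="httpd" path="/bin/sh" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1329548880.310:4003): avc:  denied  { name_connect } for  pid=2315 comm="sh" dest=6667 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1329548882.554:4004): avc:  denied  { write } for  pid=2316 comm="sh" name="passwd" dev=dm-0 ino=4521 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1329548890.007:4005): avc:  denied  { read } for  pid=2320 comm="perl" name="shadow" dev=dm-0 ino=4523 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1329548895.220:4006): avc:  denied  { execute } for  pid=2311 comm="httpd" name="sh" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1329540000.000:3990): avc:  denied  { write } for  pid=1900 comm="crond" name="tmp" dev=dm-0 ino=2 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

# Matches the fields we need from a kernel AVC denial record.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+)\.\d+:\d+\): avc:\s+denied\s+'
    r'\{ (?P<perm>[^}]+) \} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Parse one AVC denial; return None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["pid"] = int(rec["pid"])
    # Contexts are user:role:type:level; the type is what policy reasons about.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def parse_log(text):
    """All AVC denial records in an audit.log excerpt, in file order."""
    return [r for r in map(parse_avc, text.splitlines()) if r]


def denial_counts(records):
    """Tally denials by (command, source type, permission, target type, class)."""
    return Counter(
        (r["comm"], r["stype"], r["perm"], r["ttype"], r["tclass"]) for r in records
    )


def flag_bursts(records, window=60, threshold=5):
    """Source domains with at least `threshold` denials inside any `window` seconds.

    Sliding window over sorted timestamps; returns {domain: peak count}.
    """
    stamps = defaultdict(list)
    for r in records:
        stamps[r["stype"]].append(r["ts"])
    flagged = {}
    for dom, ts in stamps.items():
        ts.sort()
        lo, best = 0, 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[dom] = best
    return flagged


def web_domain_children(records, domain="httpd_t"):
    """Commands other than the server binary seen running in the web domain.

    A shell or interpreter denied while still labelled httpd_t is a strong hint
    that the server spawned it (web shell, injected command), not the admin.
    """
    return sorted({r["comm"] for r in records if r["stype"] == domain and r["comm"] != "httpd"})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    for key, n in denial_counts(recs).most_common():
        print(n, *key)
    print("bursting domains:", flag_bursts(recs))
    print("non-httpd commands in httpd_t:", web_domain_children(recs))
```

On a live system the same parser can be pointed at `/var/log/audit/audit.log`; the burst detector is the cheap equivalent of noticing setroubleshootd's CPU, and `web_domain_children` isolates the part of the picture that matters for triage (what the web server domain tried to run), which is also the evidence worth preserving before a rebuild.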