02-18-2012, 06:23 AM
Robin Lee Powell

Fedora in the wild! Or, try out this script kiddie shell.

On Sat, Feb 18, 2012 at 06:58:27AM +0000, Tristan Santore wrote:
> On 18/02/12 06:48, Robin Lee Powell wrote:
> > I just discovered, because setroubleshootd was taking up all my CPU
> > time, that there's a script kiddie console on my webserver, which
> > is not only running selinux, but is running it with unconfined
> > mostly off.
> >
> > This amuses me. Not least because it turns out I copied it over
> > from my previous server 0.o, so it's been around for years.
> >
> > I've eliminated the immediate problem, in the form of:
> >
> > iptables -I INPUT -s 180.76.6.0/24 -j DROP
> > iptables -I INPUT -s 180.76.5.0/24 -j DROP
> >
> > but I invite you all to poke at it:
> >
> > http://www.lojban.org/story/bok.php
> >
> > I'm just curious as to whether anyone can get it to do anything
> > *remotely* bad, given my configuration. I'd rather you didn't ruin
> > the machine (although I could certainly recover), but other than
> > that, have at.
> >
> > -Robin
> >
> Robin,
>
> first of all, I doubt anyone wants to even remotely connect to that
> "console", due to legal reasons.

You're probably right; hadn't thought of that. I don't get to have
any fun. :P

> Secondly, if anyone of us would, it would taint the evidence.

What evidence?

This script was installed on a completely different machine, at a
different hosting company; I copied it across myself. The system it
was installed on originally no longer exists at all; it has been
totally destroyed some months ago.

> Thirdly, I strongly suggest you replace the whole system, that is,
> completely reinstall! You just cannot know if anything else is
> tainted on there. Fourthly, you should report the machine as being
> exploited, not only to inform others, but also to make sure the
> person who abused your machine is not only investigated, but most
> importantly, they are not implicating you as a suspect, if your
> end was used to cause more attacks on third parties!

You seem to be dramatically over-estimating how much I care about
this particular server's health.

You are right about the jumping-off point, but I'm keeping an eye
on it; I'm not terribly worried. The pattern of recent use of the
script matches a simple botnet running through the various options.

-Robin
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux