On 18/02/12 07:23, Robin Lee Powell wrote:
> On Sat, Feb 18, 2012 at 06:58:27AM +0000, Tristan Santore wrote:
>> On 18/02/12 06:48, Robin Lee Powell wrote:
>>> I just discovered, because setroubleshootd was taking up all my CPU,
>>> that there's a script kiddie console on my webserver, which
>>> is not only running selinux, but is running it with unconfined
>>> mostly off.
>>> This amuses me. Not least because it turns out I copied it over
>>> from my previous server 0.o, so it's been around for years.
>>> I've eliminated the immediate problem, in the form of:
>>> iptables -I INPUT -s 18.104.22.168/24 -j DROP
>>> iptables -I INPUT -s 22.214.171.124/24 -j DROP
>>> but I invite you all to poke at it:
>>> I'm just curious as to whether anyone can get it to do anything
>>> *remotely* bad, given my configuration. I'd rather you didn't ruin
>>> the machine (although I could certainly recover), but other than
>>> that, have at.
>> first of all, I doubt anyone wants to even remotely connect to that
>> "console", due to legal reasons.
> You're probably right; hadn't thought of that. I don't get to have
> any fun. :P
>> Secondly, if anyone of us would, it would taint the evidence.
> What evidence?
> This script was installed on a completely different machine, at a
> different hosting company; I copied it across myself. The system it
> was installed on originally no longer exists at all; it has been
> totally destroyed some months ago.
>> Thirdly, I strongly suggest you replace the whole system, that is,
>> completely reinstall! You just cannot know if anything else is
>> tainted on there. Fourthly, you should report the machine as being
>> exploited, not only to inform others, but also to make sure the
>> person who abused your machine is not only investigated, but most
>> importantly, they are not implicating you as a suspect, if your
>> end was used to cause more attacks on third parties!
> You seem to be dramatically over-estimating how much I care about
> this particular server's health.
> You are right about the jumping-off point, but I'm keeping an eye
> on it; I'm not terribly worried. The pattern of recent use of the
> script matches a simple botnet running through the various options.
If somebody still connects to your exploit/service to conduct other
malicious activity, then there would be evidence; needless to say, the
backdoor is also evidential in nature.
It is nice that you do not care about this too much, but I and others
care very much if your machine is then used to launch attacks on
others. That simple iptables inbound block is hardly a deterrent; as you
said yourself, "botnet" is the key word there. Also, you would start
caring quite quickly if the police knock down your door, accusing you
of having broken into some silly US federal website and defaced it, and
you could not be bothered to reinstall the machine and make a backup
of the infected machine.
I doubt you are some forensics specialist, otherwise you would not have
come here in the first place.
You have been provided with good advice, that is all I or we can do as a
Tristan Santore BSc MBCS
Network and Infrastructure Operations
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
selinux mailing list
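Added example, not part of the thread above: a small check that quantifies the point made in the reply about the two /24 DROP rules being no real deterrent against a botnet. It parses Apache combined-format access-log lines for requests to the backdoor path, collects the distinct client addresses, and reports how many of them the two quoted iptables source blocks would actually cover. The log lines, the backdoor path (/images/hypothetical-shell.php) and every client address other than the two quoted /24 networks are constructed for this example; the only values taken from the thread are the two -s networks.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of Apache "combined" access-log lines: requests to a
# hypothetical backdoor path from several client addresses. Not real data.
BACKDOOR_PATH = "/images/hypothetical-shell.php"
SAMPLE_LOG = """\
18.104.22.40 - - [17/Feb/2012:22:01:13 +0000] "GET /images/hypothetical-shell.php?act=ls HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
18.104.22.77 - - [17/Feb/2012:22:04:51 +0000] "POST /images/hypothetical-shell.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"
22.214.171.9 - - [17/Feb/2012:23:12:02 +0000] "GET /images/hypothetical-shell.php?act=phpinfo HTTP/1.1" 200 9931 "-" "Mozilla/4.0"
203.0.113.17 - - [18/Feb/2012:01:30:44 +0000] "GET /images/hypothetical-shell.php?act=ls HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.250 - - [18/Feb/2012:02:15:09 +0000] "POST /images/hypothetical-shell.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"
192.0.2.88 - - [18/Feb/2012:03:48:37 +0000] "GET /images/hypothetical-shell.php?act=sql HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
203.0.113.17 - - [18/Feb/2012:04:02:10 +0000] "GET /index.html HTTP/1.1" 200 1420 "-" "Mozilla/4.0"
192.0.2.88 - - [18/Feb/2012:05:20:55 +0000] "GET /images/hypothetical-shell.php?act=ls HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

# The two inbound DROP rules quoted in the thread, expressed as networks.
# iptables treats "-s 18.104.22.168/24" as 18.104.22.0/24; strict=False
# makes the ipaddress module apply the same host-bit masking.
BLOCKED = [ipaddress.ip_network(cidr, strict=False)
           for cidr in ("18.104.22.168/24", "22.214.171.124/24")]

# Client address, then method and request path from the quoted request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')


def backdoor_sources(log_text, path=BACKDOOR_PATH):
    """Count requests to `path` per client IP (query string ignored)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m.group("path").split("?", 1)[0] == path:
            hits[m.group("ip")] += 1
    return hits


def is_blocked(ip, blocked=BLOCKED):
    """True if `ip` falls inside any of the DROP rule networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocked)


def block_coverage(log_text, blocked=BLOCKED, path=BACKDOOR_PATH):
    """Summarise how many distinct backdoor clients the DROP rules cover."""
    hits = backdoor_sources(log_text, path)
    covered = sorted(ip for ip in hits if is_blocked(ip, blocked))
    uncovered = sorted(ip for ip in hits if not is_blocked(ip, blocked))
    return {
        "sources": len(hits),
        "covered": covered,
        "uncovered": uncovered,
        "requests_uncovered": sum(hits[ip] for ip in uncovered),
    }


if __name__ == "__main__":
    report = block_coverage(SAMPLE_LOG)
    print(f"{len(report['covered'])} of {report['sources']} backdoor sources "
          f"blocked; still reachable from: {', '.join(report['uncovered'])}")
```

Run against a real access log, the same function shows at a glance whether a source-address block covers the clients actually using the backdoor; with a botnet cycling through addresses the uncovered list keeps growing, which is why removing the script and rebuilding the host (after taking an image for evidence) is the fix, not the firewall rule.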