Help with AVC messages
Kristen R
kris_s at atmyhome.org
Thu Sep 11 20:20:55 UTC 2008
On Sep 10, 2008, at 3:31 PM, James Morris wrote:
> On Wed, 10 Sep 2008, Kristen R wrote:
>
>> Last night I had a user's website hacked. The hacker then tried to
>> use httpd to access /etc files and directories, as well as the root
>> directory. SELinux saved my system.
>>
>> I need to make a complaint to the ISP who is providing for this
>> offender. I have http access logs and error logs but they don't show
>> very much, other than access which was valid (well, not valid) and 2
>> entries in the error log. Is there a way I can correlate the AVC
>> denials with the malicious attacker? The AVC messages do not have
>> time stamps or IP addresses attached to them.
>>
>> Thank you for your assistance, and for SELinux!
>
> You should be able to find more detailed information in the audit log.
>
> Try "ausearch -x httpd"
>
> Any idea how they attacked the web server?
>
>
> - James
> --
> James Morris
> <jmorris at namei.org>
I do know how they got into the website. The user is running a
Joomla! CMS website (ver 1.5). There is a vulnerability in sanitizing
the input on the screen where a user requests their password. That
vulnerability was exploited, which allowed the attacker to gain access
to the administration side of the software. Once there he installed
his own software, a JavaScript version. I can see in the URLs sent
to the webserver where queries for /etc and / were sent. The AVC
messages stated that httpd was attempting to gain read access to the
/etc directory, and also the root directory.

This involved several hours of research using find and a rootkit
hunter, along with deleting MySQL databases and directories. I didn't
appreciate it at all. So, I have decided to block the entire Turkish
network this attacker came from, since this network is notorious for
spam anyhow.
Kristen
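The point behind James's ausearch suggestion is that the audit log, unlike the bare AVC lines copied into dmesg or /var/log/messages, does carry time: every record has msg=audit(SECONDS.MILLIS:SERIAL), an epoch timestamp (ausearch -x httpd -i prints it as a readable date, and -ts/-te narrow the search to a time range). The web server's access_log carries the client address with a local-time stamp, so the two can be joined on time. The script below is an added example, not code from this thread or from the audit or SELinux tooling: it parses constructed audit.log and Apache access_log lines and reports, for each httpd denial, the requests that completed within a few seconds of it. The addresses, paths, serials and timestamps in the sample records are constructed; the parsing assumes the stock auditd AVC record format and the Apache common/combined log format.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample records (not from the original thread). Real auditd
# AVC lines and Apache access_log lines have the same shape.
AUDIT_LOG = """\
type=AVC msg=audit(1221081332.908:1042): avc:  denied  { read } for  pid=2871 comm="httpd" name="etc" dev=sda2 ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1221081351.507:1043): avc:  denied  { read } for  pid=2871 comm="httpd" name="/" dev=sda2 ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=AVC msg=audit(1221085200.002:1099): avc:  denied  { name_connect } for  pid=2875 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
"""

# access_log is local time with a UTC offset; the audit epoch is UTC.
ACCESS_LOG = """\
203.0.113.7 - - [10/Sep/2008:17:15:12 -0400] "GET /index.php?option=com_content HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2008:17:15:33 -0400] "GET /administrator/index.php?option=com_media&dir=../../../../etc HTTP/1.1" 200 8871 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Sep/2008:17:15:52 -0400] "GET /administrator/index.php?option=com_media&dir=../../../../ HTTP/1.1" 200 8455 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Sep/2008:17:30:02 -0400] "GET /images/logo.png HTTP/1.1" 200 1742 "-" "Mozilla/5.0"
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$'
)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (epoch_seconds, serial, perms, fields) for one AVC record, or None."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return float(m.group('ts')), int(m.group('serial')), m.group('perms').split(), fields


def parse_access(line):
    """Return (epoch_seconds, client_ip, request_line) for one access_log entry, or None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    # %z consumes the numeric offset, so .timestamp() yields a true UTC epoch
    # comparable with the audit record's msg=audit(...) value.
    when = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return when.timestamp(), m.group('ip'), m.group('request')


def correlate(audit_text, access_text, window=5.0):
    """For each AVC denial, list access_log requests that completed within
    +/- window seconds of it. Apache logs a request when it finishes, so the
    denial normally precedes the log entry by a fraction of a second.
    Returns [(serial, comm, what_was_denied, [(client_ip, request, delta_s), ...]), ...]."""
    requests = [r for r in map(parse_access, access_text.splitlines()) if r]
    results = []
    for rec in map(parse_avc, audit_text.splitlines()):
        if rec is None:
            continue
        ts, serial, perms, f = rec
        target = f.get('path') or f.get('name') or ('port ' + f['dest'] if 'dest' in f else '?')
        hits = [(ip, req, round(rts - ts, 3)) for rts, ip, req in requests if abs(rts - ts) <= window]
        hits.sort(key=lambda h: abs(h[2]))
        results.append((serial, f.get('comm', '?'), ' '.join(perms) + ' ' + target, hits))
    return results


def suspect_ips(results):
    """Count how many denials each client address is correlated with."""
    return Counter(ip for _, _, _, hits in results for ip, _, _ in hits)


if __name__ == '__main__':
    found = correlate(AUDIT_LOG, ACCESS_LOG)
    for serial, comm, what, hits in found:
        print(f'audit serial {serial}: {comm} denied {what}')
        if not hits:
            print('    no request within the window (not necessarily attacker-driven)')
        for ip, req, delta in hits:
            print(f'    {ip}  {req}  ({delta:+.3f}s)')
    print('suspects:', dict(suspect_ips(found)))
```

Two caveats the sample is built to show. First, the timezone: audit timestamps are UTC epoch seconds, access_log stamps are local time with an offset, and getting that wrong shifts every match by hours. Second, not every denial maps to a request: the third constructed record (httpd trying to connect to port 25) has no request near it, which is just as plausibly a misconfigured PHP mailer as an attacker, so a denial with no correlated request should not be blamed on an address. On a real box, feed the script the output of ausearch -x httpd (raw, without -i) and the matching access_log, and widen the window if the server was under load.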