Help with AVC messages

Kristen R kris_s at atmyhome.org
Thu Sep 11 20:20:55 UTC 2008


On Sep 10, 2008, at 3:31 PM, James Morris wrote:

> On Wed, 10 Sep 2008, Kristen R wrote:
>
>> Last night I had a user's website hacked. The hacker then tried to
>> use httpd to access /etc files and directories, as well as the root
>> directory. SELinux saved my system.
>>
>> I need to make a complaint to the ISP who is providing for this
>> offender. I have http access logs and error logs, but they don't show
>> very much, other than access which was valid (well, not valid) and 2
>> entries in the error log. Is there a way I can correlate the AVC
>> denials with the malicious attacker? The AVC messages do not have
>> time stamps or IP addresses attached to them.
>>
>> Thank you for your assistance, and for SELinux!
>
> You should be able to find more detailed information in the audit log.
>
> Try "ausearch -x httpd"
>
> Any idea how they attacked the web server?
>
>
> - James
> -- 
> James Morris
> <jmorris at namei.org>


I do know how they got into the website. The user is running a
Joomla! CMS website (ver 1.5). There is a vulnerability in sanitizing
the input on the screen where a user requests their password. That
vulnerability was exploited, which allowed the attacker to gain access
to the administration side of the software. Once there he installed
his own software, a JavaScript version. I can see in the URLs sent
to the webserver where queries for /etc and / were sent. The AVC
messages stated that httpd was attempting to gain read access to the
/etc directory, and also to the root directory.

This involved several hours of research using find and a rootkit
hunter, along with deleting MySQL databases and directories. I didn't
appreciate it at all. So, I have decided to block the entire Turkish
network this attacker came from, since this network is notorious for
spam anyhow.

Kristen
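As an added example (not part of the original thread or of any Fedora/SELinux tooling), the script below does the correlation the thread asks about: it reads the `msg=audit(EPOCH.MS:SERIAL)` field that every raw `/var/log/audit/audit.log` record carries (the same timestamp `ausearch -x httpd` reports), converts the Apache combined-log timestamps to epoch seconds, and lists the client addresses whose requests fall within a short window of each httpd AVC denial. The audit and access-log lines, the 203.0.113.x/198.51.100.x addresses, the inode numbers and the request paths are constructed samples, and the ±2 second window is an assumption; on a real host the two logs must come from the same machine so that their clocks agree.

```python
"""Correlate SELinux AVC denials (raw audit.log) with Apache access-log
requests by timestamp.  Added example for this thread; all log lines
below are constructed samples, not captures from a real host."""
import re
from datetime import datetime

# Constructed audit.log excerpt.  The msg=audit(EPOCH.MS:SERIAL) field is
# the timestamp ausearch reads; it is present even though the kernel-style
# AVC text carries no human-readable time or client address.
AUDIT_LOG = """\
type=AVC msg=audit(1221081655.412:4567): avc:  denied  { read } for  pid=2201 comm="httpd" name="etc" dev=sda1 ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1221081655.430:4568): avc:  denied  { read } for  pid=2201 comm="httpd" name="/" dev=sda1 ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=AVC msg=audit(1221081900.001:4570): avc:  denied  { read } for  pid=3310 comm="sshd" name="shadow" dev=sda1 ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Constructed Apache combined-format access log excerpt (documentation
# address ranges, placeholder request paths).
ACCESS_LOG = """\
198.51.100.5 - - [10/Sep/2008:21:18:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2008:21:20:54 +0000] "GET /administrator/index.php HTTP/1.1" 200 9810 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2008:21:20:55 +0000] "GET /administrator/index.php?view=files HTTP/1.1" 200 1202 "-" "Mozilla/5.0"
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<epoch>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perm>[^}]+) \} for .*?comm="(?P<comm>[^"]*)"'
    r'.*?name="(?P<name>[^"]*)".*?tclass=(?P<tclass>\S+)'
)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)


def parse_avc(text, comm="httpd"):
    """Return AVC records (dicts with float 'ts' and int 'serial') for one comm."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m or m.group("comm") != comm:
            continue
        rec = m.groupdict()
        rec["ts"] = float(f"{rec['epoch']}.{rec['ms']}")
        rec["serial"] = int(rec["serial"])
        out.append(rec)
    return out


def parse_access(text):
    """Return access-log records with an epoch 'ts' (the %z offset is honoured)."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        out.append(rec)
    return out


def correlate(avcs, requests, window=2.0):
    """For each denial, list the requests logged within +/- window seconds.

    Apache writes the access-log line when a request completes, while the
    AVC is raised mid-request, so the window has to cover request duration.
    Returns a list of (serial, name, tclass, [(ip, request), ...]).
    """
    results = []
    for avc in avcs:
        near = [(r["ip"], r["request"]) for r in requests
                if abs(r["ts"] - avc["ts"]) <= window]
        results.append((avc["serial"], avc["name"], avc["tclass"], near))
    return results


def suspect_ips(avcs, requests, window=2.0):
    """Client addresses that appear next to at least one httpd denial."""
    ips = set()
    for _, _, _, near in correlate(avcs, requests, window):
        ips.update(ip for ip, _ in near)
    return sorted(ips)


if __name__ == "__main__":
    avcs = parse_avc(AUDIT_LOG)
    reqs = parse_access(ACCESS_LOG)
    for serial, name, tclass, near in correlate(avcs, reqs):
        print(f"AVC {serial}: httpd denied read on {tclass} {name!r}")
        for ip, request in near:
            print(f"    {ip}  {request}")
    print("suspect clients:", suspect_ips(avcs, reqs))
```

The sshd denial is filtered out by `comm`, and the 21:18:00 request from 198.51.100.5 falls outside the window, so only 203.0.113.7 is reported against the two httpd denials. The timestamp match is only circumstantial: it tells you which requests were in flight when httpd hit the denial, which is exactly the evidence to pair with the access-log entries when writing to the offending network's abuse contact.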




More information about the fedora-selinux-list mailing list