I just discovered, because setroubleshootd was taking up all my CPU time :D, that there's a script kiddie console on my webserver, which is not only running selinux, but is running it with unconfined mostly off.
This amuses me. Not least because it turns out I copied it over from my previous server 0.o, so it's been around for years.
I've eliminated the immediate problem, in the form of:
iptables -I INPUT -s 180.76.6.0/24 -j DROP
iptables -I INPUT -s 180.76.5.0/24 -j DROP
but I invite you all to poke at it:
http://www.lojban.org/story/bok.php
I'm just curious as to whether anyone can get it to do anything *remotely* bad, given my configuration. I'd rather you didn't ruin the machine (although I could certainly recover), but other than that, have at.
-Robin
Erm, I meant "SELinux in the wild!" in the subject. :P
-Robin
On Fri, Feb 17, 2012 at 10:48:15PM -0800, Robin Lee Powell wrote:
--
http://singinst.org/ : Our last, best hope for a fantastic future.
.i ko na cpedu lo nu stidi vau loi jbopre .i danfu lu na go'i li'u .e lu go'i li'u .i ji'a go'i lu na'e go'i li'u .e lu go'i na'i li'u .e lu no'e go'i li'u .e lu to'e go'i li'u .e lu lo mamta be do cu sofybakni li'u
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
On 18/02/12 06:48, Robin Lee Powell wrote:
Robin,
first of all, I doubt anyone wants to even remotely connect to that "console", due to legal reasons. Secondly, if any of us did, it would taint the evidence. Thirdly, I strongly suggest you replace the whole system, that is, completely reinstall! You just cannot know if anything else is tainted on there. Fourthly, you should report the machine as being exploited, not only to inform others, but also to make sure the person who abused your machine is not only investigated, but most importantly, they are not implicating you as a suspect, if your end was used to cause more attacks on third parties!
Further, selinux itself cannot guard against rubbish web scripts you have running on the machine. It can only contain processes. If however there was an exploitable kernel on there, you are royally in trouble.
So, hence the reinstall. Make sure you take a full system snapshot first, preferably with memory dump. If this is a virtual machine that is not a problem, if not, there are tools available.
Do NOT touch the backups. Make a copy of the backups and document everything you did, in case forensics people from the police need or want to look at it.
On a last note, this is not really the place to ask for help in investigating a security incident. You should seek proper forensic advice, preferably from somebody who is a CISA or equivalent.
Regards,
Tristan
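Tristan's advice above amounts to an evidence-preservation procedure: hash and copy the suspect script, record its metadata and SELinux label, and document every step before the box is rebuilt. The following POSIX shell function is an added example, not commands from anyone in the thread; it assumes GNU coreutils (sha256sum, stat, cp -p), treats the SELinux tools as optional, and the file and case-directory paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): preserve a suspect web script as evidence
# before touching or reinstalling the machine.
# Assumes GNU coreutils; ls -Z is used only if SELinux tooling is present.
set -eu

# preserve_evidence SUSPECT_FILE CASE_DIR
# Copies the file with timestamps preserved, records hashes, stat output and
# the SELinux label, then appends an entry to a chain-of-custody log.
# Prints the SHA-256 of the original so the caller can cross-check later.
preserve_evidence() {
    suspect="$1"
    casedir="$2"
    mkdir -p "$casedir"
    log="$casedir/custody.log"
    name=$(basename "$suspect")

    # 1. Hash the original in place first, so the hash predates any copy.
    orig_hash=$(sha256sum "$suspect" | cut -d' ' -f1)

    # 2. Copy preserving mode, ownership where permitted, and mtime (cp -p).
    cp -p "$suspect" "$casedir/$name"

    # 3. Record metadata: size, owner, mode, access/modify/change times.
    stat "$suspect" > "$casedir/$name.stat"

    # 4. Record the SELinux context if available: the label on the script and
    #    the domain httpd ran in are what decide how confined the shell was.
    ls -Z "$suspect" > "$casedir/$name.selinux" 2>/dev/null || \
        echo "selinux label unavailable on this host" > "$casedir/$name.selinux"

    # 5. Verify the copy is bit-identical, then write the custody entry.
    copy_hash=$(sha256sum "$casedir/$name" | cut -d' ' -f1)
    if [ "$orig_hash" != "$copy_hash" ]; then
        echo "hash mismatch while copying $suspect" >&2
        return 1
    fi
    printf '%s sha256=%s file=%s by=%s host=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$orig_hash" "$suspect" \
        "$(id -un)" "$(uname -n)" >> "$log"
    echo "$orig_hash"
}
```

Run it against the live file before any cleanup (for example, before the iptables rules or a reinstall) so the hashes and timestamps reflect the state you actually found.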
On Sat, Feb 18, 2012 at 06:58:27AM +0000, Tristan Santore wrote:
> Robin,
> first of all, I doubt anyone wants to even remotely connect to that "console", due to legal reasons.
You're probably right; hadn't thought of that. I don't get to have any fun. :P :)
> Secondly, if any of us did, it would taint the evidence.
What evidence?
This script was installed on a completely different machine, at a different hosting company; I copied it across myself. The system it was installed on originally no longer exists at all; it was totally destroyed some months ago.
> Thirdly, I strongly suggest you replace the whole system, that is, completely reinstall! You just cannot know if anything else is tainted on there. Fourthly, you should report the machine as being exploited, not only to inform others, but also to make sure the person who abused your machine is not only investigated, but most importantly, they are not implicating you as a suspect, if your end was used to cause more attacks on third parties!
You seem to be dramatically over-estimating how much I care about this particular server's health. :D
You are right about the jumping-off point, but I'm keeping an eye on it; I'm not terribly worried. The pattern of recent use of the script matches a simple botnet running through the various options.
-Robin
On 18/02/12 07:23, Robin Lee Powell wrote:
If somebody still connects to your exploit/service to conduct other malicious activity, then there would be evidence; needless to say, the backdoor is also evidential in nature.
It is nice that you do not care about this too much, but I and others care very much if your machine is then used to launch attacks on others. That simple iptables inbound block is hardly a deterrent; as you said yourself, botnet is the key word there. Also, you would start caring quite quickly if the police knocked down your door, accusing you of having broken into some silly US federal website and defaced it, and you could not be bothered to reinstall the machine and make a backup of the infected machine.
I doubt you are some forensics specialist, otherwise you would not have come here in the first place.
You have been provided with good advice, that is all I or we can do as a whole.
Regards, Tristan