
Re: Help with AVC messages



On Wed, 10 Sep 2008, Kristen R wrote:

> Last night I had a user's website hacked. The hacker then tried to use httpd to
> access /etc files and directories, as well as the root directory. SELinux
> saved my system.
> 
> I need to make a complaint to the ISP who is providing for this offender. I
> have http access logs and error logs but they don't show very much. Other
> than access which was valid (well, not valid) and 2 entries in the error log.
> Is there a way I can correlate the AVC denials with the malicious attacker? The
> AVC messages do not have time stamps or IP addresses attached to them.
> 
> Thank you for your assistance, and for SELinux!

You should be able to find more detailed information in the audit log.

Try "ausearch -x httpd"

Any idea how they attacked the web server?


- James
-- 
James Morris
<jmorris namei org>
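
One way to do the correlation asked about above, as an added example that is not part of the original messages: each record in /var/log/audit/audit.log carries an epoch timestamp in its msg=audit(...) field, which can be matched against the request times in the Apache access log. The log lines, IP addresses and the 5-second window are constructed assumptions; a long-running request can fall outside the window.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the thread); IPs are documentation ranges.
AUDIT_LOG = """\
type=AVC msg=audit(1221004805.312:4411): avc:  denied  { read } for  pid=2817 comm="httpd" name="shadow" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1221008400.000:4502): avc:  denied  { getattr } for  pid=2817 comm="httpd" path="/root" dev=dm-0 ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
"""
ACCESS_LOG = """\
192.0.2.10 - - [10/Sep/2008:00:00:04 +0000] "GET /~user/page.php HTTP/1.1" 200 512
198.51.100.7 - - [10/Sep/2008:00:30:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# msg=audit(<epoch seconds>.<ms>:<serial>) is the record's timestamp and event id.
AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
                    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)"')
TARGET_RE = re.compile(r'(?:path|name)="([^"]+)"')
ACCESS_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def parse_avc(text, comm="httpd"):
    """Yield AVC denials raised by the given command name."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m and m["comm"] == comm:
            tgt = TARGET_RE.search(line)
            yield {"time": datetime.fromtimestamp(float(m["ts"]), timezone.utc),
                   "serial": int(m["serial"]), "perms": m["perms"].split(),
                   "target": tgt.group(1) if tgt else None}

def parse_access(text):
    """Yield client IP, request start time and request line per access entry."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            yield {"ip": m["ip"], "request": m["req"],
                   "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def correlate(audit_text, access_text, window=timedelta(seconds=5)):
    """Pair each denial with requests that started at most `window` before it."""
    hits = list(parse_access(access_text))
    return [(avc, [h for h in hits
                   if timedelta(0) <= avc["time"] - h["time"] <= window])
            for avc in parse_avc(audit_text)]

if __name__ == "__main__":
    for avc, near in correlate(AUDIT_LOG, ACCESS_LOG):
        print(avc["time"].isoformat(), avc["perms"], avc["target"],
              [(h["ip"], h["request"]) for h in near] or "no request in window")
```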

