Security Breach ?
Paul Howarth
paul at city-fan.org
Thu Mar 3 08:18:59 UTC 2005
On Thu, 2005-03-03 at 00:11 -0500, Chris Strzelczyk wrote:
> On Mar 3, 2005, at 12:11 AM, Thomas Cameron wrote:
>
> >
> > <snip>
> >
> > Look in /var/tmp - anything there called aVe or uselib24 or bots.txt?
> > Also, look in your /var/log/httpd area for anything weird in access_log
> > or error_log.
>
> Yes, I did have a couple of PERL programs in /var/tmp. One was called
> https and it is attached.
> As far as I understand this vulnerability it is limited to the user
> Apache is run by correct?
You don't say which distribution this web server was running, but I
suspect that if your Apache had been running under SELinux then the
attacker would not have been able to run any scripts from /tmp
or /var/tmp. So, when you rebuild the server, it would be well worth
considering using SELinux.
Paul.
--
Paul Howarth <paul at city-fan.org>
More information about the fedora-list
mailing list