Help with AVC messages
James Morris
jmorris at namei.org
Wed Sep 10 23:31:42 UTC 2008
On Wed, 10 Sep 2008, Kristen R wrote:
> Last night I had a user's website hacked. The hacker then tried to use httpd to
> access /etc files and directories, as well as the root directory. SELinux
> saved my system.
>
> I need to make a complaint to the ISP who is providing for this offender. I
> have http access logs and error logs but they don't show very much. Other
> than access which was valid (well, not valid) and 2 entries in the error log.
> Is there a way I can correlate the AVC denials with the malicious attacker? The
> AVC messages do not have time stamps or IP addresses attached to them.
>
> Thank you for your assistance, and for SELinux!
You should be able to find more detailed information in the audit log.
Try "ausearch -x httpd"
Any idea how they attacked the web server?
- James
--
James Morris
<jmorris at namei.org>
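
An added example, not part of the original messages: each AVC record in the audit log carries its event time as a Unix epoch inside msg=audit(SECONDS.MILLIS:SERIAL), which can be matched against web server access-log entries to find the client addresses active around each denial. The log lines, addresses, field layout and function names below are constructed for illustration, and a combined-format access log is assumed.

```python
import re
from datetime import datetime, timezone

# Constructed sample data, not taken from the thread. IPs are documentation addresses.
AUDIT_LOG = '''\
type=AVC msg=audit(1221000000.120:431): avc:  denied  { read } for  pid=2211 comm="httpd" name="shadow" dev=sda1 ino=1021 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1221000900.500:502): avc:  denied  { getattr } for  pid=2300 comm="httpd" path="/root" dev=sda1 ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1221000950.000:510): avc:  denied  { read } for  pid=900 comm="sendmail" name="x" dev=sda1 ino=7 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
'''
ACCESS_LOG = '''\
203.0.113.7 - - [09/Sep/2008:22:39:58 +0000] "GET /site/gallery.php?id=1 HTTP/1.1" 200 512
198.51.100.20 - - [09/Sep/2008:22:45:00 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [09/Sep/2008:22:54:59 +0000] "POST /site/gallery.php HTTP/1.1" 200 87
'''

# Simplified to the pid/comm/name-or-path field order used in the samples above.
AVC_RE = re.compile(r'type=AVC msg=audit\((\d+\.\d+):(\d+)\): avc:\s+denied\s+\{ ([^}]+) \}'
                    r'.*? comm="([^"]+)" (?:name|path)="([^"]+)"')
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')

def parse_access(text):
    """Yield (utc_datetime, client_ip, request_line) per access-log line."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield when.astimezone(timezone.utc), m.group(1), m.group(3)

def correlate(audit_text, access_text, comm="httpd", window_s=5):
    """For each AVC denial by `comm`, list requests logged within window_s seconds."""
    requests = list(parse_access(access_text))
    findings = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group(4) != comm:
            continue
        # msg=audit(SECONDS.MILLIS:SERIAL) is the event time as a Unix epoch.
        when = datetime.fromtimestamp(float(m.group(1)), tz=timezone.utc)
        near = [(ip, req) for t, ip, req in requests
                if abs((when - t).total_seconds()) <= window_s]
        findings.append({"time": when.isoformat(), "serial": int(m.group(2)),
                         "perm": m.group(3), "target": m.group(5), "requests": near})
    return findings

if __name__ == "__main__":
    for f in correlate(AUDIT_LOG, ACCESS_LOG):
        print(f["time"], f["perm"], f["target"], f["requests"])
```

A time match only narrows the candidates; on a busy server several clients can fall inside the same window, so the matched request lines still need to be read.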