FedoraForum.org > Security and Privacy
#1  20th October 2009, 10:04 PM  Zeitus42 (Registered User, Join Date: Oct 2009, Posts: 53)
SE Linux Signalling Hacker Attempts. How to root out the source?

Hey, recently I have been receiving attack alerts, and I would like to root out the source of the problem. I'll give you the messages. If you could help me prevent this hacker from even being able to attempt these things, any advice is helpful.

There have been memory stack attempts, failed sys_admin conversion attempts, password file write attempts etc.


Sys_admin attempt:


Code:
Summary:

SELinux is preventing gdm-session-wor (xdm_t) "sys_admin" to <Unknown> (xdm_t).

Detailed Description:

SELinux denied access requested by gdm-session-wor. The current boolean settings
do not allow this access. If you have not setup gdm-session-wor to require this
access this may signal an intrusion attempt. If you do intend this access you
need to change the booleans on this system to allow the access.

Allowing Access:

Confined processes can be configured to to run requiring different access,
SELinux provides booleans to allow you to turn on/off access as needed. The
boolean allow_polyinstantiation is set incorrectly.
Boolean Description:
Enable polyinstantiated directory support.


Fix Command:

# setsebool -P allow_polyinstantiation 1

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        gdm-session-wor
Source Path                   <Unknown>
Port                          <Unknown>
Host                          10lO1l01O0l101l0O10l1O01.10lO1l01O0l101l0Ol0l1O01.
                              com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-83.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_boolean
Host Name                     10lO1l01O0l101l0O10l1O01.10lO1l01O0l101l0Ol0l1O01.
                              com
Platform                      Linux 10lO1l01O0l101l0O10l1O01.10lO1l01O0l101l0Ol0
                              l1O01.com 2.6.30.8-64.fc11.i686.PAE #1 SMP Fri Sep
                              25 04:56:58 EDT 2009 i686 i686
Alert Count                   3
First Seen                    Wed 14 Oct 2009 11:39:40 PM NZDT
Last Seen                     Wed 14 Oct 2009 11:54:17 PM NZDT
Local ID                      a85dc046-960c-47ef-a430-a1b18b55c60f
Line Numbers                  

Raw Audit Messages            

node=10lO1l01O0l101l0O10l1O01.10lO1l01O0l101l0Ol0l1O01.com type=AVC msg=audit(1255517657.112:22): avc:  denied  { sys_admin } for  pid=1799 comm="gdm-session-wor" capability=21 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability
Attempt at writing to shadow:


Code:
Summary:

SELinux is preventing gdm-session-wor (xdm_t) "write" shadow_t.

Detailed Description:

SELinux denied access requested by gdm-session-wor. It is not expected that this
access is required by gdm-session-wor and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:shadow_t:s0
Target Objects                /etc/.pwd.lock [ file ]
Source                        gdm-session-wor
Source Path                   <Unknown>
Port                          <Unknown>
Host                          10lO1l01O0l101l0O10l1O01.10lO1l01O0l101l0Ol0l1O01.
                              com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-83.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     10lO1l01O0l101l0O10l1O01.10lO1l01O0l101l0Ol0l1O01.
                              com
Platform                      Linux 10lO1l01O0l101l0O10l1O01.10lO1l01O0l101l0Ol0
                              l1O01.com 2.6.30.8-64.fc11.i686.PAE #1 SMP Fri Sep
                              25 04:56:58 EDT 2009 i686 i686
Alert Count                   261
First Seen                    Sat 17 Oct 2009 01:58:41 PM NZDT
Last Seen                     Sat 17 Oct 2009 02:04:48 PM NZDT
Local ID                      f52c3b7d-23bd-4b97-96bb-2eeaeff18f82
Line Numbers                  

Raw Audit Messages            

node=10lO1l01O0l101l0O10l1O01.10lO1l01O0l101l0Ol0l1O01.com type=AVC msg=audit(1255741488.23:81): avc:  denied  { write } for  pid=1784 comm="gdm-session-wor" name=".pwd.lock" dev=sdb7 ino=11598 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
Memory stack attempt:


Code:
Summary:

SELinux is preventing works from making the program stack executable.

Detailed Description:

The works application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
to remove this requirement. If works does not work and you need it to work, you
can configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust works to
run correctly, you can change the context of the executable to execmem_exec_t.
"chcon -t execmem_exec_t '<Unknown>'" You must also change the default file
context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t execmem_exec_t '<Unknown>'"

Fix Command:

chcon -t execmem_exec_t '<Unknown>'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ process ]
Source                        works
Source Path                   <Unknown>
Port                          <Unknown>
Host                          10lO1l01O0l101l0O10l1O01.10lO1l01O0l101l0Ol0l1O01.
                              com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-85.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     10lO1l01O0l101l0O10l1O01.10lO1l01O0l101l0Ol0l1O01.
                              com
Platform                      Linux 10lO1l01O0l101l0O10l1O01.10lO1l01O0l101l0Ol0
                              l1O01.com 2.6.30.8-64.fc11.i686.PAE #1 SMP Fri Sep
                              25 04:56:58 EDT 2009 i686 i686
Alert Count                   28
First Seen                    Sat 17 Oct 2009 10:53:44 AM NZDT
Last Seen                     Wed 21 Oct 2009 09:53:30 AM NZDT
Local ID                      3c76e2ac-2b15-42ad-a290-58c4bdbad31c
Line Numbers                  

Raw Audit Messages            

node=10lO1l01O0l101l0O10l1O01.10lO1l01O0l101l0Ol0l1O01.com type=AVC msg=audit(1256072010.336:26): avc:  denied  { execstack } for  pid=3065 comm="works" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

Last edited by Zeitus42; 20th October 2009 at 10:31 PM.
#2  20th October 2009, 10:11 PM  Zeitus42 (Registered User, Join Date: Oct 2009, Posts: 53)

Attempts to hijack 'Nautilus' the file system manager:


Code:
Summary:

SELinux is preventing nautilus (unconfined_t) "setattr" unconfined_t.

Detailed Description:

SELinux denied access requested by nautilus. It is not expected that this access
is required by nautilus and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                fd [ dir ]
Source                        nautilus
Source Path                   <Unknown>
Port                          <Unknown>
Host                          10lO1l01O0l101l0O10l1O01.10lO1l01O0l101l0Ol0l1O01.
                              com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-83.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     10lO1l01O0l101l0O10l1O01.10lO1l01O0l101l0Ol0l1O01.
                              com
Platform                      Linux 10lO1l01O0l101l0O10l1O01.10lO1l01O0l101l0Ol0
                              l1O01.com 2.6.30.8-64.fc11.i686.PAE #1 SMP Fri Sep
                              25 04:56:58 EDT 2009 i686 i686
Alert Count                   6
First Seen                    Fri 16 Oct 2009 04:06:13 PM NZDT
Last Seen                     Fri 16 Oct 2009 06:10:44 PM NZDT
Local ID                      fd6acf50-8982-445f-b068-81a41b2ff2b8
Line Numbers                  

Raw Audit Messages            

node=10lO1l01O0l101l0O10l1O01.10lO1l01O0l101l0Ol0l1O01.com type=AVC msg=audit(1255669844.566:30): avc:  denied  { setattr } for  pid=2821 comm="nautilus" name="fd" dev=proc ino=38041 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
#3  20th October 2009, 10:55 PM  Nokia (Registered User, Join Date: Aug 2006, Location: /dev/realm/{Abba,Carpenters,...stage}, Posts: 3,286)
Code:
[root@main ~]# rpm -q selinux-policy
selinux-policy-3.6.12-85.fc11.noarch
First do:
Code:
su
yum update --enablerepo=u*g
reboot
Then come back with new avc denials, if any, but post the output of this command instead of what you posted earlier:
Code:
su
ausearch -m avc -ts today
__________________
For safer browsing, use OpenDNS nameservers 208.67.222.222 and 208.67.220.220

SELinux User Guide

AutoPager
#4  21st October 2009, 11:28 PM  Zeitus42 (Registered User, Join Date: Oct 2009, Posts: 53)

Hey there, here's the output of those commands. I have recently updated all my packages too.

Code:
rpm -q selinux-policy
selinux-policy-3.6.12-85.fc11.noarch
[outputString@10lO1l01O0l101l0O10l1O01 ~]$ sudo ausearch -m avc -ts today
----
time->Thu Oct 22 11:18:08 2009
type=SYSCALL msg=audit(1256163488.629:9): arch=40000003 syscall=4 success=no exit=-13 a0=2 a1=bfb0d770 a2=35 a3=35 items=0 ppid=1267 pid=1268 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1256163488.629:9): avc:  denied  { use } for  pid=1268 comm="dbus-daemon" path="/1" dev=devpts ino=4 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
----
time->Thu Oct 22 11:18:29 2009
type=SYSCALL msg=audit(1256163509.120:10): arch=40000003 syscall=5 success=no exit=-13 a0=9f24518 a1=8000 a2=0 a3=9f22628 items=0 ppid=1610 pid=1770 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1256163509.120:10): avc:  denied  { read } for  pid=1770 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=59 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
----
time->Thu Oct 22 11:18:48 2009
type=SYSCALL msg=audit(1256163528.199:18): arch=40000003 syscall=33 success=no exit=-13 a0=9f87fe8 a1=6 a2=5731a4 a3=9f87fe8 items=0 ppid=1770 pid=1995 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1256163528.199:18): avc:  denied  { read write } for  pid=1995 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=22 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
----
time->Thu Oct 22 11:18:48 2009
type=SYSCALL msg=audit(1256163528.199:19): arch=40000003 syscall=5 success=no exit=-13 a0=9f87fe8 a1=442 a2=180 a3=9f87fe8 items=0 ppid=1770 pid=1995 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1256163528.199:19): avc:  denied  { read append } for  pid=1995 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=22 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
----
time->Thu Oct 22 11:19:28 2009
type=SYSCALL msg=audit(1256163568.751:21): arch=40000003 syscall=125 success=no exit=-13 a0=bfb86000 a1=1000 a2=1000007 a3=bfb86030 items=0 ppid=2574 pid=2575 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="works" exe="/usr/lib/opera/works" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1256163568.751:21): avc:  denied  { execstack } for  pid=2575 comm="works" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Oct 22 11:19:28 2009
type=SYSCALL msg=audit(1256163568.815:22): arch=40000003 syscall=125 success=no exit=-13 a0=bf930000 a1=1000 a2=1000007 a3=bf9306a4 items=0 ppid=2578 pid=2579 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="works" exe="/usr/lib/opera/works" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1256163568.815:22): avc:  denied  { execstack } for  pid=2579 comm="works" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Oct 22 11:19:28 2009
type=SYSCALL msg=audit(1256163568.723:20): arch=40000003 syscall=125 success=no exit=-13 a0=bfb86000 a1=1000 a2=1000007 a3=bfb86170 items=0 ppid=2574 pid=2575 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="works" exe="/usr/lib/opera/works" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1256163568.723:20): avc:  denied  { execstack } for  pid=2575 comm="works" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Oct 22 11:19:28 2009
type=SYSCALL msg=audit(1256163568.815:23): arch=40000003 syscall=125 success=no exit=-13 a0=bf930000 a1=1000 a2=1000007 a3=bf93054c items=0 ppid=2578 pid=2579 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="works" exe="/usr/lib/opera/works" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1256163568.815:23): avc:  denied  { execstack } for  pid=2579 comm="works" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
#5  22nd October 2009, 05:58 AM  Zeitus42 (Registered User, Join Date: Oct 2009, Posts: 53)

Here's a screenshot of some files that had their owner changed?? How is this even possible?
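As an added example, not code from the thread, here is a small Python triage script for the `ausearch -m avc -ts today` output Nokia asked for and Zeitus42 posted above: it joins each `type=AVC` record to its `type=SYSCALL` record by audit event id (so the full `exe=` path is known) and counts denials per executable, permission set and source/target type. A run of identical denials from one binary, such as the `execstack` ones from `/usr/lib/opera/works`, then stands out as one misbehaving application rather than an intrusion. The sample input is a constructed excerpt of the output posted above.

```python
import re
from collections import Counter

# Constructed sample: two of the events from the ausearch output posted
# above, trimmed to the fields this script reads.
SAMPLE = """\
----
time->Thu Oct 22 11:18:48 2009
type=SYSCALL msg=audit(1256163528.199:18): arch=40000003 syscall=33 success=no exit=-13 ppid=1770 pid=1995 auid=500 uid=500 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1256163528.199:18): avc:  denied  { read write } for  pid=1995 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=22 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
----
time->Thu Oct 22 11:19:28 2009
type=SYSCALL msg=audit(1256163568.751:21): arch=40000003 syscall=125 success=no exit=-13 ppid=2574 pid=2575 auid=500 uid=500 comm="works" exe="/usr/lib/opera/works" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1256163568.751:21): avc:  denied  { execstack } for  pid=2575 comm="works" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
AVC = re.compile(r'denied\s+\{ ([^}]*) \}.*?comm="([^"]*)".*?'
                 r"scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
EXE = re.compile(r'exe="([^"]*)"')

def selinux_type(ctx):
    """user:role:type:level -> type, e.g. xdm_t"""
    return ctx.split(":")[2]

def parse_ausearch(text):
    """One record per AVC denial, joined to the SYSCALL record that shares
    its audit event id so the executable's full path is available."""
    exe_by_id, denials = {}, []
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        event = m.group(1)
        if line.startswith("type=SYSCALL"):
            e = EXE.search(line)
            exe_by_id[event] = e.group(1) if e else None
        elif line.startswith("type=AVC"):
            a = AVC.search(line)
            if a:
                perms, comm, sctx, tctx, tclass = a.groups()
                denials.append({"event": event, "comm": comm,
                                "perms": tuple(perms.split()),
                                "stype": selinux_type(sctx),
                                "ttype": selinux_type(tctx),
                                "tclass": tclass})
    for d in denials:
        d["exe"] = exe_by_id.get(d["event"])
    return denials

def summarize(denials):
    """Count denials per (exe, perms, source type, target type, class)."""
    return Counter((d["exe"] or d["comm"], d["perms"], d["stype"],
                    d["ttype"], d["tclass"]) for d in denials)

if __name__ == "__main__":
    for key, n in summarize(parse_ausearch(SAMPLE)).most_common():
        print(n, *key)
```

Feed it the real output with `sudo ausearch -m avc -ts today | python3 script.py` after replacing `SAMPLE` with `sys.stdin.read()`; the most common keys are the ones to check against the policy first.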
Attached thumbnail: user #1000a.jpg (62.4 KB)
#6  22nd October 2009, 07:26 AM  Nokia (Registered User, Join Date: Aug 2006, Location: /dev/realm/{Abba,Carpenters,...stage}, Posts: 3,286)

Two things:

1. You are NOT under attack. You seem to have a problem regarding Opera, but that's all. We'll talk about a possible fix later. (Gotta run now...)

2. Your screenshot is irrelevant.