Trying to track down why httpd would be trying to connect to a tor port

Kenny Long long.kenny at gmail.com
Fri Feb 6 21:51:01 MST 2015


A couple of thoughts that may be long shots:
1.  I would see if auditd or strace can help you out.
2.  You could run volatility against the process.

Let me know if you run into questions with either.

I'm seeing occasional selinux denied messages in my logs that I believe
indicate that the httpd process is trying to connect to a tor port:

type=AVC msg=audit(1423247604.799:1966): avc: denied { name_connect }
for pid=25650 comm="httpd" dest=9050
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:tor_port_t:s0 tclass=tcp_socket

This server is not directly connected to the Internet. All the HTTP
requests are proxied from a server that is connected to the Internet with
HAProxy to pass requests back and forth. The web sites on the server are
WordPress sites in a few different virtual hosts. None of the sites are
very busy.

I don't want to turn on the sebool to allow httpd to network connect to
just anywhere, and this looks like a good reason not to.

My concern is why the httpd process is trying to do this at all, and
that the server may be compromised somehow.  Maybe it's just a failed
attempt at a hack through a crafted http request?

Any suggestions for how to track down the source that's causing these
network connection attempts?
Thanks,
ML

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
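Kenny's auditd suggestion carried one step further, as an added example that is not from the thread: the epoch timestamp in the AVC record is the hook for finding the request httpd was serving when it tried to connect. The script parses AVC records and httpd access_log lines (both constructed here, modelled on the record in the posting) and, for every denied name_connect from httpd_t to a port type a WordPress host has no reason to reach, lists the requests received just before it; the `expected_port_types` set and the time window are assumptions to tune for the site.

```python
import re
from datetime import datetime
# Constructed audit.log records, modelled on the AVC line in the post (emphasis asterisks removed).
AUDIT_LOG = """\
type=AVC msg=audit(1423247604.799:1966): avc: denied { name_connect } for pid=25650 comm="httpd" dest=9050 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tor_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1423247610.120:1970): avc: denied { name_connect } for pid=25651 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1423247612.000:1975): avc: denied { read } for pid=25650 comm="httpd" name="id_rsa" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=file
"""
# Constructed access_log lines (combined format, -0700 = MST). Apache's %t is the time the
# request was received, so the triggering request is logged shortly before the AVC timestamp.
ACCESS_LOG = """\
203.0.113.7 - - [06/Feb/2015:11:33:20 -0700] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Feb/2015:11:33:24 -0700] "POST /wp-content/uploads/2015/02/cache.php HTTP/1.1" 200 88 "-" "curl/7.29.0"
198.51.100.9 - - [06/Feb/2015:11:40:01 -0700] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""
AVC_RE = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):\d+\).*?denied\s*\{\s*(?P<perm>[^}]+?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ACCESS_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)"')

def parse_avc(line):
    # One AVC record -> dict with ts (epoch float), perm, and every key=value field on the line.
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "perm": m.group("perm")}
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(line))
    return rec

def selinux_type(ctx):
    return ctx.split(":")[2]  # system_u:object_r:tor_port_t:s0 -> tor_port_t

def suspicious_connects(audit_text, source_type="httpd_t",
                        expected_port_types=frozenset({"http_port_t", "mysqld_port_t"})):
    """Denied name_connect attempts by source_type to port types the web app should never reach."""
    recs = (parse_avc(l) for l in audit_text.splitlines())
    return [r for r in recs if r and r["perm"] == "name_connect"
            and selinux_type(r["scontext"]) == source_type
            and selinux_type(r["tcontext"]) not in expected_port_types]

def parse_access(line):
    m = ACCESS_RE.match(line)
    return m and {"ts": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z").timestamp(),
                  "client": m.group("client"), "request": m.group("request")}

def correlate(audit_text, access_text, window=3.0):
    """For each suspicious denial, the requests received up to `window` seconds before it."""
    requests = [r for r in (parse_access(l) for l in access_text.splitlines()) if r]
    return [{"pid": h["pid"], "dest": h["dest"], "port_type": selinux_type(h["tcontext"]),
             "requests": [r for r in requests if 0 <= h["ts"] - r["ts"] <= window]}
            for h in suspicious_connects(audit_text)]
```

On a prefork server with several busy workers the time window alone is ambiguous; adding `%P` (the child pid) to the httpd LogFormat lets the pid in the AVC record be matched directly, and `ausearch -m AVC -c httpd` pulls the raw records out of audit.log.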