
Peter Ross <Peter.Ross@bogen.in-berlin.de> wrote:
> The damage there does not make too much sense. Maybe just a test run to figure out whether the site is vulnerable?
> I have to admit, my criminal imagination isn't that great. So I better stop musing about it, and see what can be done to fix it.

I would expect that in the absence of a strong SELinux policy, whoever compromised the Web application could run a shell on the machine, at which stage it's only a local root exploit away from disaster. I would be looking carefully for root kits just in case they've taken that step. It's entirely possible, of course, that the crackers don't have the tools to carry out an exploit and install a root kit, but if it were my machine I wouldn't be making that assumption.