Trying to track down why httpd would be trying to connect to a tor port

Matthew Larsen utegrad at gmail.com
Fri Feb 6 17:00:30 MST 2015


I'm seeing occasional selinux denied messages in my logs that I believe
indicate that the httpd process is trying to connect to a tor port:

type=AVC msg=audit(1423247604.799:1966): avc: *denied* { *name_connect* }
for pid=25650 comm="*httpd*" dest=*9050* scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:*tor_port_t*:s0 tclass=tcp_socket

This server is not directly connected to the Internet. All the HTTP
requests are proxied from a server that is connected to the Internet with
HAProxy to pass requests back and forth. The web sites on the server are
WordPress sites in a few different virtual hosts. None of the sites are
very busy.

I don't want to turn on the sebool to allow httpd to network connect to
just anywhere, and this looks like a good reason not to.

My concern is, why is the httpd process is trying to do this at all and
that the server may be compromised somehow.  Maybe it's just a failed
attempt at a hack through a crafted http request?

Any suggestions for how to track down the source that's causing these
network connection attempts?
Thanks,
ML


More information about the PLUG mailing list