<snip>
> The problem is that leaving cacti open was the most stupid thing I've done.
> After checking /var/log/httpd/error_log, I saw that someone exploited a
> cacti php file and the result was:
<snip>
> which immediately downloaded ShellBOT to /tmp and executed it. It was a good
> thing I caught this as early as I did. So, what's everyone else's solution
> these days? Or is it simply a matter of creating a /tmp partition and
> mounting it noexec?
<snip>
Using htaccess in addition to the built-in Cacti auth might be
helpful. What version of Cacti were you running?
Unfortunately I had to not limit access to Cacti, as I had to connect to it from different IP addresses. I was running Cacti 0.8.6h from dag.wieers.com. I couldn't get 0.8.6j to work for some reason, so I had to fall back to 0.8.6h. For reference, here's what error_log had with regard to the exploited Cacti:
[client 217.11.132.214] PHP Notice: Undefined index: 1 in /var/www/cacti/lib/functions.php on line 455
[client 217.11.132.214] PHP Notice: Undefined index: total_polls in /var/www/cacti/lib/functions.php on line 455
[client 217.11.132.214] PHP Notice: Undefined index: failed_polls in /var/www/cacti/lib/functions.php on line 456
[client 217.11.132.214] PHP Notice: Undefined index: snmp_community in /var/www/cacti/lib/functions.php on line 467
[client 217.11.132.214] PHP Notice: Undefined index: max_time in /var/www/cacti/lib/functions.php on line 480
[client 217.11.132.214] PHP Notice: Undefined index: min_time in /var/www/cacti/lib/functions.php on line 484
[client 217.11.132.214] PHP Notice: Undefined index: failed_polls in /var/www/cacti/lib/functions.php on line 488
[client 217.11.132.214] PHP Notice: Undefined index: avg_time in /var/www/cacti/lib/functions.php on line 489
[client 217.11.132.214] PHP Notice: Undefined index: failed_polls in /var/www/cacti/lib/functions.php on line 489
[client 217.11.132.214] PHP Notice: Undefined index: status in /var/www/cacti/lib/functions.php on line 492
[client 217.11.132.214] PHP Notice: Undefined index: status in /var/www/cacti/lib/functions.php on line 492
[client 217.11.132.214] PHP Notice: Undefined index: status_fail_date in /var/www/cacti/lib/functions.php on line 568
[client 217.11.132.214] PHP Notice: Undefined index: status_rec_date in /var/www/cacti/lib/functions.php on line 569
[client 217.11.132.214] PHP Notice: Undefined index: status_last_error in /var/www/cacti/lib/functions.php on line 570
[client 217.11.132.214] PHP Notice: Undefined index: min_time in /var/www/cacti/lib/functions.php on line 571
[client 217.11.132.214] PHP Notice: Undefined index: max_time in /var/www/cacti/lib/functions.php on line 572
[client 217.11.132.214] PHP Notice: Undefined index: failed_polls in /var/www/cacti/lib/functions.php on line 576
[client 217.11.132.214] PHP Notice: Undefined index: hostname in /var/www/cacti/lib/functions.php on line 578
Something like mod_security might be helpful as well.
Dave
Thanks Dave, I'll look into that later. I still have a lot of investigating and testing to do with this.
dex
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos
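
The question in the thread about giving /tmp its own partition and mounting it noexec can be checked with a short audit script. This is an added example, not part of the original messages; the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Audit scratch directories for noexec/nosuid/nodev mount options.
# Input is a file in /proc/mounts format: device mountpoint fstype options dump pass

# Constructed sample (not taken from the thread's server).
sample_mounts() {
cat <<'EOF'
/dev/sda2 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw 0 0
EOF
}

# check_mount MOUNTS_FILE DIR
# Returns 0 if hardened, 1 if options are missing, 2 if DIR is not its own mount.
check_mount() {
    mounts_file=$1
    dir=$2
    # The last entry for a mount point is the one in effect.
    opts=$(awk -v d="$dir" '$2 == d { o = $4 } END { print o }' "$mounts_file")
    if [ -z "$opts" ]; then
        echo "$dir: not a separate mount, so it inherits the parent filesystem's options"
        return 2
    fi
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$dir: missing$missing (current: $opts)"
        return 1
    fi
    echo "$dir: ok ($opts)"
}

# audit_tmp_mounts [MOUNTS_FILE]
# Defaults to the live /proc/mounts; returns the number of directories that failed.
audit_tmp_mounts() {
    mounts_file=${1:-/proc/mounts}
    failed=0
    for dir in /tmp /var/tmp /dev/shm; do
        check_mount "$mounts_file" "$dir" || failed=$((failed + 1))
    done
    return "$failed"
}
```

Note that noexec only blocks direct execution of files on that filesystem; a script written to /tmp can still be run by passing it to an interpreter such as perl or sh, so the mount option is one layer alongside the access restrictions suggested in the thread.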