<snip>
The problem is that leaving Cacti open was the most stupid thing I've done. After checking /var/log/httpd/error_log, I saw that someone exploited a Cacti PHP file and the result was:
<snip>
which immediately downloaded ShellBOT to /tmp and executed it. It was a good thing I caught this as early as I did. So, what's everyone else's solution these days? Or is it simply a matter of creating a /tmp partition and mounting it noexec?
<snip>
Using htaccess in addition to the built-in Cacti auth might be helpful. What version of Cacti were you running? Something like mod_security might be helpful as well.
Dave
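
For the noexec question raised in this thread, a check of whether /tmp and the other world-writable staging directories are actually mounted noexec,nosuid,nodev. This is an added example, not part of any poster's message; the function names, the inclusion of /var/tmp and /dev/shm, and the sample mount table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: which writable staging directories lack noexec/nosuid/nodev?
# Input is a file in /proc/mounts format, so it also runs on constructed data.

# Options of the filesystem that governs PATH: the longest mount point that is
# a prefix of PATH (a /tmp that is not its own partition inherits from "/").
mount_opts_for() (
    awk -v p="$2" '
        { mp = $2
          if (mp == p || mp == "/" || index(p, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); opts = $4 } }
        END { print opts }' "$1"
)

# Required options missing for PATH, space-separated; empty means hardened.
missing_opts() (
    opts=",$(mount_opts_for "$1" "$2"),"
    missing=""
    for want in noexec nosuid nodev; do
        case $opts in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
)

# Report on each directory; exit status is non-zero if any needs attention.
check_tmp_mounts() (
    rc=0
    for dir in /tmp /var/tmp /dev/shm; do
        miss=$(missing_opts "${1:-/proc/mounts}" "$dir")
        if [ -n "$miss" ]; then echo "WARN $dir missing: $miss"; rc=1
        else echo "OK   $dir"; fi
    done
    [ "$rc" -eq 0 ]
)

# Constructed sample (not from the thread): only /tmp is a hardened partition.
sample_mounts() {
    printf '%s\n' '/dev/sda1 / ext4 rw,relatime 0 0' \
        'tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0' \
        '/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0'
}

demo=$(mktemp); sample_mounts > "$demo"
check_tmp_mounts "$demo" || true   # on a real host: check_tmp_mounts /proc/mounts
rm -f "$demo"
```

noexec only blocks direct execution of files on that mount; a script handed to an interpreter is still read and run, so it is one layer alongside the htaccess and mod_security suggestions rather than a replacement for them.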