[CentOS] Suggested way to remotely monitor servers and networks these days?

Thu May 24 01:21:24 UTC 2007
Dexter Ang <thepoch at gmail.com>

On 5/24/07, Big Wave Dave <bigwavedave at gmail.com> wrote:
>
> <snip>
> > The problem is that leaving cacti open was the most stupid thing I've done.
> > After checking /var/log/httpd/error_log, I saw that someone exploited a
> > cacti php file and the result was:
> <snip>
> > which immediately downloaded ShellBOT to /tmp and executed it. It was a good
> > thing I caught this as early as I did. So, what's everyone else's solution
> > these days? Or is it simply a matter of creating a /tmp partition and
> > mounting it noexec?
> <snip>
>
> Using htaccess in addition to the built-in Cacti auth might be
> helpful.  What version of Cacti were you running?


Unfortunately I had to not limit access to Cacti, as I had to connect to it
from different IP addresses. I was running Cacti 0.8.6h from dag.wieers.com.
I couldn't get 0.8.6j to work for some reason, so I had to fall back to
0.8.6h. For reference, here's what error_log had with regards to the
exploited Cacti:

[client 217.11.132.214] PHP Notice:  Undefined index:  1 in
/var/www/cacti/lib/functions.php on line 455
[client 217.11.132.214] PHP Notice:  Undefined index:  total_polls in
/var/www/cacti/lib/functions.php on line 455
[client 217.11.132.214] PHP Notice:  Undefined index:  failed_polls in
/var/www/cacti/lib/functions.php on line 456
[client 217.11.132.214] PHP Notice:  Undefined index:  snmp_community in
/var/www/cacti/lib/functions.php on line 467
[client 217.11.132.214] PHP Notice:  Undefined index:  max_time in
/var/www/cacti/lib/functions.php on line 480
[client 217.11.132.214] PHP Notice:  Undefined index:  min_time in
/var/www/cacti/lib/functions.php on line 484
[client 217.11.132.214] PHP Notice:  Undefined index:  failed_polls in
/var/www/cacti/lib/functions.php on line 488
[client 217.11.132.214] PHP Notice:  Undefined index:  avg_time in
/var/www/cacti/lib/functions.php on line 489
[client 217.11.132.214] PHP Notice:  Undefined index:  failed_polls in
/var/www/cacti/lib/functions.php on line 489
[client 217.11.132.214] PHP Notice:  Undefined index:  status in
/var/www/cacti/lib/functions.php on line 492
[client 217.11.132.214] PHP Notice:  Undefined index:  status in
/var/www/cacti/lib/functions.php on line 492
[client 217.11.132.214] PHP Notice:  Undefined index:  status_fail_date in
/var/www/cacti/lib/functions.php on line 568
[client 217.11.132.214] PHP Notice:  Undefined index:  status_rec_date in
/var/www/cacti/lib/functions.php on line 569
[client 217.11.132.214] PHP Notice:  Undefined index:  status_last_error in
/var/www/cacti/lib/functions.php on line 570
[client 217.11.132.214] PHP Notice:  Undefined index:  min_time in
/var/www/cacti/lib/functions.php on line 571
[client 217.11.132.214] PHP Notice:  Undefined index:  max_time in
/var/www/cacti/lib/functions.php on line 572
[client 217.11.132.214] PHP Notice:  Undefined index:  failed_polls in
/var/www/cacti/lib/functions.php on line 576
[client 217.11.132.214] PHP Notice:  Undefined index:  hostname in
/var/www/cacti/lib/functions.php on line 578


> Something like mod_security might be helpful as well.
>
> Dave


Thanks Dave, I'll look into that later. I still have a lot of investigating
and testing to do with this.

dex
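
Added example (not part of the original message, and not Cacti's or Apache's own code): one way to flag the pattern visible in the error_log excerpt above, a single client raising many "Undefined index" notices in one script. The threshold of 5, the function names and the sample entries are assumptions constructed for illustration; entries that a mail client has wrapped across lines are rejoined first.

```python
import re
from collections import defaultdict

# Matches the PHP notice entries quoted in the post. search() is used so a
# leading "[date] [error]" prefix, if present, is tolerated.
ENTRY = re.compile(
    r"\[client (?P<client>[0-9A-Fa-f.:]+)\] PHP Notice:\s+Undefined index:\s+"
    r"(?P<index>\S+) in (?P<script>\S+) on line \d+"
)

def unwrap(lines):
    """Rejoin entries that a mail client wrapped: a line that does not start
    with '[' continues the previous entry."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def notice_bursts(lines, threshold=5):
    """Map (client, script) -> sorted distinct undefined indexes, for every
    client that raised at least `threshold` notices in one script."""
    seen = defaultdict(list)
    for entry in unwrap(lines):
        m = ENTRY.search(entry)
        if m:
            seen[(m["client"], m["script"])].append(m["index"])
    return {k: sorted(set(v)) for k, v in seen.items() if len(v) >= threshold}

# Constructed sample (documentation addresses, made-up line numbers).
SCRIPT = "/var/www/cacti/lib/functions.php"
NAMES = ["total_polls", "failed_polls", "snmp_community", "max_time", "min_time", "failed_polls"]
SAMPLE = []
for i, name in enumerate(NAMES):
    SAMPLE += [f"[client 203.0.113.7] PHP Notice:  Undefined index:  {name} in", f"{SCRIPT} on line {455 + i}"]
SAMPLE += ["[client 198.51.100.20] PHP Notice:  Undefined index:  status in", f"{SCRIPT} on line 492",
           "[client 198.51.100.20] File does not exist: /var/www/html/favicon.ico"]

if __name__ == "__main__":
    for (client, script), names in notice_bursts(SAMPLE).items():
        print(f"{client} {script}: {len(names)} distinct undefined indexes: {', '.join(names)}")
```

A hit is a prompt to review the matching access_log requests for that client, not proof of compromise on its own.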