On 5/24/07, Big Wave Dave <bigwavedave at gmail.com> wrote:
>
> <snip>
> > The problem is that leaving cacti open was the most stupid thing I've done.
> > After checking /var/log/httpd/error_log, I saw that someone exploited a
> > cacti php file and the result was:
> <snip>
> > which immediately downloaded ShellBOT to /tmp and executed it. It was a good
> > thing I caught this as early as I did. So, what's everyone else's solution
> > these days? Or is it simply a matter of creating a /tmp partition and
> > mounting it noexec?
> <snip>
>
> Using htaccess in addition to the built-in Cacti auth might be
> helpful. What version of Cacti were you running?

Unfortunately I had to not limit access to Cacti, as I had to connect to it from different IP addresses.

I was running Cacti 0.8.6h from dag.wieers.com. I couldn't get 0.8.6j to work for some reason, so I had to fall back to 0.8.6h.

For reference, here's what error_log had with regards to the exploited Cacti:

[client 217.11.132.214] PHP Notice: Undefined index: 1 in /var/www/cacti/lib/functions.php on line 455
[client 217.11.132.214] PHP Notice: Undefined index: total_polls in /var/www/cacti/lib/functions.php on line 455
[client 217.11.132.214] PHP Notice: Undefined index: failed_polls in /var/www/cacti/lib/functions.php on line 456
[client 217.11.132.214] PHP Notice: Undefined index: snmp_community in /var/www/cacti/lib/functions.php on line 467
[client 217.11.132.214] PHP Notice: Undefined index: max_time in /var/www/cacti/lib/functions.php on line 480
[client 217.11.132.214] PHP Notice: Undefined index: min_time in /var/www/cacti/lib/functions.php on line 484
[client 217.11.132.214] PHP Notice: Undefined index: failed_polls in /var/www/cacti/lib/functions.php on line 488
[client 217.11.132.214] PHP Notice: Undefined index: avg_time in /var/www/cacti/lib/functions.php on line 489
[client 217.11.132.214] PHP Notice: Undefined index: failed_polls in /var/www/cacti/lib/functions.php on line 489
[client 217.11.132.214] PHP Notice: Undefined index: status in /var/www/cacti/lib/functions.php on line 492
[client 217.11.132.214] PHP Notice: Undefined index: status in /var/www/cacti/lib/functions.php on line 492
[client 217.11.132.214] PHP Notice: Undefined index: status_fail_date in /var/www/cacti/lib/functions.php on line 568
[client 217.11.132.214] PHP Notice: Undefined index: status_rec_date in /var/www/cacti/lib/functions.php on line 569
[client 217.11.132.214] PHP Notice: Undefined index: status_last_error in /var/www/cacti/lib/functions.php on line 570
[client 217.11.132.214] PHP Notice: Undefined index: min_time in /var/www/cacti/lib/functions.php on line 571
[client 217.11.132.214] PHP Notice: Undefined index: max_time in /var/www/cacti/lib/functions.php on line 572
[client 217.11.132.214] PHP Notice: Undefined index: failed_polls in /var/www/cacti/lib/functions.php on line 576
[client 217.11.132.214] PHP Notice: Undefined index: hostname in /var/www/cacti/lib/functions.php on line 578

> Something like mod_security might be helpful as well.
>
> Dave

Thanks Dave, I'll look into that later. I still have a lot of investigating and testing to do with this.

dex
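
A triage sketch for error_log entries like the ones quoted in the message above, added here as an example and not part of the original thread: it groups "Undefined index" notices by client and script and flags pairs where one client trips many different missing keys in the same file. The threshold of 5 and the two 192.0.2.10 lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Entry shape taken from the error_log excerpt in the message. search() is
# used so an Apache timestamp/"[error]" prefix before "[client ...]" is fine.
NOTICE_RE = re.compile(
    r"\[client (?P<ip>[0-9A-Fa-f.:]+)\] PHP Notice:\s+Undefined index:\s+"
    r"(?P<index>\S+) in (?P<file>\S+) on line (?P<line>\d+)"
)

# First seven entries from the message, plus two constructed lines
# (192.0.2.10 is a documentation address) standing in for ordinary noise.
SAMPLE = """\
[client 217.11.132.214] PHP Notice: Undefined index: 1 in /var/www/cacti/lib/functions.php on line 455
[client 217.11.132.214] PHP Notice: Undefined index: total_polls in /var/www/cacti/lib/functions.php on line 455
[client 217.11.132.214] PHP Notice: Undefined index: failed_polls in /var/www/cacti/lib/functions.php on line 456
[client 217.11.132.214] PHP Notice: Undefined index: snmp_community in /var/www/cacti/lib/functions.php on line 467
[client 217.11.132.214] PHP Notice: Undefined index: max_time in /var/www/cacti/lib/functions.php on line 480
[client 217.11.132.214] PHP Notice: Undefined index: min_time in /var/www/cacti/lib/functions.php on line 484
[client 217.11.132.214] PHP Notice: Undefined index: failed_polls in /var/www/cacti/lib/functions.php on line 488
[Thu May 24 09:12:01 2007] [error] [client 192.0.2.10] PHP Notice: Undefined index: page in /var/www/html/index.php on line 12
[Thu May 24 09:12:05 2007] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
""".splitlines()


def summarize(lines):
    """Group 'Undefined index' notices by (client, script)."""
    stats = defaultdict(lambda: {"count": 0, "indexes": set()})
    for raw in lines:
        m = NOTICE_RE.search(raw)
        if m:
            entry = stats[(m["ip"], m["file"])]
            entry["count"] += 1
            entry["indexes"].add(m["index"])
    return dict(stats)


def suspicious(stats, min_distinct=5):
    """Return (client, script) pairs with at least min_distinct different
    missing indexes; min_distinct is an assumed, tunable threshold."""
    return sorted(k for k, v in stats.items() if len(v["indexes"]) >= min_distinct)


if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for ip, path in suspicious(stats):
        s = stats[(ip, path)]
        print(f"{ip} {path}: {s['count']} notices, {len(s['indexes'])} distinct indexes")
```

A flagged pair is a lead for closer review of that client's requests in access_log, not proof of compromise on its own.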