On Thu, 24 May 2007, Dexter Ang wrote: > Hi folks, > > I'm just wondering what is the recommended way of monitoring servers and > networks remotely. My current setup is to install and configure cacti and > nagios. I've set these up to require SSL. This way, I can easily go to them > and login from wherever I am and monitor (almost) everything I need to > monitor. You might want to look at hobbit. http://sourceforge.net/projects/hobbitmon/ I find it much easier to manage than nagios. Besides the UI looks nicer. :-) > > The problem is that leaving cacti open was the most stupid thing I've done. > After checking /var/log/httpd/error_log, I saw that someone exploited a > cacti php file and the result was: > > --08:13:11-- http://psaico.host.sk/desk.pl > => `/tmp/desk.pl' > Resolving psaico.host.sk... 62.168.109.150 > Connecting to psaico.host.sk|62.168.109.150|:80... connected. > HTTP request sent, awaiting response... 200 OK > Length: 20,144 (20K) [text/x-perl] > > 0K .......... ......... 100% 28.26KB/s > > 08:13:13 (28.26 KB/s) - `/tmp/desk.pl' saved [20144/20144] > > which immediately downloaded ShellBOT to /tmp and executed it. It was a good > thing I caught this as early as I did. So, what's everyone elses solution > these days? Or is it simply a matter of creating a /tmp partition and > mounting it noexec? > > On a side note... anyone with experience with ShellBOT? From research, it > seems to attempt to connect to an IRC server upon running. So if my outgoing > connections are secured by iptables, can I assume it never got connected at > all? I'll probably try this out someday but just looking for a quick > experienced answer. It does not matter if they connected or not. The bottom line the machine was hacked and someting got installed that does not belong there. There is no way at this point to be sure that they did not install something else or modify binaries to hide their tracks. So now the only to be sure there is not something in that machine is to reload it. Anything less and you will never know for sure. Regards, -- Tom Diehl tdiehl at rogueind.com Spamtrap address mtd123 at rogueind.com