[PLUG] Questions regarding compromised system

jason justman jason at jasonjustman.com
Fri Jan 19 20:39:33 UTC 2007


NANOG has had a recent discussion about the dangers of Cacti,
referencing this Secunia vulnerability:

http://secunia.com/advisories/23528/

Issue #1 is the worst; the full exploit usually requires a local root
compromise to be truly fruitful (escalation from apache->root).

j

Russell Senior wrote:
> FWIW, we recently had a PTP box exploited, apparently using a
> vulnerability in Cacti.  At least it got hammered DoS'd into
> inoperability.  There are some indications that they were never able
> to complete their exploit, because the script they wanted to download
> at first couldn't get through the captive portal and/or because the
> directory they were trying to copy the script to didn't have
> compatible write permissions.
>
> However, we rebooted the machine before we really figured out for sure
> what they had managed to do.  Because of the uncertainty, we
> reinstalled from scratch, which had the downside (or perverse benefit,
> though that is hard to see at the moment) of having to re-figure out
> how to configure Cacti for what we wanted to do.  We made a copy of
> the compromised system first.
>
> For reasons I don't quite understand, despite a bug being filed about
> the vulnerability and now, subsequently resolved, it never got a
> mention on the Debian Security Advisory, even to this day.