NagiosXI is VULNERABLE

dslaughter · Post by **dslaughter** » Wed Jan 13, 2021 10:57 am

I had a breach this morning that specifically targeted nagiosxi. I've managed to get some of the source of the command dropped. They got in through apache and setup a crontab to download and run their script. My nagiosxi has been taken offline. Please advise what to do next?

dslaughter · Post by **dslaughter** » Wed Jan 13, 2021 11:17 am

I've captured the source but haven't posted. I thought you would like me to pm since the ip addresses its attacking are in there.

dslaughter · Post by **dslaughter** » Wed Jan 13, 2021 11:56 am

I'm on 5.7.4.

dchurch · Post by **dchurch** » Wed Jan 13, 2021 3:31 pm

I'd advise you to open a ticket so we can escalate this issue.

You'd save some time getting this resolved if, when you create a ticket, you attach a System Profile zip to the ticket right away. Get one by going to Admin (top menu) => System Profile (in the left menu), then clicking the blue button. If you're unable to generate the the profile through the web interface, please try generating it from the command line by running these commands as root:

Code: Select all

rm -rf /usr/local/nagiosxi/var/components/profile*
/usr/local/nagiosxi/scripts/components/getprofile.sh SUPPORT

The profile we be output to the /usr/local/nagiosxi/var/components/profile.zip file.

dslaughter · Post by **dslaughter** » Mon Jan 18, 2021 8:11 am

This is fixed in 5.8.0. I've upgraded and should be ok. You can lock this thread.

scottwilkerson · Post by **scottwilkerson** » Mon Jan 18, 2021 9:25 am

dslaughter wrote:This is fixed in 5.8.0. I've upgraded and should be ok. You can lock this thread.

Locking thread

Nagios Support Forum

NagiosXI is VULNERABLE

NagiosXI is VULNERABLE

Re: NagiosXI is VULNERABLE

Re: NagiosXI is VULNERABLE

Re: NagiosXI is VULNERABLE

Re: NagiosXI is VULNERABLE

Re: NagiosXI is VULNERABLE