NagiosXI is VULNERABLE

Posted: Wed Jan 13, 2021 10:57 am
by dslaughter
I had a breach this morning that specifically targeted nagiosxi. I've managed to get some of the source of the command dropped. They got in through apache and setup a crontab to download and run their script. My nagiosxi has been taken offline. Please advise what to do next?

Re: NagiosXI is VULNERABLE

Posted: Wed Jan 13, 2021 11:17 am
by dslaughter
I've captured the source but haven't posted. I thought you would like me to pm since the ip addresses its attacking are in there.

Re: NagiosXI is VULNERABLE

Posted: Wed Jan 13, 2021 11:56 am
by dslaughter
I'm on 5.7.4.

Re: NagiosXI is VULNERABLE

Posted: Wed Jan 13, 2021 3:31 pm
by dchurch
I'd advise you to open a ticket so we can escalate this issue.

You'd save some time getting this resolved if, when you create a ticket, you attach a System Profile zip to the ticket right away. Get one by going to Admin (top menu) => System Profile (in the left menu), then clicking the blue button. If you're unable to generate the profile through the web interface, please try generating it from the command line by running these commands as root:

rm -rf /usr/local/nagiosxi/var/components/profile*
/usr/local/nagiosxi/scripts/components/getprofile.sh SUPPORT

The profile will be output to the /usr/local/nagiosxi/var/components/profile.zip file.

Re: NagiosXI is VULNERABLE

Posted: Mon Jan 18, 2021 8:11 am
by dslaughter
This is fixed in 5.8.0. I've upgraded and should be ok. You can lock this thread.

Re: NagiosXI is VULNERABLE

Posted: Mon Jan 18, 2021 9:25 am
by scottwilkerson
dslaughter wrote: This is fixed in 5.8.0. I've upgraded and should be ok. You can lock this thread.
Locking thread