Cacti remote exploit



There appears to be an exploit in the wild which is automating the Cacti Command execution and SQL Injection Vulnerability [see Secunia alert 23528]. Via this exploit, any server running an older version of Cacti from before December 28th.

Of course it’s always best to keep your software up to date. Other tricks to keep your system secure:

  • Do not use default directories. Instead of /cacti/, use /somethingcacti/. This will foil any scripts which find based on server IP and default location (scripts can still find via a search engine search).
  • Run apache using mod_security – this will try to catch SQL injection and remote command execution
  • Mount your temporary directory (usually /tmp) with NOEXEC flag. This will prevent any script kiddies who are able to exploit a vulnerability from running other programs from the /tmp directory that PHP usually dumps things to.

Let me know if you have any other tips like these!