Possible bad xi config flies, restoring nagiosxi defaults

rbuckle · Post by **rbuckle** » Wed Jan 20, 2021 2:43 pm

Good afternoon,

I am currently having issues with npcd not starting and a singular process overwhelming my processor. Is there a way for me to restore all the default xi/nagios/centos configs while keeping the host/service/mrtg configs intact?

rbuckle · Post by **rbuckle** » Wed Jan 20, 2021 2:45 pm

Attached screenshot

rbuckle · Post by **rbuckle** » Wed Jan 20, 2021 3:09 pm

found the issue in the npcd.conf and repaired, just want to know what this avalon process is now

benjaminsmith · Post by **benjaminsmith** » Thu Jan 21, 2021 4:21 pm

Hi @rbuckle,

Unfortunately, that is a piece of malware that has been installed on the server. We have identified the possible exploit as an unauthenticated remote code execution (RCE) vulnerability as the apache user in the Docker config wizard and have filed CVE-2021-3193.
https://www.nagios.com/products/security/

To resolve this, please update all the configuration wizards right away in Nagios xi by going to Admin > System Extensions > Manage Config Wizards select the Check for Updates button and then select Install Updates.

See the following video for more details:
https://support.nagios.com/kb/article/n ... s-836.html

To disinfect this server, please run the following commands:

Code: Select all

You will ALSO then want to run this script as the root user to disinfect the machine:
for (( x = 0; x < 100; ++x)); do
chattr -i /etc/crontab
chattr -i /tmp/avalonsaber
chattr -R -i /var/spool/cron
echo | crontab -
echo | crontab -u nagios -
pkill -9 avalonsaber
pkill -9 lwp-download
pkill -9 curl
pkill -9 wget
rm -rf /tmp/avalonsaber
done

And then remove the following file:

Code: Select all

rm -rf /usr/local/nagvis/share/userfiles/scripts/userfile.php

Let us know if you need assistance with anything else regarding this issue.

Best Regards,
Benjamin

rbuckle · Post by **rbuckle** » Thu Jan 21, 2021 4:45 pm

That is kind of what i figured, I had already removed most of it and saw the improvement to the machine but thank you for the code to clear the rest...

You can lock this topic and thank you

benjaminsmith · Post by **benjaminsmith** » Fri Jan 22, 2021 10:14 am

Hi,

You can lock this topic and thank you

Great. Glad to hear this is resolved for you.

Best Regards,
Benjamin

Nagios Support Forum

Possible bad xi config flies, restoring nagiosxi defaults

Possible bad xi config flies, restoring nagiosxi defaults

Re: Possible bad xi config flies, restoring nagiosxi default

Avalon process?

Re: Possible bad xi config flies, restoring nagiosxi default

Re: Possible bad xi config flies, restoring nagiosxi default

Re: Possible bad xi config flies, restoring nagiosxi default