[cPanel-News] cPanel News Update 1/25/2008
Eric Gregory
eric at cpanel.net
Fri Jan 25 15:31:09 CST 2008
cPanel announced today that it’s security team has identified several
key components of a hack known as the Random JavaScript Toolkit. The
systems affected by this hack appear to be Linux® based and are running
a number of different hosting platforms. While this compromise is not
believed to be specific to systems running cPanel® software, cPanel has
worked with a number of hosting providers and server owners to
investigate this compromise.
The cPanel Security Team has recognized that the vast majority of
affected systems are initially accessed using SSH with no indications of
brute force or exploitation of the underlying service. Despite
non-trivial passwords, intermediary users and nonstandard ports, the
attacker is able to gain access to the affected servers with no password
failures. The cPanel security team also recognized that a majority of
the affected servers come from a single undisclosed data-center. All
affected systems have passwordbased authentication enabled. Based upon
these findings, the cPanel security team believes that the attacker has
gained access to a database of root login credentials for a large group
of Linux servers. Once an attacker manually gains access to a system
they can then perform various tasks. The hacker can download, compile,
and execute a log cleaning script in order to hide their tracks. They
also can download a customized root-kit based off of Boxer version 0.99
beta 3. Finally, the attacker searches for files containing credit card
related phrases such as cvc, cvv, and authorize.
The actual root-kit has been the subject of much speculation. The cPanel
security team asserts that the Boxer variant includes a small web-server
which is how the Javascript is distributed to unsuspecting users of any
website on the server. It is believed that the Javascript include is
injected into the HTML code after Apache® has served the file but before
it has traveled through the TCP transport back to the user of the
website. The web-server is not loaded onto the hard drive directly but
loaded directly into memory from the infected Boxer binaries. More
information about the infected binaries can be found at:
http://www.cpanel.net/security/notes/random_js_toolkit.html.
The JavaScript being loaded by this web-server is directing users to
another server that scans the website user for a number of known
vulnerabilities. These vulnerabilities are then used to add the website
user to a bot net. More information about the JavaScript hacks can be
found at:
http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3.
Cleaning the Random JavaScript Toolkit requires the server to be booted
into single user mode and the removal of all infected binaries. More
details on how to do this can be found at:
http://www.cpanel.net/security/notes/random_js_toolkit.html.
The cPanel security team believes that the hacker has access to the
database of login credentials, the only way to prevent being hacked
again is changing the password and not releasing it to anyone. The
preferred method however is to move to SSH Keys and remove password
authentication altogether.
Other Press
This compromise has been in the media lately and discussions can be
found at
the following locations:
http://www.pcworld.com/article/id,141358-c,techindustrytrends/article.html
http://it.slashdot.org/it/08/01/25/148244.shtml
More information about the News
mailing list