[cPanel-News] cPanel News Update 1/25/2008

Eric Gregory eric at cpanel.net
Fri Jan 25 15:31:09 CST 2008


cPanel announced today that its security team has identified several 
key components of a hack known as the Random JavaScript Toolkit. The 
systems affected by this hack appear to be Linux®-based and are running 
a number of different hosting platforms. While this compromise is not 
believed to be specific to systems running cPanel® software, cPanel has 
worked with a number of hosting providers and server owners to 
investigate this compromise.

The cPanel Security Team has recognized that the vast majority of 
affected systems are initially accessed using SSH with no indications of 
brute force or exploitation of the underlying service. Despite 
non-trivial passwords, intermediary users and nonstandard ports, the 
attacker is able to gain access to the affected servers with no password 
failures. The cPanel security team also recognized that a majority of 
the affected servers come from a single undisclosed data center. All 
affected systems have password-based authentication enabled. Based upon 
these findings, the cPanel security team believes that the attacker has 
gained access to a database of root login credentials for a large group 
of Linux servers. Once an attacker manually gains access to a system, 
they can then perform various tasks. The hacker can download, compile, 
and execute a log cleaning script in order to hide their tracks. They 
can also download a customized root-kit based on Boxer version 0.99 
beta 3. Finally, the attacker searches for files containing credit card 
related phrases such as cvc, cvv, and authorize.

The actual root-kit has been the subject of much speculation. The cPanel 
security team asserts that the Boxer variant includes a small web server, 
which is how the JavaScript is distributed to unsuspecting users of any 
website on the server. It is believed that the JavaScript include is 
injected into the HTML code after Apache® has served the file but before 
it has traveled through the TCP transport back to the user of the 
website. The web server is not loaded onto the hard drive directly but 
loaded directly into memory from the infected Boxer binaries. More 
information about the infected binaries can be found at: 
http://www.cpanel.net/security/notes/random_js_toolkit.html.

The JavaScript being loaded by this web server directs users to 
another server that scans the website user's browser for a number of 
known vulnerabilities. These vulnerabilities are then used to add the 
website user to a botnet. More information about the JavaScript hacks 
can be found at: 
http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3.

Cleaning the Random JavaScript Toolkit requires the server to be booted 
into single user mode and the removal of all infected binaries. More 
details on how to do this can be found at: 
http://www.cpanel.net/security/notes/random_js_toolkit.html.

Because the cPanel security team believes that the hacker has access to 
the database of login credentials, the only way to prevent being hacked 
again is to change the password and not release it to anyone. The 
preferred method, however, is to move to SSH keys and remove password 
authentication altogether.
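As an added illustration of that last recommendation (example code, not 
cPanel's own), the following POSIX shell function audits an OpenSSH 
sshd_config the way sshd itself reads it and contrasts a constructed 
weak config with the hardened one; sshd_effective and audit_sshd_config 
are names chosen here.

```shell
#!/bin/sh
# Added example (not cPanel's code): audit an OpenSSH sshd_config for the
# settings the advisory recommends: key-based auth on, password auth off.
# sshd honours the FIRST occurrence of a keyword (case-insensitive) and
# falls back to its defaults (both keywords default to "yes"). Match
# blocks are not evaluated here, so check those by hand.

# Print the effective value of a keyword: first match wins, else the default.
sshd_effective() {
    _file=$1; _key=$2; _default=$3
    _val=$(awk -v k="$_key" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$_file")
    printf '%s\n' "${_val:-$_default}"
}

# Return 0 when password auth is off and public-key auth is on, else 1.
audit_sshd_config() {
    _cfg=$1; _rc=0
    if [ "$(sshd_effective "$_cfg" PasswordAuthentication yes)" != no ]; then
        echo "FAIL: PasswordAuthentication is effectively yes in $_cfg"; _rc=1
    fi
    if [ "$(sshd_effective "$_cfg" PubkeyAuthentication yes)" != yes ]; then
        echo "FAIL: PubkeyAuthentication is disabled in $_cfg"; _rc=1
    fi
    return $_rc
}

# Constructed sample of a weak config: the trailing "no" never takes effect,
# because the earlier "yes" is the line sshd actually uses.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 2222
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF

# Constructed sample of the hardened config the advisory recommends.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
EOF

audit_sshd_config "$WEAK_CFG" || echo "weak config rejected, as expected"
audit_sshd_config "$HARD_CFG" && echo "hardened config passes"
```

Keyboard-interactive logins (ChallengeResponseAuthentication) can still 
accept passwords through PAM, so set that keyword to no as well when 
removing password authentication.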

Other Press

This compromise has been in the media lately and discussions can be 
found at the following locations:

http://www.pcworld.com/article/id,141358-c,techindustrytrends/article.html
http://it.slashdot.org/it/08/01/25/148244.shtml



More information about the News mailing list