Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[security-alerts] FYI:Components of Random JavaScript Toolkit Identified
http://blog.cpanel.net/?p=31
Components of Random JavaScript Toolkit Identified
January 25th, 2008
cPanel announced today that it?s security team has identified several key
components of a hack known as the Random JavaScript Toolkit. The systems
affected by this hack appear to be Linux? based and are running a number of
different hosting platforms. While this compromise is not believed to be
specific to systems running cPanel? software, cPanel has worked with a number
of hosting providers and server owners to investigate this compromise.
The cPanel Security Team has recognized that the vast majority of affected
systems are initially accessed using SSH with no indications of brute force or
exploitation of the underlying service. Despite non-trivial passwords,
intermediary users and nonstandard ports, the attacker is able to gain access
to the affected servers with no password failures. The cPanel security team
also recognized that a majority of the affected servers come from a single
undisclosed data-center. All affected systems have passwordbased authentication
enabled. Based upon these findings, the cPanel security team believes that the
attacker has gained access to a database of root login credentials for a large
group of Linux servers. Once an attacker manually gains access to a system they
can then perform various tasks. The hacker can download, compile, and execute a
log cleaning script in order to hide their tracks. They also can download a
customized root-kit based off of Boxer version 0.99 beta 3. Finally, the
attacker searches for files containing credit card related phrases such as cvc,
cvv, and authorize.
The actual root-kit has been the subject of much speculation. The cPanel
security team asserts that the Boxer variant includes a small web-server which
is how the Javascript is distributed to unsuspecting users of any website on
the server. It is believed that the Javascript include is injected into the
HTML code after Apache? has served the file but before it has traveled through
the TCP transport back to the user of the website. The web-server is not loaded
onto the hard drive directly but loaded directly into memory from the infected
Boxer binaries. More information about the infected binaries can be found at:
http://www.cpanel.net/security/notes/random_js_toolkit.html.
The JavaScript being loaded by this web-server is directing users to another
server that scans the website user for a number of known vulnerabilities. These
vulnerabilities are then used to add the website user to a bot net. More
information about the JavaScript hacks can be found at:
http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3.
Cleaning the Random JavaScript Toolkit requires the server to be booted into
single user mode and the removal of all infected binaries. More details on how
to do this can be found at:
http://www.cpanel.net/security/notes/random_js_toolkit.html. The cPanel
security team believes that the hacker has access to the database of login
credentials, the only way to prevent being hacked again is changing the
password and not releasing it to
anyone. The preferred method however is to move to SSH Keys and remove password
authentication altogether.
This compromise has been in the media lately and discussions can be found at
the following locations:
http://www.pcworld.com/article/id,141358-c,techindustrytrends/article.html
http://it.slashdot.org/it/08/01/25/148244.shtml
|
