Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FYI:Components of Random JavaScript Toolkit Identified



http://blog.cpanel.net/?p=31
Components of Random JavaScript Toolkit Identified
January 25th, 2008

cPanel announced today that its security team has identified several key 
components of a hack known as the Random JavaScript Toolkit. The systems 
affected by this hack appear to be Linux-based and are running a number of 
different hosting platforms. While this compromise is not believed to be 
specific to systems running cPanel software, cPanel has worked with a number 
of hosting providers and server owners to investigate this compromise.

The cPanel Security Team has recognized that the vast majority of affected 
systems are initially accessed using SSH with no indications of brute force or 
exploitation of the underlying service. Despite non-trivial passwords, 
intermediary users and nonstandard ports, the attacker is able to gain access 
to the affected servers with no password failures. The cPanel security team 
also recognized that a majority of the affected servers come from a single 
undisclosed data center. All affected systems have password-based 
authentication enabled. Based upon these findings, the cPanel security team 
believes that the attacker has gained access to a database of root login 
credentials for a large group of Linux servers. Once an attacker manually gains 
access to a system, they can then perform various tasks. The hacker can 
download, compile, and execute a log-cleaning script in order to hide their 
tracks. They can also download a customized rootkit based on Boxer version 
0.99 beta 3. Finally, the attacker searches for files containing credit card 
related phrases such as cvc, cvv, and authorize.

The actual rootkit has been the subject of much speculation. The cPanel 
security team asserts that the Boxer variant includes a small web server, 
which is how the JavaScript is distributed to unsuspecting users of any 
website on the server. It is believed that the JavaScript include is injected 
into the HTML code after Apache has served the file but before it has traveled 
through the TCP transport back to the user of the website. The web server is 
not loaded onto the hard drive directly but loaded directly into memory from 
the infected Boxer binaries. More information about the infected binaries can 
be found at: http://www.cpanel.net/security/notes/random_js_toolkit.html.

The JavaScript being loaded by this web server directs users to another 
server that scans the website user for a number of known vulnerabilities. 
These vulnerabilities are then used to add the website user to a botnet. More 
information about the JavaScript hacks can be found at: 
http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3.
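Because the toolkit altered pages between Apache and the wire, one defensive check is to compare a document as it sits on disk with what the local web server actually returns for it and flag any script element that appears only in the served copy. The snippet below is an added example, not code from the cPanel post or its tooling; the file path, URL and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from pathlib import Path
from urllib.request import urlopen


class ScriptCollector(HTMLParser):
    """Record each <script>: its src URL, or its inline body when there is no src."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            self.scripts.append(("src", src) if src else ("inline", ""))
            self.in_inline = src is None

    def handle_data(self, data):
        if self.in_inline:  # accumulate the body of an inline script
            kind, body = self.scripts[-1]
            self.scripts[-1] = (kind, body + data.strip())

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self.in_inline = False


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    return parser.scripts


def injected_scripts(on_disk_html, served_html):
    """Scripts present in the served copy but absent from the file on disk."""
    expected = collect_scripts(on_disk_html)
    return [s for s in collect_scripts(served_html) if s not in expected]


def check_document(path, url):
    """Compare a real file with what the local web server returns for it
    (path and url are supplied by the operator; nothing is hard-coded)."""
    disk = Path(path).read_text(encoding="utf-8", errors="replace")
    served = urlopen(url, timeout=10).read().decode("utf-8", "replace")
    return injected_scripts(disk, served)


# Constructed sample: the served copy carries an include the file lacks.
DISK = "<html><head><script src='/js/site.js'></script></head><body>hi</body></html>"
WIRE = DISK.replace("</body>", "<script src='http://evil.invalid/x.js'></script></body>")
```

Run `check_document` against a few static pages on the suspect host from the host itself; an include that never appears in the on-disk file is the signature this advisory describes.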
Cleaning the Random JavaScript Toolkit requires the server to be booted into 
single-user mode and the removal of all infected binaries. More details on how 
to do this can be found at: 
http://www.cpanel.net/security/notes/random_js_toolkit.html. Because the 
cPanel security team believes that the hacker has access to the database of 
login credentials, the only way to prevent being hacked again is changing the 
password and not releasing it to anyone. The preferred method, however, is to 
move to SSH keys and remove password authentication altogether.

This compromise has been in the media lately and discussions can be found at 
the following locations:
http://www.pcworld.com/article/id,141358-c,techindustrytrends/article.html
http://it.slashdot.org/it/08/01/25/148244.shtml


Copyright © Lexa Software, 1996-2009.