Latest findings about the Random JavaScript Rootkit

February 04th, 2008

The cPanel Security team announced today that they have identified several key components of a hack known as the Random JavaScript Rootkit. The systems affected by this Rootkit are Linux based, running a number of different hosting platforms. cPanel has worked with a number of hosting providers and server owners to investigate this Rootkit.

The cPanel Security Team has recognized that the vast majority of affected systems are initially accessed via shell (SSH) with no indications of brute force or exploitation of the underlying service. Despite non-trivial passwords, intermediary users and nonstandard ports, the attacker is able to gain access to the affected servers with no password failures. The cPanel security team also recognized that the vast majority of affected servers come from a single undisclosed data-center. All affected systems have password based authentication enabled. Based upon these findings, the cPanel security team believes that the attacker has gained access to a database of root login credentials for a large group of Linux servers.

Once the hacker manually gains access to a system, they can then perform various tasks. The hacker can download, compile, and execute a log cleaning script in order to hide their tracks. They also can download a customized Rootkit based off of Boxer version 0.99 beta 3. Finally, the hacker searches for files containing credit card related phrases such as CVC, CVV, and/or Authorize.

The cPanel Security team believes that the JavaScript include is injected into the HTML code after Apache has served the file(s), but before it has traveled through the TCP transport back to the user of the Web site. The web server is not loaded onto the hard drive directly, but loaded directly into memory from the infected Rootkit "Boxer" binary package(s). Click here for more information about the infected binary packages.

The JavaScript being loaded by the infected Web server redirects users to another server that scans the Web site user for a number of known vulnerabilities. These vulnerabilities are then used to add the Web site user to a Bot net. More information about the JavaScript hacks can be found at: http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3. Click here and follow the HowTo instructions to clean and disinfect your server from the Random JavaScript Rootkit.

Because the cPanel security team believes that the hacker has access to the database of login credentials, the only way to prevent being hacked again is changing the password and not releasing it to anyone. The preferred method, however, is to use SSH Keys and remove password authentication. PC World Magazine has published an article about this Random JS Rootkit at: http://www.pcworld.com/article/id,141358-c,techindustrytrends/article.html
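Because the article says the script include is added after Apache reads the file from disk, a clean file on disk next to a served copy that carries an extra script tag is the symptom an administrator can check for. The following shell check is an added example, not code from cPanel or the original article; the page content and the script hostname in it are constructed placeholders.

```shell
#!/bin/sh
# Added example: compare the HTML Apache serves with the file on disk.
# A <script> present only in the served copy points at tampering that
# happens after the file is read, which is what the article describes.

# detect_injected_script DISK_FILE SERVED_FILE
# Prints every line present in the served copy but absent on disk.
# Returns 1 when such lines exist, 0 when the two copies match.
detect_injected_script() {
    disk="$1"
    served="$2"
    # diff marks lines that exist only in the second file with "> "
    extra=$(diff "$disk" "$served" | sed -n 's/^> //p')
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra"
        return 1
    fi
    return 0
}

# Constructed sample input standing in for a real fetch. On a live host the
# served copy would come from the loopback interface, for example:
#   curl -s http://127.0.0.1/index.html > /tmp/served.html
DISK_COPY=$(mktemp)
SERVED_COPY=$(mktemp)
cat > "$DISK_COPY" <<'EOF'
<html>
<head><title>Example shop</title></head>
<body><p>Welcome</p></body>
</html>
EOF
# Same page with a constructed script include appended (placeholder host).
cat > "$SERVED_COPY" <<'EOF'
<html>
<head><title>Example shop</title></head>
<body><p>Welcome</p></body>
</html>
<script src="http://injected.example/x.js"></script>
EOF

if extra_lines=$(detect_injected_script "$DISK_COPY" "$SERVED_COPY"); then
    echo "served copy matches disk: no injection seen"
else
    echo "served copy carries content not on disk:"
    printf '%s\n' "$extra_lines"
fi
```

Run the check against several served pages, because the name "Random" refers to the include being added to responses unpredictably rather than to every one.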

