Hi Darrell,
> The cPanel security team believes that the hacker has access to the
> database of login credentials, the only way to prevent being hacked again
> is changing the password and not releasing it to anyone. The preferred
> method however is to move to SSH Keys and remove password authentication
> altogether.
The servers that are spreading the vulnerabilities got hacked because the
attacker(s) had the SSH 'root' login details for those boxes to begin with.
Where they got them from is currently under speculation.
If someone got 'root' access to a BlueQuartz box, he certainly could install
such a rootkit as well. But that doesn't make CentOS + BlueQuartz more
vulnerable or less vulnerable than any other Linux hosting platform.
After all: Once someone ill-spirited has 'root' access to a server all bets
are off anyway.
"The Register" also has a story on this recent outbreak:
http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/
This rootkit is (from a purely technical point of view) quite interesting. It
has been a while since something so sophisticated has been on a rampage,
although similar technical approaches have already been used a few years ago.
To a certain degree monolithic kernels or usage of LCAP can apparently
prevent the worst from happening, but the rather general advice that's quoted
above is the best practice anyway: Disable SSH if you don't need it. Or
restrict access to it with a firewall to allow only access from certain
trusted IPs. Or switch SSH to key based authentication. And of course: If you
use password based authentication for SSH, safeguard your password, use a
strong one, change it periodically and certainly don't share it.
--
With best regards,
Michael Stauber
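As an added example (not part of Michael's post), a small POSIX shell audit that checks whether an sshd_config actually follows the advice above, i.e. password authentication off and no password-based root login. The sample config files are constructed here, not taken from any real server; the function names are this example's own.

```sh
#!/bin/sh
# Audit an sshd_config for the two settings the advice above cares about.
# Two sshd parsing rules matter and are easy to get wrong by eyeballing:
#  - the FIRST effective setting of a keyword wins, later duplicates are ignored;
#  - settings after a "Match" line apply only to that match, not globally.
# Keywords are case-insensitive and may be written "Key value" or "Key=value".

# Print the effective global value of keyword $2 in file $1, or default $3 if unset.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }                  # skip comments and blanks
        { sub(/[ \t]*=[ \t]*/, " "); $0 = $0; k = tolower($1) }
        k == "match" { exit }                           # conditional block: stop
        k == key { print tolower($2); found = 1; exit } # first occurrence wins
        END { if (!found) print def }
    ' "$1"
}

# Return 0 when password authentication is off and root cannot log in by
# password. Unset keywords are judged by the historical default "yes" (OpenSSH
# 7.0+ defaults PermitRootLogin to prohibit-password, but assuming the weak
# default is the conservative choice for an audit).
audit_sshd_config() {
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    root=$(sshd_effective "$1" PermitRootLogin yes)
    rc=0
    [ "$pw" = "no" ] || { echo "WEAK: PasswordAuthentication is '$pw'"; rc=1; }
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "WEAK: PermitRootLogin is '$root'"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs (not from any real server) that exercise both rules.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
printf '%s\n' '# duplicate keyword: the first "yes" is what sshd uses' \
    'PermitRootLogin yes' 'PasswordAuthentication yes' \
    'PasswordAuthentication no' > "$WEAK_CFG"
printf '%s\n' 'PermitRootLogin=prohibit-password' 'PasswordAuthentication no' \
    'Match User backup' '    PasswordAuthentication yes' > "$HARD_CFG"

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    if audit_sshd_config "$cfg"; then echo "$cfg: hardened"; else echo "$cfg: weak"; fi
done
```

Run it against /etc/ssh/sshd_config after making the change; a non-zero exit means the effective configuration still allows what the post warns against.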