Hi Blues,
Last week, my colleague and I did a lab experiment:
an 8-character alphanumeric password with a symbol character
breaks within 2 days (based on a P4 machine).
Scarcely... very easy and effortless.
Question is:
What does the attacker want?
[IMHO]
Your server as a zombie.
And your customers' identities (to proxy their identities).
And coincidentally we see an increase in
brute-force + rootkit attacks in our own network.
[IMHO]
[1]
We have to set mandatory password policies in BQ,
e.g.:
- each IP / username
  can only have 3 tries every 1 min
- password rotation every 30 days
- cannot reuse old passwords
etc...
[2]
and turn on SELinux - 'role-based access' (rootkit will not run)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
[Conclusion]
Else...
Unfortunately, we are currently vulnerable to such attacks (social engineering attacks).
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
On Fri, 25 Jan 2008 14:11:19 -0500
"Darrell D. Mobley" <dmobley (at mark) uhostme.com> wrote:
> The following advisory was circulated to cPanel sys admins today. Could a
> similar vulnerability be introduced into BlueQuartz?
>
> ---
>
> cPanel announced today that its security team has identified several key
> components of a hack known as the Random JavaScript Toolkit. The systems
> affected by this hack appear to be Linux® based and are running a number of
> different hosting platforms. While this compromise is not believed to be
> specific to systems running cPanel® software, cPanel has worked with a
> number of hosting providers and server owners to investigate this
> compromise.
>
> The cPanel Security Team has recognized that the vast majority of affected
> systems are initially accessed using SSH with no indications of brute force
> or exploitation of the underlying service. Despite non-trivial passwords,
> intermediary users and nonstandard ports, the attacker is able to gain
> access to the affected servers with no password failures. The cPanel
> security team also recognized that a majority of the affected servers come
> from a single undisclosed data-center. All affected systems have
> password-based authentication enabled. Based upon these findings, the cPanel
> security team believes that the attacker has gained access to a database of
> root login credentials for a large group of Linux servers. Once an attacker
> manually gains access to a system they can then perform various tasks. The
> hacker can download, compile, and execute a log cleaning script in order to
> hide their tracks. They also can download a customized root-kit based off
> of Boxer version 0.99 beta 3. Finally, the attacker searches for files
> containing credit card related phrases such as cvc, cvv, and authorize.
>
> The actual root-kit has been the subject of much speculation. The cPanel
> security team asserts that the Boxer variant includes a small web-server
> which is how the Javascript is distributed to unsuspecting users of any
> website on the server. It is believed that the Javascript include is
> injected into the HTML code after Apache® has served the file but before it
> has traveled through the TCP transport back to the user of the website. The
> web-server is not loaded onto the hard drive directly but loaded directly
> into memory from the infected Boxer binaries. More information about the
> infected binaries can be found at:
> http://www.cpanel.net/security/notes/random_js_toolkit.html.
>
> The JavaScript being loaded by this web-server is directing users to another
> server that scans the website user for a number of known vulnerabilities.
> These vulnerabilities are then used to add the website user to a bot net.
> More information about the JavaScript hacks can be found at:
> http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3
>
> Cleaning the Random JavaScript Toolkit requires the server to be booted into
> single user mode and the removal of all infected binaries. More details on
> how to do this can be found at:
> http://www.cpanel.net/security/notes/random_js_toolkit.html.
>
> The cPanel security team believes that the hacker has access to the database
> of login credentials; the only way to prevent being hacked again is changing
> the password and not releasing it to anyone. The preferred method however is
> to move to SSH Keys and remove password authentication altogether.
>
--
Cheers,
patrick
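As an added example (not code from the original post, the cPanel advisory, or the BlueQuartz project), here is a small Python script implementing the two defender-side checks raised in this thread: patrick's "3 tries every 1 min per IP / username" rule, run over sshd failure lines, and the advisory's observation that a stolen root credential logs in with no password failures at all, so the signal to watch is a successful password login from an unexpected source. It also audits an sshd_config fragment for the password-authentication setting the advisory recommends removing. The log lines, host name, addresses and config fragments are constructed; the year 2008 (syslog lines carry no year), the trusted-IP set and the "absent directive means yes" sshd default of that era are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog format. Host name, PIDs and addresses
# (RFC 5737 documentation ranges) are invented for this example, not real logs.
SAMPLE_LOG = """\
Jan 25 14:11:19 bq sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 25 14:11:22 bq sshd[2002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jan 25 14:11:30 bq sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 25 14:11:45 bq sshd[2004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jan 25 14:13:10 bq sshd[2005]: Accepted publickey for admin from 192.0.2.10 port 50001 ssh2
Jan 25 14:20:02 bq sshd[2006]: Accepted password for root from 198.51.100.77 port 60001 ssh2
Jan 25 14:21:00 bq sshd[2007]: Failed password for invalid user test from 203.0.113.9 port 40010 ssh2
"""

# Constructed sshd_config fragments: the weak setting the advisory warns about,
# and the hardened form it recommends (keys only, no password authentication).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2008):
    """Parse one sshd auth line; syslog omits the year, so the caller supplies it (assumed 2008)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def parse_log(text, year=2008):
    return [e for e in (parse_line(l, year) for l in text.splitlines()) if e]


def find_lockouts(events, max_tries=3, window_seconds=60):
    """Flag every failure that pushes an (ip, user) pair past max_tries within the window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    hits = []
    for e in events:
        if e["result"] != "Failed":
            continue
        q = recent[(e["ip"], e["user"])]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) > max_tries:
            hits.append((e["ip"], e["user"], e["ts"]))
    return hits


def find_password_logins(events, trusted_ips=frozenset()):
    """Successful password logins from outside the trusted set (key logins are ignored).

    A stolen credential produces an 'Accepted password' with no failures before it,
    so this, not the failure count, is the signal for the credential-database case.
    """
    return [(e["user"], e["ip"], e["ts"]) for e in events
            if e["result"] == "Accepted" and e["method"] == "password"
            and e["ip"] not in trusted_ips]


def audit_sshd_config(text):
    """Return the directives that still permit password-based or root password logins.

    An absent directive is treated as 'yes', the sshd default of the period (assumption).
    """
    settings = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip().lower()
    return [d for d in ("PasswordAuthentication", "ChallengeResponseAuthentication",
                        "PermitRootLogin")
            if settings.get(d.lower(), "yes") == "yes"]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ip, user, ts in find_lockouts(events):
        print(f"LOCKOUT  {user}@{ip} exceeded 3 failures/min at {ts:%H:%M:%S}")
    for user, ip, ts in find_password_logins(events, trusted_ips={"192.0.2.10"}):
        print(f"REVIEW   password login for {user} from untrusted {ip} at {ts:%H:%M:%S}")
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name} sshd_config: still-open directives = {audit_sshd_config(cfg)}")
```

On the constructed log the lockout rule fires once, at the fourth root failure from 203.0.113.5 inside 26 seconds, while the root login from 198.51.100.77 never trips it because it succeeded on the first try; only the trusted-source check surfaces it. The weak config reports three open directives and the hardened one reports none.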