I have to agree: SELinux and three tries in one minute (the one minute
could actually be reduced to 30 seconds) would be of great help in keeping
these crackers out of our systems.
Doug
-----Original Message-----
From: patricko [mailto:patricko (at mark) staff.singnet.com.sg]
Sent: Saturday, January 26, 2008 9:25 PM
To: coba-e (at mark) bluequartz.org
Cc: dmobley (at mark) uhostme.com
Subject: [coba-e:11801] Re: Cpanel reporting Javascript vulnerability...
Hi Blues,
Last week, my colleague and I did a lab experiment:
an 8-character alphanumeric password with a symbol character
breaks within 2 days (based on a P4 machine).
Scarcely... very easy and effortless.
Question is:
What does the attacker want?
[IMHO]
Your server as a zombie,
and your customer identities (to proxy their identities).
And coincidentally we see an increase in
brute-force + rootkit attacks in our own network.
[IMHO]
[1]
We have to set mandatory password policies in BQ,
e.g.:
- each IP / username
  can only have 3 tries every 1 min
- password rotation every 30 days
- cannot reuse old passwords
etc...
[2]
and turn on SELinux - 'role-based access' (rootkit will not run)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
[Conclusion]
Else...
Unfortunately, we are currently vulnerable to such attacks (social
engineering attacks).
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
On Fri, 25 Jan 2008 14:11:19 -0500
"Darrell D. Mobley" <dmobley (at mark) uhostme.com> wrote:
> The following advisory was circulated to cPanel sys admins today. Could a
> similar vulnerability be introduced into BlueQuartz?
>
> ---
>
> cPanel announced today that its security team has identified several key
> components of a hack known as the Random JavaScript Toolkit. The systems
> affected by this hack appear to be Linux® based and are running a number of
> different hosting platforms. While this compromise is not believed to be
> specific to systems running cPanel® software, cPanel has worked with a
> number of hosting providers and server owners to investigate this
> compromise.
>
> The cPanel Security Team has recognized that the vast majority of affected
> systems are initially accessed using SSH with no indications of brute force
> or exploitation of the underlying service. Despite non-trivial passwords,
> intermediary users and nonstandard ports, the attacker is able to gain
> access to the affected servers with no password failures. The cPanel
> security team also recognized that a majority of the affected servers come
> from a single undisclosed data-center. All affected systems have
> password-based authentication enabled. Based upon these findings, the cPanel
> security team believes that the attacker has gained access to a database of
> root login credentials for a large group of Linux servers. Once an attacker
> manually gains access to a system they can then perform various tasks. The
> hacker can download, compile, and execute a log cleaning script in order to
> hide their tracks. They also can download a customized root-kit based off of
> Boxer version 0.99 beta 3. Finally, the attacker searches for files
> containing credit card related phrases such as cvc, cvv, and authorize.
>
> The actual root-kit has been the subject of much speculation. The cPanel
> security team asserts that the Boxer variant includes a small web-server
> which is how the Javascript is distributed to unsuspecting users of any
> website on the server. It is believed that the Javascript include is
> injected into the HTML code after Apache® has served the file but before it
> has traveled through the TCP transport back to the user of the website. The
> web-server is not loaded onto the hard drive directly but loaded directly
> into memory from the infected Boxer binaries. More information about the
> infected binaries can be found at:
> http://www.cpanel.net/security/notes/random_js_toolkit.html.
>
> The JavaScript being loaded by this web-server is directing users to another
> server that scans the website user for a number of known vulnerabilities.
> These vulnerabilities are then used to add the website user to a bot net.
> More information about the JavaScript hacks can be found at:
> http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3.
>
> Cleaning the Random JavaScript Toolkit requires the server to be booted into
> single user mode and the removal of all infected binaries. More details on
> how to do this can be found at:
> http://www.cpanel.net/security/notes/random_js_toolkit.html.
>
> Since the cPanel security team believes that the hacker has access to the
> database of login credentials, the only way to prevent being hacked again is
> changing the password and not releasing it to anyone. The preferred method
> however is to move to SSH Keys and remove password authentication altogether.
>
--
Cheers,
patrick
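As an added example (not code from this thread, from BlueQuartz, or from cPanel), the Python below replays constructed sshd auth-log lines through the "3 tries per IP / username every 1 min" policy patricko proposes, with the window length as a parameter so Doug's 30-second variant can be compared, and separately lists every accepted *password* login as root, which is the access path the cPanel advisory describes. The log lines, hostname and addresses are made up; the regular expression assumes OpenSSH's standard "Failed/Accepted password for ... from ... port ..." wording.

```python
"""Replay SSH password attempts through a per-(IP, user) login throttle.

Added example for the coba-e thread; not BlueQuartz or cPanel code.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in OpenSSH auth-log format; not real log data.
SAMPLE_LOG = """\
Jan 26 21:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 26 21:00:05 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 26 21:00:09 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jan 26 21:00:12 web1 sshd[1207]: Failed password for root from 203.0.113.7 port 51055 ssh2
Jan 26 21:00:30 web1 sshd[1209]: Failed password for invalid user admin from 198.51.100.9 port 40100 ssh2
Jan 26 21:01:40 web1 sshd[1211]: Failed password for invalid user admin from 198.51.100.9 port 40101 ssh2
Jan 26 21:02:50 web1 sshd[1213]: Failed password for invalid user admin from 198.51.100.9 port 40102 ssh2
Jan 26 21:03:00 web1 sshd[1215]: Accepted publickey for deploy from 192.0.2.4 port 2222 ssh2
Jan 26 21:03:05 web1 sshd[1217]: Accepted password for root from 203.0.113.7 port 51099 ssh2
Jan 26 21:04:00 web1 sshd[1219]: Failed password for invalid user admin from 198.51.100.9 port 40103 ssh2
"""

# Standard OpenSSH wording for password and public-key authentication results.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def _seconds(ts):
    """Syslog timestamps carry no year; only differences matter here."""
    dt = datetime.strptime(ts, "%b %d %H:%M:%S")
    return (dt - datetime(1900, 1, 1)).total_seconds()


class LoginThrottle:
    """Sliding window per (ip, user): the try that pushes the count within
    the last `window` seconds above `limit` is the one the policy denies."""

    def __init__(self, limit=3, window=60):
        self.limit = limit
        self.window = window
        self._tries = defaultdict(deque)

    def attempt(self, ip, user, t):
        q = self._tries[(ip, user)]
        while q and t - q[0] >= self.window:  # expire tries outside the window
            q.popleft()
        q.append(t)
        return len(q) > self.limit


def analyze(log_text, limit=3, window=60):
    """Replay password attempts through the throttle.

    Returns the tries the policy would have denied and every accepted
    password login as root. Key-based logins are exempt from both checks."""
    throttle = LoginThrottle(limit, window)
    denied, root_pw = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "password":
            continue
        ip, user, ts = m["ip"], m["user"], m["ts"]
        if throttle.attempt(ip, user, _seconds(ts)):
            denied.append((ip, user, ts))
        if m["result"] == "Accepted" and user == "root":
            root_pw.append((ip, ts))
    return {"denied": denied, "root_password_logins": root_pw}


if __name__ == "__main__":
    for window in (60, 30, 300):
        print(f"window={window}s:", analyze(SAMPLE_LOG, window=window))
```

What the replay shows: the burst from 203.0.113.7 is denied on its fourth try with either a 60-second or a 30-second window, while the tries from 198.51.100.9 spaced 70 seconds apart are never denied until the window is widened to several minutes, so shortening the window buys little against an attacker who simply slows down (and keying on the IP alone rather than IP plus username would be stricter against one source spraying many accounts). The accepted root password login is not a failure at all, which matches the advisory's observation of "no password failures": a throttle cannot stop a login made with a stolen valid password. Only `PasswordAuthentication no` in sshd_config (with `PermitRootLogin without-password`, spelled `prohibit-password` in newer OpenSSH, if root must log in by key at all) closes that path, which is the advisory's own recommendation.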