We have had some luck using salted passwords, and more than 10 characters.
Salting improves user memory,
And longer passwords stop (or delay) brute force.
Yesterday we were hit by a brute force attack,
And sendmail's AUTH scheme got flaky. Had to restart sendmail several times,
even after dbrecover.
Regards
Rodrigo O
Xnet
-----Original Message-----
From: patricko [mailto:patricko (at mark) staff.singnet.com.sg]
Sent: Saturday, January 26, 2008 10:25 p.m.
To: coba-e (at mark) bluequartz.org
Cc: dmobley (at mark) uhostme.com
Subject: [coba-e:11801] Re: Cpanel reporting Javascript vulnerability...
Hi Blues,
Last week, my colleague and I did a lab experiment:
an 8-character alphanumeric password with a symbol character
breaks within 2 days (based on a P4 machine).
Scarcely... very easy and effortless.
Question is:
What does the attacker want?
[IMHO]
Your server as a zombie.
and your customer identities. (to proxy their identities)
And coincidentally we see an increase in
brute-force + rootkit attacks in our own network,
[IMHO]
[1]
We have to set mandatory password policies in BQ
eg:
-each IP / username
can only have 3 tries every 1 min
-password rotation every 30 days
-cannot reuse old passwords.
etc...
[2]
and turn on SELinux - 'role-based access' (rootkit will not run)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
[Conclusion]
Else...
Unfortunately, we are currently vulnerable to such attack (social
engineering attack).
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
On Fri, 25 Jan 2008 14:11:19 -0500
"Darrell D. Mobley" <dmobley (at mark) uhostme.com> wrote:
> The following advisory was circulated to cPanel sys admins today.
> Could a similar vulnerability be introduced into BlueQuartz?
>
> ---
>
> cPanel announced today that its security team has identified several
> key components of a hack known as the Random JavaScript Toolkit. The
> systems affected by this hack appear to be Linux® based and are
> running a number of different hosting platforms. While this compromise
> is not believed to be specific to systems running cPanel® software,
> cPanel has worked with a number of hosting providers and server owners
> to investigate this compromise.
>
> The cPanel Security Team has recognized that the vast majority of
> affected systems are initially accessed using SSH with no indications
> of brute force or exploitation of the underlying service. Despite
> non-trivial passwords, intermediary users and nonstandard ports, the
> attacker is able to gain access to the affected servers with no
> password failures. The cPanel security team also recognized that a
> majority of the affected servers come from a single undisclosed
> data-center. All affected systems have password-based authentication
> enabled. Based upon these findings, the cPanel security team believes
> that the attacker has gained access to a database of root login
> credentials for a large group of Linux servers. Once an attacker
> manually gains access to a system they can then perform various tasks.
> The hacker can download, compile, and execute a log cleaning script in
> order to hide their tracks. They also can download a customized
> root-kit based off of Boxer version
> 0.99 beta 3. Finally, the attacker searches for files containing
> credit card related phrases such as cvc, cvv, and authorize.
>
> The actual root-kit has been the subject of much speculation. The
> cPanel security team asserts that the Boxer variant includes a small
> web-server which is how the Javascript is distributed to unsuspecting
> users of any website on the server. It is believed that the Javascript
> include is injected into the HTML code after Apache® has served the
> file but before it has traveled through the TCP transport back to the
> user of the website. The web-server is not loaded onto the hard drive
> directly but loaded directly into memory from the infected Boxer
> binaries. More information about the infected binaries can be found at:
> http://www.cpanel.net/security/notes/random_js_toolkit.html.
>
> The JavaScript being loaded by this web-server is directing users to
> another server that scans the website user for a number of known
> vulnerabilities.
> These vulnerabilities are then used to add the website user to a bot net.
> More information about the JavaScript hacks can be found at:
> http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3.
>
> Cleaning the Random JavaScript Toolkit requires the server to be
> booted into single user mode and the removal of all infected binaries.
> More details on how to do this can be found at:
> http://www.cpanel.net/security/notes/random_js_toolkit.html.
>
> The cPanel security team believes that the hacker has access to the
> database of login credentials, the only way to prevent being hacked
> again is changing the password and not releasing it to anyone. The
> preferred method however is to move to SSH Keys and remove password
> authentication altogether.
>
--
Cheers,
patrick
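The password controls discussed in this thread (salted hashes and a minimum length in Rodrigo's reply; the 3-tries-per-minute limit per IP/username, 30-day rotation and no-reuse rule in patrick's list), pulled together into one working example. This is an added illustration, not BlueQuartz or cPanel code; the PBKDF2 cost, the 10-character minimum, the 5-entry password history, the injectable clock and the names used here are assumptions made for the example.

```python
"""Password policy enforcement: salted hashing, minimum length, per-IP/user
throttling, rotation and reuse prevention. Added example, not BlueQuartz code."""
import hashlib
import hmac
import os
import time
from collections import deque

# Policy knobs. 3 tries per minute, 30-day rotation and no reuse come from the
# thread; the 10-character minimum, history depth and PBKDF2 cost are assumptions.
MIN_LENGTH = 10
MAX_TRIES = 3
WINDOW_SECONDS = 60
ROTATION_SECONDS = 30 * 24 * 3600
HISTORY_SIZE = 5
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 with a per-account random salt, so two accounts with
    the same password never store the same digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PolicyError(ValueError):
    """Raised when a new password violates the policy."""


class Authenticator:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so the lockout window can be tested
        self.accounts = {}      # username -> {"history": [(salt, digest)], "changed_at": ts}
        self.attempts = {}      # (ip, username) -> deque of attempt timestamps

    def set_password(self, username, new_password):
        if len(new_password) < MIN_LENGTH:
            raise PolicyError("password must be at least %d characters" % MIN_LENGTH)
        acct = self.accounts.setdefault(username, {"history": [], "changed_at": 0.0})
        # Reuse check: re-derive with each stored salt and compare in constant time.
        for salt, digest in acct["history"]:
            if hmac.compare_digest(hash_password(new_password, salt), digest):
                raise PolicyError("password was used recently")
        salt = os.urandom(16)
        acct["history"].append((salt, hash_password(new_password, salt)))
        del acct["history"][:-HISTORY_SIZE]          # keep only the newest entries
        acct["changed_at"] = self.clock()

    def _throttled(self, ip, username):
        """Sliding window: more than MAX_TRIES attempts in WINDOW_SECONDS locks the pair."""
        now = self.clock()
        window = self.attempts.setdefault((ip, username), deque())
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_TRIES:
            return True
        window.append(now)
        return False

    def login(self, ip, username, password):
        """Returns 'ok', 'locked', 'expired' or 'denied'. Throttling runs before the
        hash check, so a locked-out client learns nothing about the account."""
        if self._throttled(ip, username):
            return "locked"
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, b"\x00" * 16)   # same work as a real check
            return "denied"
        salt, digest = acct["history"][-1]
        if not hmac.compare_digest(hash_password(password, salt), digest):
            return "denied"
        if self.clock() - acct["changed_at"] > ROTATION_SECONDS:
            return "expired"
        return "ok"


if __name__ == "__main__":
    auth = Authenticator()
    auth.set_password("alice", "correct horse battery")
    for attempt in ("wrong", "wrong", "wrong", "correct horse battery"):
        print(attempt, "->", auth.login("192.0.2.10", "alice", attempt))
```

The throttle key is (IP, username) as in patrick's list; a botnet spreading tries across many source addresses will still get MAX_TRIES per address per minute, so a per-username ceiling is a reasonable second layer in production.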
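The advisory quoted above describes a web server living only in memory that splices a JavaScript include into pages after Apache has served them. One practical check, added here as an example and not taken from cPanel's notes, is to fetch each page from an outside host and compare the served HTML with the copy on disk: any script or iframe that appears in the response but not in the file is suspect. The sample pages, the documentation-range host 203.0.113.5 and the function names are constructed for this example.

```python
"""Detect script/iframe content added in transit by diffing the served page
against the file on disk. Added example, not part of the cPanel advisory."""
import re
import urllib.parse
import urllib.request

# Tags an injection toolkit needs to add: an external script include or a frame.
TAG_RE = re.compile(r"<script\b[^>]*>.*?</script>|<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def injected_fragments(on_disk, served):
    """Script/iframe fragments present in the served HTML but absent from the file."""
    known = {m.group(0) for m in TAG_RE.finditer(on_disk)}
    return [m.group(0) for m in TAG_RE.finditer(served) if m.group(0) not in known]


def external_hosts(fragments):
    """Remote hosts the injected fragments pull code from (relative src= values are skipped)."""
    hosts = []
    for frag in fragments:
        for src in SRC_RE.findall(frag):
            netloc = urllib.parse.urlsplit(src).netloc
            if netloc and netloc not in hosts:
                hosts.append(netloc)
    return hosts


def check_page(path, url, timeout=10.0):
    """Compare one file under the document root with what an HTTP client receives.
    Run this from a machine other than the suspect server: the advisory places the
    injection between Apache and the socket, so reading the file locally shows
    nothing while any client on the network sees the extra include."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        on_disk = f.read()
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        served = resp.read().decode("utf-8", errors="replace")
    return injected_fragments(on_disk, served)


# Constructed sample: a clean page and the same page as an infected server would emit it.
CLEAN_PAGE = """<html><head><title>Shop</title>
<script src="/js/site.js"></script></head>
<body><p>Welcome</p>
</body></html>"""
SERVED_PAGE = CLEAN_PAGE.replace(
    "</body>", '<script src="http://203.0.113.5:8080/a7f.js"></script></body>')

if __name__ == "__main__":
    found = injected_fragments(CLEAN_PAGE, SERVED_PAGE)
    for frag in found:
        print("injected:", frag)
    print("pulls code from:", external_hosts(found))
```

Because the comparison is against the file Apache would read, a legitimate include that is present on disk is never flagged, and the hosts list gives the addresses to block at the border and to search for in other customers' traffic while the server is rebuilt.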