The JavaScript exploit has been an old saga on a few Linux distros running cPanel and Plesk.
The compromise is at the root level and a rootkit has been installed. This rootkit hooks several syscalls within the kernel and begins serving malicious JavaScript to random web visitors.
This root compromise is not related to cPanel directly, as it has been reported on many different control panels on many different servers. The compromise is at the system level, and only Redhat 4, CentOS 4, and FC6 appear to be vulnerable at this time. We are actively researching this issue and will have an in-depth analysis of current information posted soon.
http://forums.cpanel.net/showthread.php?t=74963&page=10&highlight=centos5
[root@cpanel ~]# mkdir 1
mkdir: cannot create directory `1': No such file or directory
[root@cpanel ~]# touch 2
touch: cannot touch `2': No such file or directory
tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"
This command on a server infected by this specific rootkit will result in something similar to:
[root@server log]# tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 2048 bytes
<script language='JavaScript' type='text/javascript' src='ateyc.js'></script>
<script language='JavaScript' type='text/javascript' src='taopp.js'></script>
1311 packets captured
2627 packets received by filter
0 packets dropped by kernel
Todd Shipway
cPanel Technical Support
tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"
For older versions of tcpdump (such as the ones provided with RHEL3/CentOS3):
tcpdump -XX -ns 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"
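The grep above only shows the matching lines as they fly past. The following script, an added example that is not from the cPanel post or the forum thread, does the same detection over captured HTTP responses but keeps a count per injected script name and lets you exclude the scripts your site really serves. The capture text is constructed for the example; the five-letter name pattern is the one from the grep on the page.

```python
import re
import sys
from collections import Counter

# Constructed sample of `tcpdump -A` style output (not a real capture): two
# HTTP responses from the server, each carrying one legitimate script and one
# injected five-letter script of the kind shown on the page.
SAMPLE_CAPTURE = """\
HTTP/1.1 200 OK
Content-Type: text/html
<html><head>
<script type='text/javascript' src='/js/jquery.min.js'></script>
<script language='JavaScript' type='text/javascript' src='ateyc.js'></script>
</head></html>
HTTP/1.1 200 OK
Content-Type: text/html
<html><head><script language='JavaScript' type='text/javascript' src='taopp.js'></script>
<script src="/js/site.js"></script></head></html>
"""

# Any <script ... src=...> reference, single- or double-quoted.
ANY_SCRIPT_SRC = re.compile(r"""<script[^>]*\ssrc=(['"])([^'"]+)\1""", re.IGNORECASE)
# The page's pattern: a bare five-letter name plus .js, with no path component.
INJECTED_NAME = re.compile(r"[A-Za-z]{5}\.js")


def script_sources(text):
    """Every src attribute of a <script> tag in the captured text, in order."""
    return [m.group(2) for m in ANY_SCRIPT_SRC.finditer(text)]


def injected_scripts(text, known=frozenset()):
    """Count script names matching the page's pattern that are not in `known`,
    the set of script paths the site really serves (the caller builds that set
    from the document root).  Returns a Counter keyed by script name."""
    hits = Counter()
    for src in script_sources(text):
        if src not in known and INJECTED_NAME.fullmatch(src):
            hits[src] += 1
    return hits


if __name__ == "__main__":
    # Usage: tcpdump -nAs 2048 -l src port 80 | python3 this_script.py
    # Without piped input the constructed sample is analysed instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    for name, count in injected_scripts(data).most_common():
        print("%6d  %s" % (count, name))
```

Because the rootkit injects into responses inside the kernel, the web server's own logs and the files on disk look clean; the injected names only exist on the wire, which is why the count is taken from a packet capture rather than from the document root.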
The grsecurity fix people are mentioning does not remove this; it simply stops it from writing to /dev/mem (or /dev/kmem, depending on what is available). However, the second you boot out of this kernel you are likely to be vulnerable again.
The rootkit itself is rather simple in terms of how it actually functions: it uses common binaries as listed in the article (there's another binary not listed from the older variants of this [that don't prevent the numbers at the start of file names/directories]). Replacing those binaries in the manner suggested is not the safest option, and there is not always a copy; you should replace these with the binaries from your distribution. In this particular case it's actually rather easy to do: simply remove the attributes from the files, remove the files themselves (not needed, but do it anyway) and then reinstall the RPMs (as this is always on an RPM-based distribution); there are only 3 RPMs that need to be reinstalled.
Lastly, if you are not comfortable working with the kernel/debuggers then HIRE A QUALIFIED ADMINISTRATOR; there are plenty of them out there.
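The two host-side checks above (numeric file names failing to create, and locked binaries that must have their attributes removed before the RPMs are reinstalled) can be scripted. The following is an added example, not from the commenter or cPanel: it repeats the mkdir/touch test in a scratch directory, parses lsattr output for the immutable or append-only flags, and prints the chattr/rm/yum commands rather than running them. The binaries to inspect are passed on the command line because the page does not name them; the lsattr lines in the test are constructed.

```python
import os
import shutil
import subprocess
import sys
import tempfile


def numeric_names_blocked(directory=None):
    """Reproduce the check from the page: try `mkdir 1` and `touch 2` in a
    directory and return True if either fails with an OS error.  On a clean
    system both succeed and the entries are removed again."""
    base = directory or tempfile.mkdtemp(prefix="numcheck-")
    blocked = False
    try:
        os.mkdir(os.path.join(base, "1"))
        os.rmdir(os.path.join(base, "1"))
    except OSError:
        blocked = True
    try:
        open(os.path.join(base, "2"), "w").close()
        os.remove(os.path.join(base, "2"))
    except OSError:
        blocked = True
    if directory is None:
        shutil.rmtree(base, ignore_errors=True)
    return blocked


def parse_lsattr(output):
    """Turn lsattr lines such as '----i--------e-- /bin/ls' into a
    {path: flags} dict; error lines (no leading flag field) are skipped."""
    attrs = {}
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or "/" in parts[0] or not parts[1].startswith("/"):
            continue
        attrs[parts[1]] = parts[0]
    return attrs


def locked_paths(attrs):
    """Paths carrying the immutable (i) or append-only (a) attribute, which a
    package install never sets and which stop the file from being replaced."""
    return sorted(p for p, flags in attrs.items() if "i" in flags or "a" in flags)


def rpm_owner(path):
    """Package owning `path` according to rpm -qf, or None if unknown."""
    try:
        out = subprocess.run(["rpm", "-qf", "--queryformat", "%{NAME}", path],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None


def remediation_plan(lsattr_output, owner=rpm_owner):
    """The commenter's order of operations for every locked path: drop the
    attributes, delete the file, then reinstall the owning packages once."""
    plan, packages = [], []
    for path in locked_paths(parse_lsattr(lsattr_output)):
        plan.append("chattr -i -a %s" % path)
        plan.append("rm -f %s" % path)
        pkg = owner(path) or "<package-unknown>"
        if pkg not in packages:
            packages.append(pkg)
    if packages:
        plan.append("yum reinstall -y %s" % " ".join(packages))
    return plan


if __name__ == "__main__":
    # Usage: python3 this_script.py /path/to/binary ...  (run from a rescue
    # boot where possible, since lsattr and rpm on a live rootkitted host may
    # themselves be the replaced binaries)
    print("numeric file names blocked:", numeric_names_blocked())
    if sys.argv[1:]:
        try:
            out = subprocess.run(["lsattr"] + sys.argv[1:], capture_output=True,
                                 text=True, check=False).stdout
        except FileNotFoundError:
            sys.exit("lsattr not available")
        for cmd in remediation_plan(out):
            print(cmd)
```

The plan is printed rather than executed so the administrator can compare the package names against what rpm -V reports before touching anything; once the files are reinstalled, the kernel still has to be replaced or rebooted into a patched one, as the grsecurity comment points out.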