cPanel Security – Random JS Toolkit

A server compromise trend has recently been reported targeting multiple hosting platforms. Red Hat Enterprise Linux, CentOS 4/5 and Fedora Core 5/6 are the most common targets. This compromise is not believed to be specific to cPanel software; the issue has been seen on systems running a variety of control panels.


The vast majority of affected systems are initially accessed using SSH with no indications of brute force or exploitation of the underlying service. Despite non-trivial passwords, intermediary users and nonstandard ports, the attacker is able to gain access to the affected servers with no password failures. The majority of the affected servers come from a single undisclosed data-center. All affected systems have password-based authentication enabled. Based upon these findings, it’s believed that the attacker has gained access to a database of root login credentials for a large group of Linux servers.

Once access is gained, the attacker downloads and compiles Stealth Zapper 1.0, which is used to clean all traces of the attacker's access and movements through the system. The attacker then downloads a script used to gather information from Apache and compiles a list of statistics for each site hosted on the server. This information is then sent to an undisclosed location for the attacker to view. Once the information is sent successfully, the attacker downloads an agent binary built from the Boxer 0.99 BETA 3 rootkit. This binary is secured with encrypted keys to only allow access from the attacker's Boxer installation. The agent binary is built with several additional scripts developed by the attacker to load a web server into memory and inject the random JavaScript into the HTML code after Apache has served the file, but before it has traveled through the TCP transport back to the web site visitor. The attacker first runs the agent binary to load it into memory. This activates the rootkit, which then copies itself to the seven binary locations below, which keep the agent running at all times, including after a reboot.

/sbin/ifconfig

/sbin/fsck

/sbin/route

/bin/basename

/bin/cat

/bin/mount

/bin/touch

The rootkit renames these system binaries by adding a random set of characters to the end of the file name. Additionally, a 0-byte file with a different set of random characters appended to the target binary’s name is created, similar to the following:

/sbin/routewWmVTnBL6szkobbNZ9Iz

/sbin/routeGnAxnt168fMJAxHiru22

These files are hidden on the live filesystem of an affected system. In order to view these files, the system must be rebooted into a safe environment such as a system rescue CD.

The JavaScript being loaded by this web server is directing users to another server that scans the web site user for a number of known vulnerabilities. These vulnerabilities are then used to add the web site user to a bot net. More information about the JavaScript hacks can be found at: http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3.

If you feel your server is compromised, you can run the tests below to confirm.

The easiest test is to attempt to create a directory with a numerical name:

mkdir 1

If your server is compromised, this will result in the error below:

[root@cpanel ~]# mkdir 1
mkdir: cannot create directory `1': No such file or directory

This isn’t always the case in older variants of the rootkit. To be certain your server isn’t compromised, it’s best to sniff packets for a brief 3-5 minute period. You can do this using the command below:

tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"

If this reports packets being sent that match the regex above, then the server is most likely compromised. Additional detection methods require an in-depth knowledge of kernel debugging.

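
As an added example, not part of the original advisory, the following script packages the checks above so they can be run from a rescue environment against a mounted root filesystem (to find the renamed binaries and 0-byte decoys) and against saved tcpdump output; the mount point /mnt/sysimage, the capture file name and the 20-character suffix length are assumptions, not facts from the advisory.

```shell
#!/bin/sh
# Added example, not part of the original advisory: offline checks for the
# Random JS Toolkit indicators described above. The filesystem check is meant
# to run from a rescue environment against the mounted root (assumed to be at
# /mnt/sysimage), since the rootkit hides these files on the live system.

# The seven binaries the rootkit copies itself into, per the advisory.
RJS_BINARIES="sbin/ifconfig sbin/fsck sbin/route bin/basename bin/cat bin/mount bin/touch"

# check_renamed_binaries MOUNTPOINT
# Lists files named after one of the seven binaries plus a random suffix: the
# renamed original (non-empty) and the 0-byte decoy. Assumption: the suffix is
# 20 alphanumeric characters, as in the two samples quoted in the advisory;
# this also keeps legitimate names such as fsck.ext4 from matching.
# Returns 0 when nothing suspicious is found, 1 otherwise.
check_renamed_binaries() {
    root="$1"; found=0
    for rel in $RJS_BINARIES; do
        # Parameter expansion instead of basename/dirname: basename is itself
        # one of the binaries the rootkit replaces.
        dir="$root/${rel%/*}"; base="${rel##*/}"
        [ -d "$dir" ] || continue
        for f in "$dir/$base"?*; do
            [ -e "$f" ] || continue
            suffix="${f#"$dir/$base"}"
            printf '%s' "$suffix" | grep -qE '^[A-Za-z0-9]{20}$' || continue
            if [ -s "$f" ]; then kind="renamed-original"; else kind="zero-byte-decoy"; fi
            printf '%s %s\n' "$kind" "$f"
            found=1
        done
    done
    return $found
}

# check_injected_js CAPTUREFILE
# Applies the advisory's grep pattern (five letters, then .js') to saved
# port-80 response text, e.g. from: tcpdump -nAs 2048 src port 80 > capture.txt
# Prints the number of matching lines; exit status 0 means at least one hit.
check_injected_js() {
    grep -a -c "[a-zA-Z]\{5\}\.js'" "$1"
}

# check_mkdir_numeric: the advisory's quick live-system test ("mkdir 1"), run
# in a scratch directory. Returns 0 when it succeeds, as on a clean system.
check_mkdir_numeric() {
    scratch="${TMPDIR:-/tmp}/rjs-check.$$"
    if mkdir -p "$scratch" && (cd "$scratch" && mkdir 1); then rc=0; else rc=1; fi
    rm -rf "$scratch"
    return $rc
}
```

From a rescue shell the two offline checks would be invoked as `check_renamed_binaries /mnt/sysimage` and `check_injected_js capture.txt`; a non-empty report from the first or a non-zero count from the second is the indicator the advisory describes.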
Cleaning the Random JavaScript Toolkit requires the server to be booted into a safe environment and the removal of all infected binaries. Since it is believed that the attacker has access to the database of login credentials, the only way to prevent being hacked again is changing the password and not releasing it to anyone. The preferred method, however, is to move to SSH keys and remove password authentication altogether. It is recommended that you contact your data-center, NOC, or a qualified administrator to have the server properly cleaned, the OS reinstalled, and secured.

More information on this issue as well as discussions can be found at the following URLs:


  1. http://forums.cpanel.net
  2. http://www.webhostingtalk.com/showthread.php?t=651748
  3. http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3

Posted by Web Monkey