Malecious Random JavaScript Rootkit
(Adapted from http://www.cpanel.net/security/notes/random_js_toolkit.html )
BugTargeted Systems
A Linux server virus has recently been reported targeting multiple platforms such as: RedHat Enterprise, Centos v4.x/v5.x, and Fedora Core v5/v6. This Rootkit is not believed to be specific to any one control panel and/or Php application(s). Unfortunately, there are still many unknown details. We are actively researching the entry point to this exploit to pinpoint the methods used to gain access in order to stop this Rootkit from infecting servers in the future. It's a very time and energy consuming process as the primary Rootkit is designed to be hidden within the system which proves to be challenging even to Level I engineers.
Affected Binary Packages
It has been established that this Rootkit requires super user privileges. The initial entry point has not been confirmed yet. When a hacker gains shell access, the Rootkit is installed. Frequently-compromised binaries include:
/sbin/ifconfig
/sbin/fsck
/sbin/route
/bin/basename
/bin/cat
/bin/mount
/bin/touch
The Rootkit renames these system binary packages by adding a random set of characters at the end of the file name. Additionally, a 0 byte file with a different set of random characters is created based upon the target binary package's name.
For example:
/sbin/routewWmVTnBL6szkobbNZ9Iz
/sbin/routeGnAxnt168fMJAxHiru22
These files are hidden on the live filesystem of an affected system. In order to view these files, the system must be rebooted to a safe environment such as a system rescue CD.
How a Rootkit works
1. Once the Rootkit is successfully installed, the server will sit idle until rebooted. During a server reboot, the system initialization scripts will call the infected binaries.
2. When executed, the infected binary packages use /dev/mem as a pathway to the Kernel , and then attach to several system calls within the running Kernel. This results in hidden files, broken binary packages, and random JavaScript code being seen by web visitors.
3. When the system is fully online in an infected state, the Kernel will begin serving a JavaScript payload to random web requests/visits. This occurs outside of Apache and will not be seen in any of the Apache logs. The JavaScript injection will look like:
The JavaScript file is dynamically created and will have a random five character filename. This JavaScript will begin exploiting several known vulnerabilities within Windows, QuickTime and Yahoo Messenger on the web visitor's PC. Keep in mind that the JavaScript is not served on every request. It is injected into a small percentage of requests at random.
How do I know my server has been infected with this JS Rootkit ?
If you feel your server is being compromised, you can run the tests below to confirm.
The easiest test is to attempt to create a directory with a numerical name such as:
mkdir 123test
If your system returns the following error:
[root\@server ~]# mkdir 1
mkdir: cannot create directory `1': No such file or directory
Your system has been compromised.
This is not always true in older variants of a Rootkit . To make sure that your server is not compromised, run the following command for 3-5 minutes in order to sniff packets:
tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"
If your server is infected, the system will return the following result:
root@server log]# tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on eth0, link-type EN10MB (Ethernet), capture size 2048 bytes
1311 packets captured
2627 packets received by filter
0 packets dropped by kernel
Additional detection methods require an in-depth knowledge of Kernel debugging.
Solution
It is possible to remove this Rootkit by booting the server into a safe environment and moving the previous binary back in place. In this case, /sbin/routewWmVTnBL6szkobbNZ9Iz is the original binary. You can confirm this by looking at the size of the file. One will be 0 bytes and the other will be relatively significant in size. We suggest copying these binaries from a trusted and clean server.
Keep in mind that this is a root compromise. Until the point of entry is determined and closed, the server can continue to be compromised without proper security practices in place. We highly recommended that you do the following:
1. Contact your datacenter, NOC, or a qualified administrator to have the system fully checked and recovered.
2. Secure and harden your server.
3. Change any root passwords that have been previously used.
4. DO NOT give shell or jailshell access to ANYONE.
5. Update your server’s applications and services to the latest release, especially security patches and monitor the server closely for any unsuspected activity.
June 26th, 2008: Read the Latest findings about the Random JavaScript Rootkit
Click here if you wish to protect your server against IFrame JS code with "ServerTune IFrame Shield"
More information about Kernel Rootkits (To view this page, your browser must support in-line frames.)
Reference: http://servertune.com/kbase/entry/258/
My Blog List
-
The repository ‘http://deb.debian.org/debian buster-backports Release’ no longer has a Release file. - [image: See all Debian/Ubuntu Linux related FAQ] When you run the sudo apt update, you may see the following message or error on a Debian Linux: Err:5 http...4 days ago
-
A Closer Look at Remote Peering: Technologies and Techniques - In the realm of digital communication, the significance of efficient internet traffic exchange has escalated with the surge in global cloud content. With...2 weeks ago
-
PaloAlto init-cfg.txt Bootstrap Config file Layout with Examples - When you install and configure the PaloAlto firewall, when the firewall boots up for the first time, it does the bootstrapping process. PaloAlto uses the s...1 year ago
-
Clusterssh – Administer multiple ssh or rsh shells simultaneously - Sponsored Link The command opens an administration console and an xterm to all specified hosts. Any text typed into the administration console is replicate...3 years ago
-
Web Application Vulnerability Scanning Tools - Web Application Vulnerability Scanning Tools Nessus http://www.tenable.com/products/nessus PortSwigger https://portswigger.net/ qualys https://www.qualys....5 years ago
-
What You Don’t Know About Linux Open Source Could Be Costing to More Than You Think - Guest post by Marc Fisher If you would like to test out Linux before completely switching it as your everyday driver, there are a number of means by which ...5 years ago
-
Resolving Sysprep problems with App-X packages (Part 1) - This is the first of two articles explaining how to fix systems that won't Sysprep if Windows Native/App-X applications have been removed and Windows patches.6 years ago
-
V2V Communications security considerations - The future of vehicles, road infrastructure and driving are changing. We are progressing with vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) ...6 years ago
-
10 UNIX / Linuz Size Command Examples for ObjectFiles - Linux size is part of GNU binutils. This utility is very helpful for programmers to analyze the data from the executable files (or object files). By defaul...9 years ago
-
Updating VMware Tools on Red Hat Enterprise/Scientific/CentOS Linux 6 for VMware ESXi 5 - In a previous post I discussed installing the open source VMware tools for Red Hat Enterprise/Scientific/CentOS Linux 6 from a yum package repository provi...12 years ago
