Lots of juicy, juicy in this one, but there's something about it that smells funny.

A server compromise trend has been recently reported targeting multiple hosting platforms. RedHat Enterprise Linux & CentOS 4/5 and Fedora Core 5/6 are the most common targets. This compromise is not believed to be specific to cPanel software. This issue has been seen on systems running a variety of control panels. There are still many unknown details regarding this exploit. It has been established that this compromise requires super user privileges. It is common to see a short but successful root login via ssh 5-10 minutes before the compromise occurs. The initial entry point is not confirmed at this time.

So basically, the people too stupid to pick a decent root password are getting exploited... nothing much new here... kind of hard to take over the Internet with unimportant machines no one puts much importance into and don't attract many pageviews.

This isn't always the case in older variants of the rootkit. To be certain your server isn't compromised, it's best to sniff packets for a brief 3-5 minute period. You can do this using the command below:

tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"

...alternatively, you could simply find an exploitable bug in tcpdump or grep and encourage many thousands of people around the world to run those binaries for several minutes on their really important, high page-view sites while you madly scan thousands of prospective target webhosts with your other botnet of more easily exploited machines. Exploitable bugs in tcpdump you say? No... that's never happened before.

Rumors of another new worm surfacing.
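As an added example (not part of the original post or the advisory it quotes): the advisory's five-letter `.js` check applied to HTTP response bodies in Python, with constructed sample responses and a constructed docroot listing; it assumes that a referenced file which is not in the docroot was injected at serve time, and shows why a raw hit still needs triage.

```python
import re
from typing import Dict, List, Set

# The advisory's pattern: exactly five letters followed by ".js". Anchored to a
# quoted src so a longer name such as "jquery.js" is not matched, but a legitimate
# five-letter name such as "index.js" still is, which is why hits need triage.
INJECTED_JS = re.compile(r'["\'](?:[^"\']*/)?([a-zA-Z]{5})\.js["\']')

# Constructed sample responses; none of these is a capture from a real host.
SAMPLE_RESPONSES: Dict[str, str] = {
    "clean": '<html><head><script src="/static/jquery.js"></script></head>'
             '<body>ok</body></html>',
    "injected": '<html><body>hello<script src="http://example.invalid/qwert.js">'
                '</script></body></html>',
    "benign-five": '<script src="/js/index.js"></script>',
}

# Constructed listing of the .js files actually present in the site's docroot.
KNOWN_DOCROOT_JS: Set[str] = {"jquery.js", "index.js"}


def find_random_js(body: str) -> List[str]:
    """Return the five-letter .js file names referenced from script tags in body."""
    return [m.group(1) + ".js" for m in INJECTED_JS.finditer(body)]


def scan_responses(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the check over many responses, keeping only those with hits."""
    hits: Dict[str, List[str]] = {}
    for name, body in responses.items():
        found = find_random_js(body)
        if found:
            hits[name] = found
    return hits


def triage(hits: Dict[str, List[str]], known_files: Set[str]) -> Dict[str, List[str]]:
    """Keep only references that no file on disk accounts for (assumption: an
    injection added at serve time references a script that is not in the docroot)."""
    out: Dict[str, List[str]] = {}
    for name, found in hits.items():
        unexplained = [f for f in found if f not in known_files]
        if unexplained:
            out[name] = unexplained
    return out


if __name__ == "__main__":
    print(triage(scan_responses(SAMPLE_RESPONSES), KNOWN_DOCROOT_JS))
```

A hit for a file that does exist on disk should still be compared against the copy the server serves, since the page notes that older variants do not always behave the same way.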