"JaMaYcKa" hacker strikes 8,000+ websites
pucky
02-18-2007, 12:50 AM
This is a security advisory. Be warned, ladies and gentlemen, that this hacker has already defaced over 8,000 websites in a matter of days and he is making his rounds. Should you be so unfortunate to have your box targeted, a mass defacement of all websites on your server will occur.
Current indications reveal that he is targeting cPanel servers as well as DirectAdmin servers running CentOS and RHEL, but there could be other distros involved. It is also believed that this is being done via the system kernel v 2.6.
If you have not done so, ensure that your /tmp and /dev/shm partitions are mounted nosuid,noexec to reduce the likelihood that this script can be executed. Note, once the hacker accesses your server he creates a user account on your server called rOOt and creates a password for it. Search your /etc/passwd file to ensure that rOOt doesn't already exist.
There are no indications that there is an available patch at this time. Your best course of action is to make sure that each and every website is backed up on a nightly basis until a patch or fix is released by RH. You are advised to view every site on your server to ensure that he has not already attempted to deface a website on your server.
If you are experienced in compiling your own kernel source, now would be a good time to do so. Recompiling the kernel source from the latest distro seems to do the trick, so if you are a master in the art of recompiling your own kernel source, this is your best protection at this time.
Do not ignore this warning!!!
You may view his doings here. Click on a few websites to reveal the defaced websites.
http://www.zone-h.com/component/option,com_attacks/Itemid,43/filter_defacer,JaMaYcKa/
At this time it seems FreeBSD servers (the BSD kernel) are not affected by this exploit, but that's only a preliminary guess as there is no evidence to support that any FreeBSD boxes have been rooted.
Thank you.
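The checks the advisory recommends (look for a planted rOOt account, confirm /tmp and /dev/shm are mounted nosuid,noexec) can be scripted so they run on every box the same way. The following is an added example written for this thread, not code from the original post or from any vendor mentioned in it. It assumes a /proc/mounts-style mount listing and a standard /etc/passwd layout, and it also inventories setuid files, since a host that has to allow setuid somewhere should at least know where. Each function takes a path, so it can be pointed at the live system or at the constructed sample data the demo uses.

```shell
#!/bin/sh
# Added example (not from the thread): defender-side checks matching the advice
# in the advisory post. Every function takes a file or directory path so it can
# be pointed at the real system (/etc/passwd, /proc/mounts, /usr) or at sample data.

# Print usernames that look like the planted account: the literal name "rOOt",
# or any account other than "root" whose uid is 0. Exit 0 if any were found.
find_rogue_accounts() {
    awk -F: '
        $1 == "rOOt" || ($3 == "0" && $1 != "root") { print $1; found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Exit 0 if the given mount point (as listed in a /proc/mounts-style file)
# carries both nosuid and noexec in its option list, else exit 1.
mount_is_hardened() {
    awk -v mp="$2" '
        $2 == mp && $4 ~ /(^|,)nosuid(,|$)/ && $4 ~ /(^|,)noexec(,|$)/ { ok = 1 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Count regular files with the setuid bit under a directory (same filesystem only).
# Keep the full list as a baseline and diff it after every software install.
count_suid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# Demonstration on constructed sample data (not a real server).
demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed passwd: one legitimate user plus the planted uid-0 account.
    printf 'root:x:0:0:root:/root:/bin/bash\nbob:x:1001:1001::/home/bob:/bin/bash\nrOOt:x:0:0::/:/bin/sh\n' > "$tmp/passwd"
    # Constructed mounts: /dev/shm hardened, /tmp left with default options.
    printf 'tmpfs /dev/shm tmpfs rw,nosuid,noexec,nodev 0 0\n/dev/sda2 /tmp ext3 rw 0 0\n' > "$tmp/mounts"
    mkdir "$tmp/bin" && : > "$tmp/bin/setuid-tool" && chmod 4755 "$tmp/bin/setuid-tool"

    if accounts=$(find_rogue_accounts "$tmp/passwd"); then
        echo "ALERT: suspicious uid-0/rOOt accounts: $accounts"
    else
        echo "OK: no suspicious accounts"
    fi
    for mp in /dev/shm /tmp; do
        if mount_is_hardened "$tmp/mounts" "$mp"; then
            echo "OK: $mp is nosuid,noexec"
        else
            echo "WARN: $mp lacks nosuid,noexec"
        fi
    done
    echo "setuid files under $tmp/bin: $(count_suid_files "$tmp/bin")"
    rm -rf "$tmp"
}

demo
```

On a live host, call `find_rogue_accounts /etc/passwd`, `mount_is_hardened /proc/mounts /tmp` and `count_suid_files /usr` from cron and alert on any change from the previous run; the uid-0 check matters more than the name, since an attacker need not reuse the same username on every box.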
pucky
02-18-2007, 01:06 AM
Update, ensure that your kernel is up-to-date and using at least
date 2007-01-29 -> kernel 2.6.9 023stab040.1
Thanks
justahost
02-18-2007, 01:37 AM
I got hit by this one yesterday - will be having words with the 'security' team I hired to secure the server down!
How does he get in - does anyone know?
pucky
02-18-2007, 01:41 AM
As I said, I believe it's via your kernel. Ensure that your box is running the version above, but we don't know if that's enough to keep him out. At least it's a good try. View your kernel using the command:
uname -a
Yes, your website is listed on the list
justahost
02-18-2007, 02:49 AM
That's strange as the kernel was upgraded via YUM not so long back :s
empowering
02-18-2007, 11:33 AM
How exactly is he getting root access? Does anyone know?
I don't see anywhere on the net the method he is using. If it's a zero day exploit, it appears he's been hacking for awhile, so I'm not sure if that is it.
pucky
02-18-2007, 11:37 AM
It is unsure how he's doing it at this time. The most important thing is to make sure all your kernels are up-to-date and to be doing site backups in case you need to restore them. There are rumors that even the latest kernel, grsecurity, is also being bypassed and servers are being hacked even with that kernel.
empowering
02-18-2007, 02:05 PM
Right now I haven't found any proof of it being a kernel exploit, and sounds like outdated kernels. Centos/RHEL do backport security patches. Unless there is a brand new exploit that's not in the RHEL kernel, I'm not so sure that this is the case.
Oh also the hacker has defaced FreeBSD servers, not sure about rooted them.
pucky
02-18-2007, 02:08 PM
I haven't seen any FreeBSD boxes or been informed that any have been rooted or defaced from the exploit. Care to send me some information on this please?
Camron
02-18-2007, 02:09 PM
I was also hacked by this user on one of my cPanel boxes, however none of my DA boxes have been touched. Make sure you upgrade to the latest version, which I have just done.
smtalk
02-18-2007, 02:10 PM
Heh, very little thread here :) http://webhostingtalk.com/showthread.php?t=585083
empowering
02-18-2007, 04:12 PM
> I haven't seen any FreeBSD boxes or been informed that any have been rooted or defaced from the exploit. Care to send me some information on this please?
Sorry, recent attacks by him, no.
http://www.zone-h.org/component/option,com_attacks/Itemid,44/filter_defacer,JaMaYcKa/
jlandes
02-18-2007, 05:02 PM
It appears that I haven't been hit yet on my CentOS 4.4 server. I checked my Kernel version via the command "uname -a" and it says the version is 2.6.9-42.0.8.ELsmp #1 SMP Tue Jan 30 12:33:47 EST 2007 i686 i686 i386 GNU/Linux. Am I possibly ok from getting hit by this attack?
empowering
02-18-2007, 06:40 PM
> It appears that I haven't been hit yet on my CentOS 4.4 server. I checked my Kernel version via the command "uname -a" and it says the version is 2.6.9-42.0.8.ELsmp #1 SMP Tue Jan 30 12:33:47 EST 2007 i686 i686 i386 GNU/Linux. Am I possibly ok from getting hit by this attack?
That is the latest kernel. Are you safe? That may be a different story. According to some they believe there is an unpublished exploit to the kernel. I have yet to see anything confirmed though. If he is using an unpublished exploit I find it slightly odd how long he's been hacking sites (over 1 month) and yet a patch hasn't been released from either RH or CentOS about this. By now you would expect someone to say the latest version of the RH/CentOS kernel is insecure with proof/reporting to the software vendor. I see nothing discussing this. RH/CentOS back port security patches.
Don't forget it doesn't HAVE to be a kernel exploit. For example, it can be done with insecure software that uses SUID to get root access. So I recommend ALL installed software is current, not just the kernel.
ramprage
02-18-2007, 07:51 PM
What we're suggesting is the default distro kernels, latest releases, are not secure from this exploit. Simply having the latest release is not enough. Of course this is speculation at this point and I can't confirm or deny it but I'd be interested in speaking with anyone who has recently been affected by these attacks.
pucky
02-18-2007, 08:48 PM
> What we're suggesting is the default distro kernels, latest releases, are not secure from this exploit. Simply having the latest release is not enough. Of course this is speculation at this point and I can't confirm or deny it but I'd be interested in speaking with anyone who has recently been affected by these attacks.
Well you can ask the two people who have already been hit and reported it here in the thread.
ramprage
02-19-2007, 11:10 AM
Were any of you affected running installatron?
justahost
02-19-2007, 12:18 PM
Yep I had installatron on the box
Camron
02-19-2007, 03:20 PM
> Yep I had installatron on the box
I was also using installatron when I was hacked by him.
Sumaleth
02-19-2007, 05:21 PM
Re: Installatron
None of the domains, or their IPs, mentioned/linked in this thread or the webhosting thread thus far have Installatron licenses (and we don't have any .gov. hostnames licensed, and wouldn't really expect to).
This is by no means conclusive, of course, and I couldn't rule anything out until the cause is named, but the patterns don't suggest an Installatron problem to me.
We'll keep an eye on things (and you can disable Installatron for now if you want to rule it out).
Rowan @ Installatron
Camron
02-19-2007, 05:29 PM
Re: Installatron
> None of the domains, or their IPs, mentioned/linked in this thread or the webhosting thread thus far have Installatron licenses (and we don't have any .gov. hostnames licensed, and wouldn't really expect to).
> This is by no means conclusive, of course, and I couldn't rule anything out until the cause is named, but the patterns don't suggest an Installatron problem to me.
> We'll keep an eye on things (and you can disable Installatron for now if you want to rule it out).
> Rowan @ Installatron
Hmm, but doesn't installatron use suid? Isn't anything that uses suid a risk?
pucky
02-19-2007, 05:41 PM
I doubt it's installatron. Maybe an application that is installed via it is the reason why, but anyone could upload a 3rd party application and get owned if the security is not there. I can't see what Installatron has to do with anything.
Camron
02-19-2007, 05:44 PM
> I doubt it's installatron. Maybe an application that is installed via it is the reason why, but anyone could upload a 3rd party application and get owned if the security is not there. I can't see what Installatron has to do with anything.
You do have a point there, but how would the hacker go from a user to root without something actually connected to root?
pucky
02-19-2007, 05:54 PM
I can't see how the installatron application is giving any more root. And now I'm thinking it's not a kernel issue either, and here's why. There are reports on WHT, Steve who claims he has seen a few FreeBSD boxes affected. If that is true then it's not the kernel because the kernels on RH and BSD are very different. If what he's saying is true and FreeBSD boxes are also getting owned then it's something else and not the kernel. Possibly a popular application that's installed server-wide on all servers, eg ImageMagick for one. That's just an example though.
Anyone can get owned through an insecure application in a user's webspace. This is not something new. That is why it's recommended that you have mod_security installed with strict rules in place. It's not Installatron. We only run FreeBSD boxes with Installatron installed.
ramprage
02-20-2007, 12:04 PM
I didn't say it was Installatron, I was simply asking if those affected were running this tool. I noticed it uses a suid bit on the orbit file which seemed a bit of a security risk. As you know, suid scripts have a wonderful history of being insecure, having a third party addon have a suid root script worries me is all I'm saying.
Chrysalis
02-20-2007, 05:32 PM
> I can't see how the installatron application is giving any more root. And now I'm thinking it's not a kernel issue either, and here's why. There are reports on WHT, Steve who claims he has seen a few FreeBSD boxes affected. If that is true then it's not the kernel because the kernels on RH and BSD are very different. If what he's saying is true and FreeBSD boxes are also getting owned then it's something else and not the kernel. Possibly a popular application that's installed server-wide on all servers, eg ImageMagick for one. That's just an example though.
> Anyone can get owned through an insecure application in a user's webspace. This is not something new. That is why it's recommended that you have mod_security installed with strict rules in place. It's not Installatron. We only run FreeBSD boxes with Installatron installed.
The only quote I have seen from Steve is when he said he has not seen any FreeBSD boxes affected yet.
pucky
02-20-2007, 07:10 PM
Which is a good thing, however if you read earlier in the thread you will see that he states he saw FreeBSD boxes owned as well. I don't think anyone knows really since there are far fewer BSD boxes online compared to RH.
Chrysalis
02-21-2007, 06:50 PM
Nope he didn't, I read the whole thread and at the end he even corrects the guy who misquoted him.