This is a security advisory. Be warned, ladies and gentlemen, that this hacker has already defaced over 8,000 websites in a matter of days and he is making his rounds. Should you be so unfortunate as to have your box targeted, a mass defacement of all websites on your server will occur.
Current indications reveal that he is targeting cPanel servers as well as DirectAdmin servers running CentOS and RHEL, but there could be other distros involved. It is also believed that this is being done via the system kernel v 2.6.
If you have not done so, ensure that your /tmp and /dev/shm partitions are mounted nosuid,noexec to reduce the likelihood that this script can be executed. Note, once the hacker accesses your server he creates a user account on your server called rOOt and creates a password for it. Search your /etc/passwd file to ensure that rOOt doesn't already exist.
There are no indications that there is an available patch at this time. Your best course of action is to make sure that each and every website is backed up on a nightly basis until a patch or fix is released by RH. You are advised to view every site on your server to ensure that he has not already attempted to deface a website on your server.
If you are experienced in compiling your own kernel source, now would be a good time to do so. Recompiling the kernel source from the latest distro seems to do the trick, so if you are a master in the art of recompiling your own kernel source, this is your best protection at this time.
Do not ignore this warning!!!
You may view his doings here. Click on a few websites to reveal the defaced websites.
http://www.zone-h.com/component/option,com_attacks/Itemid,43/filter_defacer,JaMaYcKa/
At this time it seems FreeBSD servers, the BSD kernel, are not affected by this exploit, but that's only a preliminary guess as there is no evidence to support that any FreeBSD boxes have been rooted.
Thank you.
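A shell check for the two indicators the post tells admins to verify (mount options on /tmp and /dev/shm, and a rOOt account in /etc/passwd), added here as an example and not part of the original post. It takes /proc/mounts-style and /etc/passwd-style files as arguments, so it can run on the live box or on saved copies; the sample data below is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: verify the hardening and the
# indicator of compromise the advisory describes.

# mount_missing_opts MOUNTS_FILE MOUNTPOINT
# Return 0 if MOUNTPOINT is a separate mount carrying both nosuid and noexec;
# otherwise print what is missing and return 1.
mount_missing_opts() {
    mounts="$1"; mp="$2"
    # /proc/mounts fields: device mountpoint fstype options dump pass
    opts=$(awk -v mp="$mp" '$2 == mp { print $4; exit }' "$mounts")
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount (cannot carry its own nosuid,noexec)"
        return 1
    fi
    missing=""
    for want in nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "$mp: missing$missing"
    return 1
}

# suspicious_accounts PASSWD_FILE
# Print any account named rOOt (the name the advisory reports) and any account
# other than root that has UID 0; return 1 if something is found, 0 if clean.
suspicious_accounts() {
    found=$(awk -F: '$1 == "rOOt" || ($3 == 0 && $1 != "root") { print $1 ":" $3 }' "$1")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample data: /tmp is hardened, /dev/shm lacks noexec, and a
# UID-0 account named rOOt has been appended to passwd.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/mounts" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,nosuid,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,relatime 0 0
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
rOOt:x:0:0::/root:/bin/bash
EOF

rc=0
for mp in /tmp /dev/shm; do mount_missing_opts "$SAMPLE_DIR/mounts" "$mp" || rc=1; done
suspicious_accounts "$SAMPLE_DIR/passwd" || rc=1
[ "$rc" -eq 0 ] && echo "no findings" || echo "findings above need attention"
```

To check a live system, point the functions at /proc/mounts and /etc/passwd instead of the sample files.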