rogerdavis
Hi, I have not noticed anyone mentioning this problem on here, but there is a major security problem on Linux machines. cPanel have mentioned it, and on a VPS that has had the host compromised DA comes up with
"Either your request was invalid or the program hasn't completed your request.
Please notify the server admin"
when you try and delete any accounts. There is not a fix for it yet, but the links are below and you can run tests to see if your machine is affected.
such as..........
If you feel your server is compromised, you can run the tests below to confirm.
The easiest test is to attempt to create a directory with a numerical name:
mkdir 1
If your server is compromised, this will result in the error below:
[root@cpanel ~]# mkdir 1
mkdir: cannot create directory `1': No such file or directory
This isn't always the case in older variants of the rootkit. To be certain your server isn't compromised, it's best to sniff packets for a brief 3-5 minute period. You can do this using the command below:
tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"
If this reports packets being sent that match the regex above, then the server is most likely compromised. Additional detection methods require an in-depth knowledge of kernel debugging.
Cleaning the Random JavaScript Toolkit requires the server to be booted into a safe environment and the removal of all infected binaries. Since it is believed that the attacker has access to the database of login credentials, the only way to prevent being hacked again is changing the password and not releasing it to anyone. The preferred method however is to move to SSH Keys and remove password authentication altogether. It is recommended that you contact your data-center, NOC, or a qualified administrator to have the server properly cleaned and secured.
Regards
http://www.cpanel.net/security/notes/random_js_toolkit.html
http://www.webhostingtalk.com/showthread.php?t=651748&page=8
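The two tests quoted in the post above, wrapped as shell functions. This is an added example, not part of the original post or the cPanel note. The function names and the sample capture lines are constructed, and the strict filter assumes the script name is exactly five letters, because the regex as quoted also matches longer names such as jquery.js'.

```shell
#!/usr/bin/env bash
# Added example: function names and sample data are constructed for illustration.

# Test 1 from the post: "mkdir 1", run inside a throwaway directory.
# Returns 0 when the directory is created, 1 when mkdir fails.
check_numeric_mkdir() {
    local scratch rc=0
    scratch=$(mktemp -d) || return 2
    ( cd "$scratch" && mkdir 1 ) 2>/dev/null || rc=1
    rm -rf "$scratch"
    return "$rc"
}

# Test 2, loose form: count stdin lines matching the post's regex as written.
loose_hits() {
    grep -c "[a-zA-Z]\{5\}\.js'" || true
}

# Test 2, strict form (assumption): extract each quoted *.js' reference and
# keep only those whose file name is exactly five letters.
strict_hits() {
    grep -oE "[A-Za-z0-9_./-]*\.js'" | grep -E "(^|/)[a-zA-Z]{5}\.js'$" | sort -u
}

# Time-bounded live capture (needs root); the post suggests 3-5 minutes.
sniff_port80() {
    timeout "${1:-180}" tcpdump -l -nAs 2048 src port 80 2>/dev/null
}

# Constructed sample of "tcpdump -A" payload text, so the filters run offline.
sample_capture() {
    cat <<'EOF'
<script type='text/javascript' src='/js/jquery.js'></script>
<script language='JavaScript' src='/qkzvp.js'></script>
<link rel='stylesheet' href='/css/main.css'>
EOF
}

# Usage: ./check.sh live [seconds]
if [ "${1:-}" = "live" ]; then
    check_numeric_mkdir || echo "mkdir 1 failed: matches the post's first test"
    sniff_port80 "${2:-180}" | strict_hits
fi
```

On the constructed sample the loose regex flags two lines, one of them the ordinary jquery.js' reference, while the strict filter reports only the five-letter name.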