[Owasp-washington] for comment -- random js rootkit

Doug Wilson dougwilson.lists at gmail.com
Fri Jan 25 17:54:53 EST 2008


I saw the bit about injection previously as well -- I thought that was a 
theoretical, rather than something that was in wide distribution. This 
(for the people who aren't inclined to read the links) is basically a 
rootkit that sits hidden on the server, and then directly injects stuff 
into the responses from the server, and does it by hooking before the 
content leaves the server -- so, to the untrained eye, the content on 
the server has been compromised, but if you look at the source files, 
they are clean . . . and EVERY instance of the injected JavaScript is 
randomized, so there's really no way any signature-based stuff can pick 
it up (unless you just block .js across the board . . .).

The cpanel.net link gives some specific details about the pieces of the 
rootkit they have found so far, and some of the code they believe it may 
be derived from.

Love to hear more if anyone has info.

Doug
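Since the point above is that the on-disk files stay clean while the served responses carry the injection, one defender-side check is to compare what the server actually sends with the file it is supposed to be serving. The following is an added example, not code from the thread or from any of the linked write-ups; the two HTML strings are constructed samples, and the helper names are mine.

```python
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect every <script> element as a (src attribute, inline body) pair."""

    def __init__(self):
        super().__init__()
        self.scripts, self._buf, self._src = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._buf, self._src = [], dict(attrs).get("src")

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._buf = None


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def injected_scripts(on_disk_html, served_html):
    """Scripts present in the served page but absent from the on-disk file.
    A script is 'known' if the same (src, body) pair occurs anywhere in the
    source file, so legitimate reordering is not flagged; a randomized
    payload is flagged no matter what it looks like."""
    known = set(collect_scripts(on_disk_html))
    return [s for s in collect_scripts(served_html) if s not in known]


# Constructed sample: the file as it sits on disk, and the same page as the
# server handed it out with a randomized inline script appended. The variable
# name differs per request, so a fixed signature would never match it.
ON_DISK = ('<html><head><script src="/static/app.js"></script></head>'
           '<body><p>Hello</p></body></html>')
SERVED = ON_DISK.replace(
    "</body>", '<script>var qx7f3="ht"+"tp";document.write(qx7f3)</script></body>')

if __name__ == "__main__":
    for src, body in injected_scripts(ON_DISK, SERVED):
        print("injected script:", src or "(inline)", body)
```

In practice the served side would be fetched over HTTP from an outside vantage point (an in-server hook can hide from anything running inside it), and the on-disk side read from a known-good copy of the document root.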

Andre Ludwig wrote:
>
> I have seen and heard all sorts of discussions and debates on this 
> topic.  I don't think anyone has conclusive evidence of how these 
> machines are getting owned, and what if any rootkits are being 
> installed.   I have seen attacks that include ARP poisoning on shared 
> hosting switches to inject iframes in HTTP traffic (even funner to 
> track down than getting your server p0wn3d), I will see if I can dig 
> up any links on that attack.
>
> Andre
>
> Doug Wilson wrote:
>> Has anyone on the list dealt at all or seen anything about the 
>> "random JS rootkit" that is plaguing a variety of hosting providers?
>>
>> This is something that jumps up a level to the hosting environment, 
>> more than web application security per se, but it underlies the 
>> inability to secure things in a vacuum, and shows how, even if you 
>> have secured your application (or even have a web app that is not 
>> even worth securing, no forms, et al.), an attack on another level 
>> of your system can completely compromise what should be trusted content.
>>
>> My apologies if this is old news -- if not, I'd definitely be 
>> interested to hear people's thoughts on the matter.
>>
>> some links:
>>
>> http://isc.sans.org/diary.html?storyid=3864
>> http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3
>> http://www.cpanel.net/security/notes/random_js_toolkit.html
>> http://www.pcworld.com/article/id,141358-c,techindustrytrends/article.html 
>>
>>
>>
>> TIA,
>>
>> Doug