cPanel - JavaScript injection root compromise with non-integer filenames

There has been some recent hype about the root compromises that are plaguing cPanel and other Linux machines.

cPanel has a press release detailing the issue here:

http://blog.cpanel.net/?p=31
http://www.cpanel.net/security/notes/random_js_toolkit.html

We may get tickets from customers who believe their servers have been compromised by this.

The cPanel release includes the following detection advice:

This isn't always the case in older variants of the rootkit. To be certain your server isn't compromised, it's best to sniff packets for a brief 3-5 minute period. You can do this using the command below:

tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"

If this reports packets being sent that match the regex above, then the server is most likely compromised. Additional detection methods require an in-depth knowledge of kernel debugging.

The problem is that the output of the above command can be misleading. Run on a machine that has not been compromised, you see this:

[root@tunguyen ~]# tcpdump -i eth0 -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 2048 bytes
2 packets captured
4 packets received by filter
0 packets dropped by kernel

Customers may panic at seeing "4 packets received by filter" or the other summary lines. There is no compromise indicated here; this is tcpdump's normal end-of-capture summary, and it is printed whether or not anything matched.

tcpdump writes to two outputs, stdout and stderr. stdout (the decoded packets) is what grep is reading; stderr (the "listening on ..." banner and the packet counts) bypasses grep and goes straight to the terminal. Should grep match, it prints only the matching line of tcpdump's output; to also see the packet header line above it, as in the example below, add -B1 to the grep. A hit looks like this:

02:33:13.956987 IP 67.19.254.139.http > 67.86.125.147.launchbird-lm: . ack 706 win 57
E.hytxv.js.@..+C...CV}..P..rS.$. } P..9....

At that point the customer can start backing up their data and getting ready for an OS reload. Just be aware that a positive result is grep printing a matching line, not tcpdump reporting on stderr that it captured X packets. Also read what matched before calling it: the pattern fires on any script name with five or more letters in front of ".js'" (a page that loads jquery.js will match it), so check the script name and host in the matched line rather than treating any hit as proof.
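The following is an added example, not code from the cPanel advisory or from the original page, that wraps the advisory's tcpdump | grep check so a verdict comes only from grep matching a line on tcpdump's stdout and never from the packet summary tcpdump writes to stderr. The sample streams are constructed stand-ins for tcpdump -A output (documentation IP addresses, invented payloads), the interface name eth0 and the 300-second window are defaults you can override, and the live wrapper assumes the timeout(1) utility is installed and that you run it as root.

```shell
#!/bin/bash
# Added example (not the advisory's or the page's own code): separate grep's
# matches on tcpdump's stdout from tcpdump's stderr summary, and turn the
# advisory's check into a function with a clear return code.

# The advisory's regex, unchanged: five letters, ".js", and a closing quote.
PATTERN="[a-zA-Z]\{5\}\.js'"

# count_hits: read tcpdump -A text on stdin, print the number of matching lines.
count_hits() {
    grep -c "$PATTERN" || :   # grep -c exits 1 when the count is 0; keep going
}

# classify_capture: read tcpdump -A text on stdin, print each matching payload
# line with the packet header above it (grep -B1), and return 2 (SUSPECT) if
# anything matched or 0 (CLEAN) if nothing did.
classify_capture() {
    hits=$(grep -B1 "$PATTERN" || :)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        echo "SUSPECT: inspect the matched script name(s) above"
        return 2
    fi
    echo "CLEAN: no line matched $PATTERN"
    return 0
}

# sniff_and_classify IFACE SECONDS: live version of the advisory's command.
# Needs root. tcpdump's stderr goes to a file so its packet summary cannot be
# mistaken for a hit; -l line-buffers stdout so grep sees lines as they arrive;
# timeout(1) (assumed available) bounds the capture window.
sniff_and_classify() {
    iface=${1:-eth0}
    secs=${2:-300}
    timeout "$secs" tcpdump -i "$iface" -l -nAs 2048 src port 80 \
        2>/tmp/tcpdump-stderr.log | classify_capture
}

# Constructed sample stream (not a real capture): a packet header line and a
# payload line carrying an injected script tag with a random five-letter name.
SAMPLE_SUSPECT=$(cat <<'EOF'
02:33:13.956987 IP 192.0.2.10.http > 198.51.100.7.49152: . ack 706 win 57
E..q..@.<script src='http://192.0.2.10/hytxv.js'></script>
EOF
)

# Constructed clean stream: an ordinary page with a short script name, plus the
# two summary lines tcpdump prints to stderr. None of these match the regex.
SAMPLE_CLEAN=$(cat <<'EOF'
02:33:14.001122 IP 192.0.2.10.http > 198.51.100.7.49152: . ack 1412 win 57
<html><head><script src='/js/app.js'></script></head></html>
4 packets received by filter
0 packets dropped by kernel
EOF
)

# Constructed false positive: the regex is not specific to the rootkit. Any
# script name with five or more letters before ".js'" matches (here "query"
# in jquery.js), so a hit means "read the matched line", not "reload the box".
SAMPLE_FALSE_POSITIVE=$(cat <<'EOF'
02:33:15.120000 IP 192.0.2.10.http > 198.51.100.7.49152: . ack 2918 win 57
<script type='text/javascript' src='/js/jquery.js'></script>
EOF
)

# Usage:
#   printf '%s\n' "$SAMPLE_SUSPECT" | classify_capture      # returns 2
#   printf '%s\n' "$SAMPLE_CLEAN"   | classify_capture      # returns 0
#   sniff_and_classify eth0 300                             # live, as root
```

Running the live wrapper on a box and getting CLEAN means grep saw no matching line in the window; the stderr summary is in /tmp/tcpdump-stderr.log if you want the packet counts. A SUSPECT result on its own is a prompt to look at the matched script name and host, because, as the jquery.js sample shows, the advisory's regex also fires on legitimate script references.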