Random JS Toolkit

Discussion in 'General Discussion' started by E0x, Sep 17, 2008.

  1. E0x

    E0x, Registered (joined Sep 3, 2007)
    Hello,

    A few days ago I started getting an alert: lfd: System Exploit checking detected a possible compromise

    Possible detection of "Random JS Toolkit" due to modified files:

    /sbin/ifconfig: FAILED
    /sbin/fsck: FAILED
    /sbin/route: FAILED
    /bin/basename: FAILED
    /bin/cat: FAILED
    /bin/mount: FAILED
    /bin/touch: FAILED

    --------------------------------

    I googled and found how to check whether I really got infected:
    checking whether a binary was renamed with another name, like
    /sbin/routewWmVTnBL6szkobbNZ9Iz

    doing the mkdir test:

    mkdir 1

    and sniffing the network on the server using:
    tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"

    and I didn't find anything, so I think the alert is a false positive. How can I check how that alert was checked and stop the false positive alert?

    Thanks
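
The renamed-binary check described in the post above, as an added example that is not part of the original post or of lfd itself: it reads the `FAILED` lines from the alert and lists sibling files named like the flagged binary plus a random suffix. The function name, the `ROOT` argument and the "8 or more alphanumeric characters" threshold are assumptions, the last one modelled on the single filename quoted in the post.

```shell
#!/bin/sh
# find_renamed_copies ROOT < alert_text
# Reads lfd alert lines ("/sbin/route: FAILED") on stdin and prints every
# sibling file whose name is <binary><random suffix>. ROOT is prepended to
# each path so a mounted disk image or a test tree can be inspected; pass ""
# for the live filesystem.
find_renamed_copies() {
    root=$1
    # Keep only "<absolute path>: FAILED" lines and strip the status.
    sed -n 's/^[[:space:]]*\(\/[^:]*\): FAILED[[:space:]]*$/\1/p' |
    while IFS= read -r path; do
        for candidate in "$root$path"?*; do
            [ -e "$candidate" ] || continue     # glob matched nothing
            suffix=${candidate#"$root$path"}
            # Skip legitimate neighbours such as route6 or cat.bak.
            case $suffix in
                *[!A-Za-z0-9]*) continue ;;
            esac
            # Assumed threshold: suffix of at least 8 alphanumerics.
            [ "${#suffix}" -ge 8 ] || continue
            printf '%s\n' "${candidate#"$root"}"
        done
    done
}

# Constructed demo: a throw-away tree with one planted renamed copy.
demo=$(mktemp -d)
mkdir -p "$demo/sbin" "$demo/bin"
touch "$demo/sbin/route" "$demo/sbin/routewWmVTnBL6szkobbNZ9Iz" \
      "$demo/bin/mount" "$demo/bin/mountpoint"
printf '%s\n' '/sbin/route: FAILED' '/bin/mount: FAILED' |
    find_renamed_copies "$demo"     # prints /sbin/routewWmVTnBL6szkobbNZ9Iz
rm -rf "$demo"
```

On a live server, pass `""` as `ROOT` and pipe in the body of the alert e-mail; empty output means no file matching this naming pattern sits next to the flagged binaries.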
     
  2. kemis

    kemis, Well-Known Member (joined Feb 17, 2005)
    Location: Georgetown, TX
    I got this alert this morning, too. It happened right after an automatic yum upgrade (upcp). My server is now at CentOS 4.7. It must be a false positive.

    Nonetheless, this is my wake-up call to finally figure out how to get off password-based SSH authentication.

    Check out this similar post:
    http://forums.cpanel.net/showthread.php?t=92909&highlight=JS+Toolkit

    Good luck,
    Matt
     