Threat actors hack into Linux servers using a vulnerability in CWP software
Attackers are scanning the Internet for CWP installations and using an old vulnerability to install a backdoor and a rootkit on the servers they compromise.
Control Web Panel (formerly known as CentOS Web Panel) is software used by web hosting companies and large enterprises to host and manage large server infrastructure.
Since at least February of this year, a cybercriminal group has been scanning the Internet for CWP installations and using an exploit for an old vulnerability to gain access to the administration panel and install a backdoor named Facefish. The backdoor's primary goal is to gather device information, execute arbitrary commands, and steal SSH credentials from the infected host.
The attacks, spotted by both Juniper and Qihoo 360’s Netlab, have also involved a rare rootkit component that the attacker dropped on hacked Linux servers in order to maintain persistence.
Source: securitylab.ru
31 May 2021