Slashdot Mirror


Sophisticated Apache Backdoor In the Wild

An anonymous reader writes "ESET researchers, together with web security firm Sucuri, have been analyzing a new threat affecting Apache webservers. The threat is a highly advanced and stealthy backdoor being used to drive traffic to malicious websites carrying Blackhole exploit packs. Researchers have named the backdoor Linux/Cdorked.A, and it is the most sophisticated Apache backdoor seen so far. The Linux/Cdorked.A backdoor does not leave traces on the hard-disk other than a modified 'httpd' file, the daemon (or service) used by Apache. All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis."

108 comments

  1. doesn't look so scary by iggymanz · · Score: 5, Insightful

    Only cpanel apaches vulnerable and modified httpd easily found by grep'ing a string?

    *yawn*

    1. Re:doesn't look so scary by Eunuchswear · · Score: 5, Funny

      Yeah, and I'm sure you could fix it with an appropriate hosts file.

      --
      Watch this Heartland Institute video
    2. Re:doesn't look so scary by Anonymous Coward · · Score: 3, Interesting

      No, all apaches are vulnerable - if the binary is replaced in this way. cPanel doesn't use packaged binaries for apache, and therefore you can't spot if you've been hacked *by simple use of the package manager*.

    3. Re:doesn't look so scary by Anonymous Coward · · Score: 1

      Yeah, and I'm sure you could fix it with an appropriate hosts file.

      LAWLZLAWLZLAWLZ

    4. Re:doesn't look so scary by The+Mighty+Buzzard · · Score: 4, Insightful

      All everything is vulnerable if the binary is replaced. There's exactly jack and shit sophisticated about replacing binaries.

      --
      Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.
    5. Re:doesn't look so scary by simplypeachy · · Score: 0

      Or a Privoxy rule: [Redacted] (Your comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition.)

      Doh. It's not like commenters on a nerd site want to post code-like text that may contain repetition.

    6. Re:doesn't look so scary by KiloByte · · Score: 4, Insightful

      It's a cpanel vulnerability, Apache is merely modified by the payload to help it spread. Seriously, giving a web server process root -- what the hell are those guys thinking?

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    7. Re:doesn't look so scary by Lumpy · · Score: 3, Insightful

      Bingo.

      That is why this thing is overhyped. Yes it's a problem but only on grossly misconfigured servers. They might as well left the Root password as "password"

      --
      Do not look at laser with remaining good eye.
    8. Re:doesn't look so scary by Anonymous Coward · · Score: 4, Funny

      They might as well left the Root password as "password"

      You can change it ???

    9. Re:doesn't look so scary by Anonymous Coward · · Score: 0

      I foiled them! My root password is "root"!

    10. Re: doesn't look so scary by s.petry · · Score: 2

      According to the threads I read, all are vulnerable. Since the binary is not changed on disk, validating checksums won't detect this. They really did not go into much detail in any of the reading I got following TFA three levels deep. No versions, no rigs, no mods, etc. Did you read outside of TFA that it was cPanel only? Sitting in the dr office now, have to read more when back at the office.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    11. Re:doesn't look so scary by simplypeachy · · Score: 1

      Is redirection to ::1 all the rage for hosts files these days? I'm out of touch.

    12. Re:doesn't look so scary by quintus_horatius · · Score: 0

      Well, it was good enough for Microsoft...

    13. Re:doesn't look so scary by tibman · · Score: 1

      What distro ships apache as root? Haven't seen it in a looong time

      --
      http://soylentnews.org/~tibman
    14. Re:doesn't look so scary by Anonymous Coward · · Score: 2, Funny

      incorrect is a much better choice, that way the system reminds you if you forget it

    15. Re:doesn't look so scary by Anonymous Coward · · Score: 5, Funny

      They might as well left the Root password as "password"

      You can change it ???

      Don't worry, I already did it for you!

    16. Re:doesn't look so scary by Anonymous Coward · · Score: 1

      That's inefficient password usage.

      My root password is "12345". That way both my web server and luggage are secured.

    17. Re:doesn't look so scary by IMightB · · Score: 2

      I worked at an ISP using cPanel for a couple hundred shared servers... Let me just say that cPanel is the biggest hunk of crap out there. It is poorly written with no attention paid to security. It is squarely aimed at end-users who have no clue about system administration and has a penchant for letting those same people shoot themselves in the foot as often as possible. cPanel, for instance, lets you format/partition hard drives via the GUI without much in the way of instructions or warnings regarding the potential consequences of this action. We had many calls from people who claimed to have done nothing to their servers but it turned out that they were trying to free up space and formatted /var or /. We often joked that we should have created a page in the GUI with a big red button that says "Do NOT push" that would add an iptables rule to drop all connections from that IP and wait for the hilarity to commence.

    18. Re:doesn't look so scary by shaitand · · Score: 1

      I went with "god" it's always the best password!

    19. Re:doesn't look so scary by ebno-10db · · Score: 3, Funny

      They might as well left the Root password as "password"

      You can change it ???

      Yes, but it's a bad idea. Think of changed passwords as security through obscurity.

    20. Re:doesn't look so scary by fast+turtle · · Score: 1

      it's just too bad that it doesn't fire an actual bullet into their foot or at least zap em good when they screw up. Might help educate some of those damn PEBKAC issues

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    21. Re:doesn't look so scary by bkcallahan · · Score: 1

      I use "Iforgot"

    22. Re:doesn't look so scary by Anonymous Coward · · Score: 0

      There's a spammer that posts a huge rant mentioning hosts files. The filter doesn't stop that, but it wouldn't let the GGP post a code snippet. The downmod is from someone that doesn't get the irony.

  2. Does it hurt? by geek · · Score: 5, Funny

    Getting Cdorked in the backdoor sounds painful.

    1. Re:Does it hurt? by PacketScan · · Score: 2
  3. Another Link by Anonymous Coward · · Score: 4, Informative

    Here's another link about this issue.

    Seems systems with cPanel installed are getting hit with this. Better get a hash of your current apache executable so you can easily check it down the road.

  4. Wow by Dr.+Evil · · Score: 4, Insightful

    "other than a modified 'httpd' file,"

    It's completely invisible, as long as you're blind.

    1. Re:Wow by Synerg1y · · Score: 4, Insightful

      when was the last time you checked your httpd file?

    2. Re:Wow by Poeli · · Score: 4, Informative

      rpm -V httpd ?

      Not that difficult to put in a cron job.

    3. Re:Wow by Anonymous Coward · · Score: 0

      Right. And I liked how they left out whatever it inserts (or deletes from) the httpd.conf file.

      Ah the Monday FUD.

    4. Re:Wow by Anonymous Coward · · Score: 0

      Every 15 minutes when my config management system checksums and reports the diff for it.

    5. Re:Wow by ArchieBunker · · Score: 3, Interesting

      Who even does that in the first place? OpenBSD gives you a daily email containing all changes to config files that have occurred.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    6. Re:Wow by lky · · Score: 5, Informative

      when was the last time you checked your httpd file?

      If you're using tripwire or another similar tool and it's properly configured, then you should be notified of file changes.

      As long as you're paying attention, this doesn't seem like much of an issue.

    7. Re:Wow by Anonymous Coward · · Score: 0

      "other than a modified 'httpd' file,"

      It's completely invisible, as long as you're blind.

      The timestamp, permissions and owner are the same as the rest of the associated files (this infection isn't stupid). I'm sure you could use your x-ray vision to see that it's been replaced by a malicious copy. Please share your expertise with the rest of us.

    8. Re:Wow by Qzukk · · Score: 2

      And I liked how they left out whatever it inserts (or deletes from) the httpd.conf file

      On cPanel-based servers, instead of adding modules or modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one.

      So tell us what exactly it inserts (or deletes from) the httpd.conf file without modifying the Apache configuration?

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    9. Re:Wow by larry+bagina · · Score: 5, Informative

      httpd isn't a config file; it's the apache executable. Tripwire or other such utilities would catch it.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    10. Re:Wow by Anonymous Coward · · Score: 0

      rpm -V httpd ?

      Not that difficult to put in a cron job.

      Now that you know about it. Synerg1y has it right.

    11. Re:Wow by Anonymous Coward · · Score: 1

      The timestamp, permissions and owner are the same as the rest of the associated files (this infection isn't stupid). I'm sure you could use your x-ray vision to see that it's been replaced by a malicious copy. Please share your expertise with the rest of us.

      md5sum /usr/sbin/httpd

    12. Re:Wow by Americano · · Score: 2

      rpm -V also checks the MD5 sum of the file - if it's been modified, it should flag a difference in checksums, even if every other bit of metadata is the same.

      That said, it's quite easy to believe that lots of people aren't running "rpm -V httpd" regularly on their Linux servers, so all the people responding "DUH, NOOBZ" just sound like dicks. Next time, they should probably try showing off their deep knowledge of rpm by helpfully suggesting "rpm -V will find this, and you should be running this on all your systems regularly," rather than shitting up the comment thread with "I'm not vulnerable, anybody who is must be a fucking idiot."

    13. Re:Wow by Lumpy · · Score: 1

      Well for n00bs like you, yes. you will never see it.

      The rest of us get a tripwire alert that a watched binary was changed. You are using security software on your publicly accessed servers right?

      --
      Do not look at laser with remaining good eye.
    14. Re:Wow by Anonymous Coward · · Score: 0

      This morning. Although it was because a temporary glitch was best handled by a new mod_rewrite rule before software could be patched...

      Prior to that, last week...

      But I suspect I'm a bit more devops than a lot of /.

    15. Re:Wow by ShaunC · · Score: 5, Informative

      rpm -V httpd ?

      That won't work for this particular attack surface, because cPanel installs Apache itself and doesn't use a package manager. As far as rpm is concerned, Apache isn't installed to verify.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    16. Re:Wow by Anonymous Coward · · Score: 0

      Until tripwire or another similar tool gets replaced too.

    17. Re:Wow by h4rr4r · · Score: 5, Insightful

      The solution to this is be a big boy and don't use cPanel.

    18. Re:Wow by Anonymous Coward · · Score: 0

      Tripwire can hash binaries? md5 sums of hosted applications such as apache is pretty common.

    19. Re:Wow by Urban+Garlic · · Score: 1

      Any host-based intrusion detection system will have a hash of the executable, and will report when it changes. This is not some new cutting-edge security precaution, it's routine for many, many installations.

      --
      2*3*3*3*3*11*251
    20. Re:Wow by Anonymous Coward · · Score: 0

      debsums does the same for debian/ubuntu users by the way.

    21. Re:Wow by El_Muerte_TDS · · Score: 2

      when was the last time you checked your httpd file?

      This morning, debsums and rkhunter didn't report anything that requires attention.

    22. Re:Wow by jrumney · · Score: 1

      Mine is checked daily by debsums, along with all other binaries.

    23. Re:Wow by c0lo · · Score: 3, Informative

      rpm -V httpd ?

      Not that difficult to put in a cron job.

      Cited FA:

      In our previous posts, we recommended the utilization of tools like “rpm -Va” or “rpm -qf” or “dpkg -S” to see if the Apache modules were modified. However, those techniques won’t work against this backdoor. Since cPanel installs Apache inside /usr/local/apache and does not utilize the package managers, there is no single and simple command to detect if the Apache binary was modified.

      Yeah, you'd be vulnerable if your apache installation is done using cpanel (as many hosting providers are).

      --
      Questions raise, answers kill. Raise questions to stay alive.
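
Added example, not part of the thread or of any cited article: since a cPanel-built Apache sits outside the rpm/dpkg database, a self-kept hash baseline does the job that `rpm -V` or `debsums` would otherwise do, and it catches a swapped binary even when timestamp, owner and permissions were preserved. Function names and the subcommand layout are assumptions; the `open_tty` string check is the one the thread attributes to the linked article.

```shell
#!/bin/sh
# Added example: hash baseline for binaries that no package database covers,
# e.g. an Apache installed under /usr/local/apache. Names are illustrative.

# Print the SHA-256 of one file.
hash_of() {
    sha256sum -- "$1" | awk '{print $1}'
}

# make_baseline OUT FILE...: write "hash  path" lines for known-good files.
# Keep OUT off the host or on read-only media: root on the box can rewrite it.
make_baseline() {
    out=$1
    shift
    : > "$out"
    for f in "$@"; do
        printf '%s  %s\n' "$(hash_of "$f")" "$f" >> "$out"
    done
}

# verify_baseline BASELINE: print CHANGED/MISSING per file, status 1 on any finding.
# Only content is compared, so a preserved mtime, owner or mode does not hide a swap.
verify_baseline() {
    status=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            status=1
        elif [ "$(hash_of "$path")" != "$want" ]; then
            echo "CHANGED $path"
            status=1
        fi
    done < "$1"
    return "$status"
}

# has_marker FILE STRING: true if the binary contains STRING.
# A packed binary can hide the string, so a miss here proves nothing.
has_marker() {
    grep -a -q -F -- "$2" "$1"
}

# Usage: script baseline OUT FILE... | script verify OUT | script marker FILE STRING
case "${1:-}" in
    baseline) shift; make_baseline "$@" ;;
    verify)   verify_baseline "$2" ;;
    marker)   has_marker "$2" "$3" && echo "MARKER $2" ;;
esac
```

Run `verify` from cron and it stays silent until a recorded file differs from the baseline or disappears.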
  5. I thought with Apache I was impregnable. by Anonymous Coward · · Score: 0

    However I was wrong. This could be easily fixed with a slightly modified HOSTS file.

    1. Re:I thought with Apache I was impregnable. by Anonymous Coward · · Score: 0

      please, do elaborate

    2. Re:I thought with Apache I was impregnable. by Culture20 · · Score: 1

      Technically, this isn't apache. It's more like a pod-person version of apache (a modified binary replaces /usr/sbin/httpd or /usr/local/sbin/httpd outside of apache's control).

  6. I must be missing something.. by Anonymous Coward · · Score: 1

    How are they gaining access to the server to install their malicious software?

    1. Re:I must be missing something.. by KiloByte · · Score: 0

      cpanel

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  7. It's bad, but is this really a back-door? by dmomo · · Score: 4, Interesting

    This looks like a module for apache that, while sinister and clever, must be installed like any other module. Presumably, unless I'm missing something, this requires root access. If this so called "back door" (debatable) is on a system where it shouldn't be there is a bigger question on how was access to install it obtained in the first place.

    1. Re:It's bad, but is this really a back-door? by bvanheu · · Score: 1

      Did you RTFA? This is not an apache module.

    2. Re:It's bad, but is this really a back-door? by Nyder · · Score: 2

      This looks like a module for apache that, while sinister and clever, must be installed like any other module. Presumably, unless I'm missing something, this requires root access. If this so called "back door" (debatable) is on a system where it shouldn't be there is a bigger question on how was access to install it obtained in the first place.

      Yes, sort of confusing. What I gained from the various articles is that by visiting a malicious webpage on a compromised server, it will try to install the backdoor thru whatever methods it has. What they aren't that specific on is how they manage to replace the apache executable. But since it seems there isn't a standard way to tell if apache is infected, that is sort of stupid.

      But other than that, it sounds a bit clever.

      --
      Be seeing you...
    3. Re:It's bad, but is this really a back-door? by dmomo · · Score: 2

      I did. I probably over-read because I got caught up in 3 other articles about the subject. I'm sorry about the confusion. My main point stands. The real issue is that this requires an insecure system in the first place.

    4. Re:It's bad, but is this really a back-door? by Anonymous Coward · · Score: 0

      A shitty idiot tool called cpanel is insecure and a commercial company proved it to damage the reputation of Linux. COINTELPRO-style.

      Not a single capable expert Linux admin uses the cpanel shit.

    5. Re:It's bad, but is this really a back-door? by Anonymous Coward · · Score: 0

      It sounds like a FUD campaign by a commercial competitor of Linux. It's full of deceptive headlines and there is zero substance on how the infection works. So we have to infer that it is 100% propaganda.

    6. Re:It's bad, but is this really a back-door? by Anonymous Coward · · Score: 0

      Wrong.

      Just about every web hosting outfit has cpanel on their servers for the convenience of their less tech savvy customers.

  8. Does not leave traces on the hard-disk... by Anonymous Coward · · Score: 2, Insightful

    other than a modified 'httpd' file.

    That seems like a pretty significant trace. Check the MD5 yourself. You can check it with 'debsums', you don't even have to set it up unlike tripwire.

  9. Finally, a reason to compromise servers by mveloso · · Score: 1

    Back in the day, people broke into servers for fun.

    Now, people break into servers to serve advertising.

    Soon, people will break into servers to drop bitcoin miners on them.

    I guess now we know where the real money is: ad impressions. What Ad networks serve ads to the cracker community?

    1. Re:Finally, a reason to compromise servers by raju1kabir · · Score: 1

      Soon, people will break into servers to drop bitcoin miners on them.

      Already happening.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  10. Detection by Bert64 · · Score: 2

    Surely detection is pretty easy if the httpd binary has been modified, most distributions already have features to check the binaries on a system against known checksum lists from the packages they were installed from, so a modified httpd would stick out like a sore thumb.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  11. Re: Apache sucks by Anonymous Coward · · Score: 1

    This is the most ignorant statement I have ever seen on slashdot.

  12. Bad sysadmins by Anonymous Coward · · Score: 1

    Given that you didn't mention what tools you could use to compare the checksums to the package tells me that you, and most others aren't checking packages on a regular basis.

    1. Re:Bad sysadmins by Bert64 · · Score: 2

      Because they are distribution specific...

      rpm -V
      debsums
      equery check

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  13. Not really a backdoor in Apache by Anonymous Coward · · Score: 1

    We also don’t have enough information to pinpoint how those servers are initially being hacked, but we are thinking through SSHD-based brute force attacks.

    They didn't really find a backdoor in Apache, rather they found a modified httpd with some interesting new features installed on otherwise compromised servers. It's not an Apache problem. If you keep your servers secure in first place, you won't have this problem.

  14. Just off the top of my head... by DrYak · · Score: 3, Informative

    rkhunter and chkrootkit as a quick example.
    two tools which are more or less set and forget, and which also target workstation users.
    (Done in background periodically, no interaction required, except running a small command after an update to avoid triggering false positive in one case)

    Probably hundreds of sysadmin-oriented tools can do it too.

    (checking files for modification is a very sane step to protect against corruption and possible compromise)

    having the /usr mount read-only and only /var, /tmp & co read-write is a rather sane measure which is also widespread (not only on big server farms, on the technical grounds that the /usr might be served over the network. but even some smartphones do it, webOS for example)

    On the other hand, a trojan targeting Linux is a proof that Linux servers *are* a very valuable infection target, and lower market share at the desktop isn't the only valid argument explaining the scarcity of Linux viruses.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  15. Re:http://www.linuxadvocates.com/p/support.html by Anonymous Coward · · Score: 0

    I rather preferred the APK spam.

  16. chattr +i anyone? by MoFoQ · · Score: 1

    chattr +i anyone?

    just unchattr when you need to update httpd/apache

    more interesting is where the hole/holes are in cpanel

    1. Re:chattr +i anyone? by Anonymous Coward · · Score: 1

      Interestingly enough the modified httpd is apparently write protected the same way. At least according to a google translation of a new article referenced from the wikipedia article on cPanel. http://en.wikipedia.org/wiki/CPanel#cite_note-11

    2. Re:chattr +i anyone? by MoFoQ · · Score: 1

      interesting, the backdoor uses chattr

    3. Re:chattr +i anyone? by anyanka · · Score: 1

      Which of course makes for easy detection (lsattr -R), if you don't use chattr yourself.

    4. Re:chattr +i anyone? by xenobyte · · Score: 1

      Which of course makes for easy detection (lsattr -R), if you don't use chattr yourself.

      Exactly. Almost all rooted servers I've seen have the modified binaries (that hide things) made immutable. Insanely stupid. I don't know anyone that uses immutability for anything under normal circumstances so immutable files will stand out.

      A daily scan like this:

      find / -type f -exec lsattr -a {} \; | grep -- '----i'

      will find all immutable files on your system.

      Run it from a crontab and you'll get notified by mail. It produces no output when it doesn't find anything so you'll only get a mail when something is found.

      Of course a rootkit may also modify lsattr and chattr but I've never heard of that (yet).

      --
      "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
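
Added example, not the poster's code: the same daily immutable-file scan, but reading the flag field of each `lsattr` line instead of grepping the whole line, so a path that happens to contain `----i`, or a file with another flag set ahead of `i`, does not skew the result. The function names and the optional allowlist file are assumptions; the sample `lsattr` lines in the comments are constructed.

```shell
#!/bin/sh
# Added example: report files carrying the immutable (i) attribute.
# Constructed sample of what lsattr prints, one "flags path" pair per line:
#   ----i---------e------- /usr/local/apache/bin/httpd
#   --------------e------- /usr/local/apache/bin/apachectl

# immutable_paths: read lsattr output on stdin, print paths whose flag field
# contains a lowercase "i", whatever its position or the other flags set.
immutable_paths() {
    awk '{
        flags = $1
        if (flags ~ /^[-A-Za-z]+$/ && index(flags, "i") > 0) {
            sub(/^[^ ]+ +/, "")   # drop the flag field, keep the path and its spaces
            print
        }
    }'
}

# scan_immutable ROOT [ALLOWLIST]: list immutable regular files under ROOT,
# minus exact paths listed in ALLOWLIST (files you set +i on yourself).
# Prints nothing when clean, so cron only sends mail when something is found.
scan_immutable() {
    allow=${2:-/dev/null}
    find "$1" -xdev -type f -exec lsattr -- {} + 2>/dev/null |
        immutable_paths | grep -v -x -F -f "$allow" || true
}

# Usage: script scan [ROOT] [ALLOWLIST]
case "${1:-}" in
    scan) scan_immutable "${2:-/}" "${3:-}" ;;
esac
```

As the comment above notes, `lsattr` itself can be replaced on a rooted host, so run the scan with a trusted copy where possible.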
  17. Re:http://www.linuxadvocates.com/p/support.html by RabidReindeer · · Score: 2

    I rather preferred the APK spam.

    At least this is shorter and less offensive to the eye.

    Spam is spam, though.

  18. Re:I used to care about Apache by pmontra · · Score: 1

    Interesting, I didn't know about it. I think they made a mistake but it's a simple one to undo for server administrators as it's a configuration switch. Check at the end of this file. Furthermore it's up to the applications to honor the flag, the web server is just a middleman here, right?

  19. You are the noob by s.petry · · Score: 1

    Read TFA, it tells you that the checksum does not change, but you go ahead and think rpm -V will save you

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:You are the noob by Anonymous Coward · · Score: 0

      TFA actually says that "rpm -V" (or debsums or whatever) doesn't detect it because the vulnerable software is not installed through the package manager, and so is not present in the package database. It's still a modified executable, so tripwire or another host-based intrusion detection system will see it, if it's configured to monitor stuff in /usr/local.

    2. Re:You are the noob by Anonymous Coward · · Score: 0

      I read TFA..and the article they point to and then the article that *that* article points to and none of them say anything about the checksum....EXCEPT...

      http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/

      "We also recommend using debsums for Debian or Ubuntu systems and `rpm –verify` for RPM based systems, to verify the integrity of your Apache web server package installation. (However, remember to temper this advice with the reality that the package manifest could have been altered by an attacker.)"

      That last part may be what you're thinking of but it appears you are the n00b.

      BONUS: CAPTCHA="expert"

    3. Re:You are the noob by Americano · · Score: 1

      Half right. It doesn't say "the checksum doesn't change" - it points out that cPanel doesn't use a packaging system to install apache - and so rpm -V won't detect changes made to files that weren't installed by rpm in the first place.

      Tripwire (or other similar admin tools) can easily detect changes to the binary since a known-good baseline was taken, and report those out to you, as well.

    4. Re:You are the noob by idunham · · Score: 1

      I read and searched TFA (net-security.org and blog.sucuri.net), and the words "sum", "hash", and "checksum" do not occur on either page.

      The closest it comes is saying that the timestamp is the same as the original, and that rpm -V won't work IF you use cPanel--because that's outside the package management system.

      They suggest grepping for open_tty, though it would be possible to circumvent that with upx...
      in which case file would report a corrupted ELF file.

  20. Partial reading of Subject... by Bobfrankly1 · · Score: 1

    "Apache Backdoor in the Wild"

    Am I the only one who initially pictured a rear entrance to a teepee in the countryside?

    1. Re:Partial reading of Subject... by gbkersey · · Score: 0

      Nice... It's about as prevalent as your description :) Thanks!

    2. Re:Partial reading of Subject... by Anonymous Coward · · Score: 0

      "Apache Backdoor in the Wild"

      Am I the only one who initially pictured a rear entrance to a teepee in the countryside?

      Rear entrance, yes. In the countryside, yes. But not to a teepee, no.

  21. Re: Apache sucks by nedlohs · · Score: 1

    Which is irrelevant to the obvious point that this particular item says nothing about whether apache sucks or not.

    But sure, it's not the most ignorant statement that's been posted on slashdot, it's at the top end of the list though.

  22. How does httpd get compromised in the first place? by Anonymous Coward · · Score: 1

    Maybe I missed it, but I don't see any details on how httpd gets compromised in the first place? Is there a zero-day vulnerability in apache that allows itself to be overwritten?

  23. Method of infection? by dgharmon · · Score: 3, Insightful

    "ESET researchers .. have been analyzing a new threat affecting Apache webservers. The threat is a highly advanced and stealthy backdoor .. Researchers have named the backdoor Linux/Cdorked.A, and it is the most sophisticated Apache backdoor seen so far"

    How does this advanced threat get onto the Apache webservers in the first place?

    --
    AccountKiller
  24. Re:http://www.linuxadvocates.com/p/support.html by Anonymous Coward · · Score: 0

    This whole story is inverse-spam, AKA Microsoft FUD.

    I hate this new corporate-friendly Slashdot - it's all just so banal.

  25. Anti-apache FUD, just like darknet by Anonymous Coward · · Score: 1

    What is with the hyper-sensationalized reports of "advanced and stealthy" Apache vulnerabilities lately? First darknet, now Cdorked? It is clearly FUD, as even the least competent systems administrator could confirm.... Neither of these security issues have anything at all to do with Apache except that they target the Apache binaries for modification.

    The only vulnerability here is that for some reason you allowed your server to get rooted. Neither of these attacks can be carried out without root access, and if your server is already rooted, a modified httpd binary could end up being the least of your worries. (I'd be willing to bet you got rooted for a really dumb reason like a bad password, and if so, you probably also have extremely stupid practices like keeping plaintext password lists or private keys on the server...in which case, you just gave your entire infrastructure to some script kiddie.)

  26. Open Source Issues? by kwbauer · · Score: 1

    Isn't Apache Open Source?

    Isn't Open Source the only way to prevent this stuff from getting into the wild?

    Are we totally screwed because our last best hope is hopeless?

    1. Re:Open Source Issues? by ruir · · Score: 1

      As if proprietary software also hasn't bigger problems. Open source is supposed to mitigate these problems, and improve the quality of software.

    2. Re:Open Source Issues? by Anonymous Coward · · Score: 2, Insightful

      Well according to the above comments the vulnerability comes from CPanel, which isn't open source.

    3. Re:Open Source Issues? by John+Hasler · · Score: 1

      They are getting root so that they can install their hacked Apache binary by exploiting holes in Cpanel. Which is closed source.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  27. Re:http://www.linuxadvocates.com/p/support.html by Anonymous Coward · · Score: 0

    Moderators, PLEASE stop modding biters up. A visible biter highlights the invisible troll he's biting and the dumbass stupid enough to respond to a troll should be modded "troll" as well as the troll he's biting. A biter is as bad as a troll!

    I think I'll do a little metamoderating. I hope I run across the ignorant comment I'm responding to.

  28. Sneaky buggers! by Anonymous Coward · · Score: 0

    It is a high level hack........gov't/porn has great programmers

  29. Re:http://www.linuxadvocates.com/p/support.html by Anonymous Coward · · Score: 0

    maybe he's part of the wachootoo tribe... apparently they're biters