Slashdot Mirror


Sophisticated Apache Backdoor In the Wild

An anonymous reader writes "ESET researchers, together with web security firm Sucuri, have been analyzing a new threat affecting Apache webservers. The threat is a highly advanced and stealthy backdoor being used to drive traffic to malicious websites carrying Blackhole exploit packs. Researchers have named the backdoor Linux/Cdorked.A, and it is the most sophisticated Apache backdoor seen so far. The Linux/Cdorked.A backdoor does not leave traces on the hard-disk other than a modified 'httpd' file, the daemon (or service) used by Apache. All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis."

10 of 108 comments

  1. doesn't look so scary by iggymanz · Score: 5, Insightful

    Only cpanel apaches vulnerable and modified httpd easily found by grep'ing a string?

    *yawn*

    1. Re:doesn't look so scary by The Mighty Buzzard · Score: 4, Insightful

      Everything is vulnerable if the binary is replaced. There's exactly jack and shit sophisticated about replacing binaries.

      --
      Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.
    2. Re:doesn't look so scary by KiloByte · Score: 4, Insightful

      It's a cpanel vulnerability, Apache is merely modified by the payload to help it spread. Seriously, giving a web server process root -- what the hell are those guys thinking?

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:doesn't look so scary by Lumpy · Score: 3, Insightful

      Bingo.

      That is why this thing is overhyped. Yes, it's a problem, but only on grossly misconfigured servers. They might as well have left the root password as "password".

      --
      Do not look at laser with remaining good eye.
  2. Wow by Dr. Evil · Score: 4, Insightful

    "other than a modified 'httpd' file,"

    It's completely invisible, as long as you're blind.

    1. Re:Wow by Synerg1y · Score: 4, Insightful

      When was the last time you checked your httpd file?

    2. Re:Wow by h4rr4r · Score: 5, Insightful

      The solution to this is be a big boy and don't use cPanel.

  3. Does not leave traces on the hard-disk... by Anonymous Coward · Score: 2, Insightful

    other than a modified 'httpd' file.

    That seems like a pretty significant trace. Check the MD5 yourself. You can check it with 'debsums', you don't even have to set it up unlike tripwire.
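
A concrete version of the check this comment and the earlier "grep'ing a string" remark describe, added here as an example and not taken from the article, from ESET or Sucuri, or from any distribution tool: record a SHA-256 baseline of the httpd binary while it is trusted, compare against it later, and grep the binary for a marker string. On a packaged install the equivalent is `debsums -c` (Debian) or `rpm -V httpd` (RPM-based), which compare against the package's own file manifest. The marker string is an assumption: the thread only says the modified binary can be found by grepping for "a string", so it is read from an environment variable with a dummy default.

```shell
#!/bin/sh
# Added example, not from the article or the ESET/Sucuri analysis.
# Baseline-and-compare integrity check for an Apache httpd binary, the manual
# equivalent of what 'debsums -c' or 'rpm -V httpd' do from package metadata.
# CDORKED_MARKER is an assumption: the thread only says the modified binary
# can be found by grepping for "a string", so the marker is a placeholder here.

MARKER="${CDORKED_MARKER:-PLACEHOLDER_MARKER}"

# record_baseline BIN MANIFEST
# Save the SHA-256 of a binary you trust (do this right after install, and
# keep the manifest off the server, since an attacker with root can edit it).
record_baseline() {
    sha256sum "$1" > "$2"
}

# check_hash BIN MANIFEST
# Returns 0 if BIN still hashes to the recorded value, 1 if it differs.
check_hash() {
    expected=$(awk '{print $1; exit}' "$2")
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# check_marker BIN
# Returns 0 if the marker string is absent from the binary, 1 if present.
# -a treats the file as text so grep searches past NUL bytes in an ELF binary.
check_marker() {
    if grep -a -q -- "$MARKER" "$1"; then
        return 1
    fi
    return 0
}

# audit_httpd BIN MANIFEST
# Runs both checks, reports each failure on stderr, returns 0 clean / 1 tampered.
audit_httpd() {
    rc=0
    if ! check_hash "$1" "$2"; then
        echo "FAIL: $1 does not match the recorded SHA-256" >&2
        rc=1
    fi
    if ! check_marker "$1"; then
        echo "FAIL: marker string '$MARKER' found in $1" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed demonstration on fake files in a temp dir (no real httpd needed).
demo() {
    tmp=$(mktemp -d)
    printf 'pretend this is a clean httpd\n' > "$tmp/httpd"
    record_baseline "$tmp/httpd" "$tmp/httpd.sha256"
    cp "$tmp/httpd" "$tmp/httpd.backdoored"
    printf '%s\n' "$MARKER" >> "$tmp/httpd.backdoored"

    audit_httpd "$tmp/httpd" "$tmp/httpd.sha256" && echo "clean binary: OK"
    audit_httpd "$tmp/httpd.backdoored" "$tmp/httpd.sha256" || echo "backdoored binary: flagged"
    rm -rf "$tmp"
}

demo
```

Two caveats a practitioner would add: a file hash only catches the on-disk change, so the configuration the summary says lives in shared memory is invisible to it (`ipcs -m` lists the segments, but inspecting one needs a separate dump of its contents); and once an attacker has root on the box, both the manifest and the tools used to check it are suspect, which is why the baseline should be kept and compared from elsewhere.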

  4. Method of infection? by dgharmon · Score: 3, Insightful

    "ESET researchers .. have been analyzing a new threat affecting Apache webservers. The threat is a highly advanced and stealthy backdoor .. Researchers have named the backdoor Linux/Cdorked.A, and it is the most sophisticated Apache backdoor seen so far"

    How does this advanced threat get onto the Apache webservers in the first place?

    --
    AccountKiller
  5. Re:Open Source Issues? by Anonymous Coward · Score: 2, Insightful

    Well according to the above comments the vulnerability comes from CPanel, which isn't open source.