Slashdot Mirror


Sophisticated Apache Backdoor In the Wild

An anonymous reader writes "ESET researchers, together with web security firm Sucuri, have been analyzing a new threat affecting Apache webservers. The threat is a highly advanced and stealthy backdoor being used to drive traffic to malicious websites carrying Blackhole exploit packs. Researchers have named the backdoor Linux/Cdorked.A, and it is the most sophisticated Apache backdoor seen so far. The Linux/Cdorked.A backdoor does not leave traces on the hard-disk other than a modified 'httpd' file, the daemon (or service) used by Apache. All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis."
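The summary's detection-relevant point is that the only on-disk artifact is a modified httpd binary, with the rest of the state living in shared memory. The script below is an added example (not from the article, ESET or Sucuri) of the defensive check that follows from that: record a hash of the daemon on a known-clean host, compare it later, and list System V shared memory segments so an unexplained segment owned by the web server user stands out. The paths and the baseline-file layout are assumptions for the example, not anything the article specifies.

```shell
#!/bin/sh
# Added example: integrity baseline for the Apache daemon plus a shared-memory listing.
# Assumptions (not from the article): the daemon lives at a path such as /usr/sbin/httpd,
# and the baseline is a one-line file holding its SHA-256, kept off the monitored host.

sha256_of() {
    # Print the SHA-256 of a file; prefer coreutils, fall back to openssl.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

record_baseline() {
    # usage: record_baseline /path/to/httpd baseline.txt
    # Run once on a host you trust, then store baseline.txt somewhere the host cannot rewrite.
    sha256_of "$1" > "$2"
}

check_against_baseline() {
    # usage: check_against_baseline /path/to/httpd baseline.txt
    # Returns 0 while the binary matches the recorded hash, 1 once it has been replaced.
    expected=$(cat "$2")
    actual=$(sha256_of "$1")
    [ "$expected" = "$actual" ]
}

list_shared_memory() {
    # The backdoor keeps its state in shared memory; ipcs -m shows each SysV segment
    # with its owner, size and attach count, so a segment owned by the web server
    # user that no deployed application accounts for is the thing to investigate.
    ipcs -m 2>/dev/null
}

# Stand-alone run: ./check_httpd.sh /usr/sbin/httpd /secure/baseline.txt
if [ $# -ge 2 ]; then
    if check_against_baseline "$1" "$2"; then
        echo "OK: $1 matches recorded baseline"
    else
        echo "ALERT: $1 differs from recorded baseline" >&2
    fi
    list_shared_memory
fi
```

On a packaged install the same comparison is already available from the package manager (`rpm -V httpd` on RPM systems, `dpkg --verify apache2` on Debian-derived ones), which is the better first check because the reference hashes come from the distribution rather than from the host itself. A hash comparison also catches replacements that a grep for one known string would miss, since the string only identifies one sample.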

8 of 108 comments

1. doesn't look so scary by iggymanz · Score: 5, Insightful

    Only cpanel apaches vulnerable and modified httpd easily found by grep'ing a string?

    *yawn*

1. Re:doesn't look so scary by The Mighty Buzzard · Score: 4, Insightful

      All everything is vulnerable if the binary is replaced. There's exactly jack and shit sophisticated about replacing binaries.

      --
      Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.
2. Re:doesn't look so scary by KiloByte · Score: 4, Insightful

      It's a cpanel vulnerability, Apache is merely modified by the payload to help it spread. Seriously, giving a web server process root -- what the hell are those guys thinking?

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
3. Re:doesn't look so scary by Lumpy · Score: 3, Insightful

      Bingo.

That is why this thing is overhyped. Yes it's a problem, but only on grossly misconfigured servers. They might as well have left the root password as "password".

      --
      Do not look at laser with remaining good eye.
2. Wow by Dr. Evil · Score: 4, Insightful

    "other than a modified 'httpd' file,"

    It's completely invisible, as long as you're blind.

1. Re:Wow by Synerg1y · Score: 4, Insightful

When was the last time you checked your httpd file?

2. Re:Wow by h4rr4r · Score: 5, Insightful

      The solution to this is be a big boy and don't use cPanel.

3. Method of infection? by dgharmon · Score: 3, Insightful

    "ESET researchers .. have been analyzing a new threat affecting Apache webservers. The threat is a highly advanced and stealthy backdoor .. Researchers have named the backdoor Linux/Cdorked.A, and it is the most sophisticated Apache backdoor seen so far"

    How does this advanced threat get onto the Apache webservers in the first place?

    --
    AccountKiller