Slashdot Mirror


Sophisticated Apache Backdoor In the Wild

An anonymous reader writes "ESET researchers, together with web security firm Sucuri, have been analyzing a new threat affecting Apache webservers. The threat is a highly advanced and stealthy backdoor being used to drive traffic to malicious websites carrying Blackhole exploit packs. Researchers have named the backdoor Linux/Cdorked.A, and it is the most sophisticated Apache backdoor seen so far. The Linux/Cdorked.A backdoor does not leave traces on the hard-disk other than a modified 'httpd' file, the daemon (or service) used by Apache. All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis."

37 of 108 comments

  1. doesn't look so scary by iggymanz · · Score: 5, Insightful

    Only cpanel apaches vulnerable and modified httpd easily found by grep'ing a string?

    *yawn*

    1. Re:doesn't look so scary by Eunuchswear · · Score: 5, Funny

      Yeah, and I'm sure you could fix it with an appropriate hosts file.

      --
      Watch this Heartland Institute video
    2. Re:doesn't look so scary by Anonymous Coward · · Score: 3, Interesting

      No, all apaches are vulnerable - if the binary is replaced in this way. cPanel doesn't use packaged binaries for apache, and therefore you can't spot if you've been hacked *by simple use of the package manager*.

    3. Re:doesn't look so scary by The+Mighty+Buzzard · · Score: 4, Insightful

      All everything is vulnerable if the binary is replaced. There's exactly jack and shit sophisticated about replacing binaries.

      --
      Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.
    4. Re:doesn't look so scary by KiloByte · · Score: 4, Insightful

      It's a cpanel vulnerability, Apache is merely modified by the payload to help it spread. Seriously, giving a web server process root -- what the hell are those guys thinking?

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    5. Re:doesn't look so scary by Lumpy · · Score: 3, Insightful

      Bingo.

      That is why this thing is overhyped. Yes it's a problem but only on grossly misconfigured servers. They might as well left the Root password as "password"

      --
      Do not look at laser with remaining good eye.
    6. Re:doesn't look so scary by Anonymous Coward · · Score: 4, Funny

      They might as well left the Root password as "password"

      You can change it ???

    7. Re: doesn't look so scary by s.petry · · Score: 2

      According to the threads I read, all are vulnerable. Since the binary is not changed on disk, validating checksums won't detect this. They really did not go into much detail in any of the reading I got following TFA three levels deep. No versions, no rigs, no mods, etc. Did you read outside of TFA that it was cPanel only? Sittin in the dr office now, have to read more when back at the office.

      --
      The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    8. Re:doesn't look so scary by Anonymous Coward · · Score: 2, Funny

      "incorrect" is a much better choice, that way the system reminds you if you forget it

    9. Re:doesn't look so scary by Anonymous Coward · · Score: 5, Funny

      They might as well left the Root password as "password"

      You can change it ???

      Don't worry, I already did it for you!

    10. Re:doesn't look so scary by IMightB · · Score: 2

      I worked at an ISP using cPanel for a couple hundred shared servers... Let me just say that cPanel is the biggest hunk of crap out there. It is poorly written with no attention paid to security. It is squarely aimed at end-users who have no clue about system administration and has a penchant for letting those same people shoot themselves in the foot as often as possible. cPanel, for instance, lets you format/partition hard drives via the GUI without much in the way of instructions or warnings regarding the potential consequences of this action. We had many calls from people who claimed to have done nothing to their servers but it turned out that they were trying to free up space and formatted /var or /. We often joked that we should create a page in the GUI with a big red button that says "Do NOT push" that would add an iptables rule to drop all connections from that IP and wait for the hilarity to commence.

    11. Re:doesn't look so scary by ebno-10db · · Score: 3, Funny

      They might as well left the Root password as "password"

      You can change it ???

      Yes, but it's a bad idea. Think of changed passwords as security through obscurity.

  2. Does it hurt? by geek · · Score: 5, Funny

    Getting Cdorked in the backdoor sounds painful.

    1. Re:Does it hurt? by PacketScan · · Score: 2
  3. Another Link by Anonymous Coward · · Score: 4, Informative

    Here's another link about this issue.

    Seems systems with cPanel installed are getting hit with this. Better get a hash of your current apache executable so you can easily check it down the road.

  4. Wow by Dr.+Evil · · Score: 4, Insightful

    "other than a modified 'httpd' file,"

    It's completely invisible, as long as you're blind.

    1. Re:Wow by Synerg1y · · Score: 4, Insightful

      when was the last time you checked your httpd file?

    2. Re:Wow by Poeli · · Score: 4, Informative

      rpm -V httpd ?

      Not that difficult to put in a cron job.

    3. Re:Wow by ArchieBunker · · Score: 3, Interesting

      Who even does that in the first place? OpenBSD gives you a daily email containing all changes to config files that have occurred.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    4. Re:Wow by lky · · Score: 5, Informative

      when was the last time you checked your httpd file?

      If you're using tripwire or another similar tool and it's properly configured, then you should be notified of file changes.

      As long as you're paying attention, this doesn't seem like much of an issue.

    5. Re:Wow by Qzukk · · Score: 2

      And I liked how they left out whatever it inserts (or deletes from) the httpd.conf file

      On cPanel-based servers, instead of adding modules or modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one.

      So tell us what exactly it inserts (or deletes from) the httpd.conf file without modifying the Apache configuration?

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    6. Re:Wow by larry+bagina · · Score: 5, Informative

      httpd isn't a config file; it's the apache executable. Tripwire or other such utilities would catch it.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    7. Re:Wow by Americano · · Score: 2

      rpm -V also checks the MD5 sum of the file - if it's been modified, it should flag a difference in checksums, even if every other bit of metadata is the same.

      That said, it's quite easy to believe that lots of people aren't running "rpm -V httpd" regularly on their Linux servers, so all the people responding "DUH, NOOBZ" just sound like dicks. Next time, they should probably try showing off their deep knowledge of rpm by helpfully suggesting "rpm -V will find this, and you should be running this on all your systems regularly," rather than shitting up the comment thread with "I'm not vulnerable, anybody who is must be a fucking idiot."

    8. Re:Wow by ShaunC · · Score: 5, Informative

      rpm -V httpd ?

      That won't work for this particular attack surface, because cPanel installs Apache itself and doesn't use a package manager. As far as rpm is concerned, Apache isn't installed to verify.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    9. Re:Wow by h4rr4r · · Score: 5, Insightful

      The solution to this is be a big boy and don't use cPanel.

    10. Re:Wow by El_Muerte_TDS · · Score: 2

      when was the last time you checked your httpd file?

      This morning, debsums and rkhunter didn't report anything that requires attention.

    11. Re:Wow by c0lo · · Score: 3, Informative

      rpm -V httpd ?

      Not that difficult to put in a cron job.

      Cited FA:

      In our previous posts, we recommended the utilization of tools like “rpm -Va” or “rpm -qf” or “dpkg -S” to see if the Apache modules were modified. However, those techniques won’t work against this backdoor. Since cPanel installs Apache inside /usr/local/apache and does not utilize the package managers, there is no single and simple command to detect if the Apache binary was modified.

      Yeah, you'd be vulnerable if your apache installation is done using cpanel (as many hosting providers are).

      --
      Questions raise, answers kill. Raise questions to stay alive.
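The two practical suggestions in this thread ("get a hash of your current apache executable so you can easily check it down the road" and the cited article's point that a cPanel-built Apache under /usr/local/apache has no package manager to verify it against) can be combined into a small baseline-and-verify script. The script below is an added example written for this page; it is not code from Slashdot, ESET, Sucuri or cPanel. The path /usr/local/apache/bin/httpd and the baseline file location are assumptions, overridable through environment variables, and the demo mode works on constructed temporary files rather than a real httpd so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the thread or the cited article): record a SHA-256
# baseline of an Apache binary that no package manager knows about, then
# verify it later from cron. Paths below are assumptions; override via env.
HTTPD_PATH="${HTTPD_PATH:-/usr/local/apache/bin/httpd}"
BASELINE="${BASELINE:-/var/lib/httpd-baseline.sha256}"

# Hash a file with whichever SHA-256 tool the box has (sha256sum or shasum).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Store the hash of a known-good binary. Keep a copy of the baseline off the
# server as well: an attacker who already has root can rewrite a local one.
record_baseline() {
    file_sha256 "$1" > "$2"
}

# Compare the current hash against the baseline.
# Returns 0 if unchanged, 1 if the binary differs or is missing, 2 if there is
# no baseline to compare against.
verify_baseline() {
    [ -f "$2" ] || return 2
    [ -f "$1" ] || return 1
    expected=$(cat "$2")
    actual=$(file_sha256 "$1")
    [ "$expected" = "$actual" ]
}

# Demonstration on constructed files (stand-ins for httpd, not a real binary):
# run as `sh check_httpd.sh demo`.
demo() {
    dir=$(mktemp -d)
    printf 'constructed stand-in for a good httpd binary\n' > "$dir/httpd"
    record_baseline "$dir/httpd" "$dir/httpd.sha256"
    verify_baseline "$dir/httpd" "$dir/httpd.sha256" && echo "unchanged: OK"
    printf 'constructed stand-in for a replaced httpd binary\n' > "$dir/httpd"
    verify_baseline "$dir/httpd" "$dir/httpd.sha256" || echo "CHANGED: httpd differs from baseline (rc=$?)"
    rm -rf "$dir"
}

case "${1:-}" in
    demo)   demo ;;
    record) record_baseline "$HTTPD_PATH" "$BASELINE" ;;
    verify) verify_baseline "$HTTPD_PATH" "$BASELINE" ;;
esac
```

Run `record` once right after a clean build or upgrade of Apache (and again after every legitimate rebuild, which is the false-positive case the rkhunter comment below alludes to), then run `verify` from cron and alert on any non-zero exit. The check only tells you the file on disk changed; it says nothing about a process that was patched in memory, which is why the baseline belongs in an integrity tool or off-box copy rather than on the same disk the attacker controls.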
  5. It's bad, but is this really a back-door? by dmomo · · Score: 4, Interesting

    This looks like a module for apache that, while sinister and clever, must be installed like any other module. Presumably, unless I'm missing something, this requires root access. If this so called "back door" (debatable) is on a system where it shouldn't be there is a bigger question on how was access to install it obtained in the first place.

    1. Re:It's bad, but is this really a back-door? by Nyder · · Score: 2

      This looks like a module for apache that, while sinister and clever, must be installed like any other module. Presumably, unless I'm missing something, this requires root access. If this so called "back door" (debatable) is on a system where it shouldn't be there is a bigger question on how was access to install it obtained in the first place.

      Yes, sort of confusing. What I gained from the various articles is that by visiting a malicious webpage on a compromised server, it will try to install the backdoor through whatever methods it has. What they aren't that specific on is how they manage to replace the apache executable. But since it seems there isn't a standard way to tell if apache is infected, that is sort of stupid.

      But other then that, it sounds a bit clever.

      --
      Be seeing you...
    2. Re:It's bad, but is this really a back-door? by dmomo · · Score: 2

      I did. I probably over-read because I got caught up in 3 other articles about the subject. I'm sorry about the confusion. My main point stands. The real issue is that this requires an insecure system in the first place.

  6. Does not leave traces on the hard-disk... by Anonymous Coward · · Score: 2, Insightful

    other than a modified 'httpd' file.

    That seems like a pretty significant trace. Check the MD5 yourself. You can check it with 'debsums', you don't even have to set it up unlike tripwire.

  7. Detection by Bert64 · · Score: 2

    Surely detection is pretty easy if the httpd binary has been modified, most distributions already have features to check the binaries on a system against known checksum lists from the packages they were installed from, so a modified httpd would stick out like a sore thumb.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  8. Just off the top of my head... by DrYak · · Score: 3, Informative

    rkhunter and chkrootkit as a quick example.
    Two tools which are more or less set and forget, and which also target workstation users.
    (Done in the background periodically, no interaction required, except running a small command after an update to avoid triggering a false positive in one case)

    Probably hundreds of sysadmin-oriented tools can do it too.

    (Checking files for modification is a very sane step to protect against corruption and possible compromise)

    Having the /usr mount read-only and only /var, /tmp & co read-write is a rather sane measure which is also widespread (not only on big server farms, on the technical grounds that /usr might be served over the network, but even some smart-phones do it, webOS for example)

    On the other hand, a trojan targeting Linux is proof that Linux servers *are* a very valuable infection target, and lower market share on the desktop isn't the only valid argument explaining the scarcity of Linux viruses.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  9. Re:http://www.linuxadvocates.com/p/support.html by RabidReindeer · · Score: 2

    I rather preferred the APK spam.

    At least this is shorter and less offensive to the eye.

    Spam is spam, though.

  10. Method of infection? by dgharmon · · Score: 3, Insightful

    "ESET researchers .. have been analyzing a new threat affecting Apache webservers. The threat is a highly advanced and stealthy backdoor .. Researchers have named the backdoor Linux/Cdorked.A, and it is the most sophisticated Apache backdoor seen so far"

    How does this advanced threat get onto the Apache webservers in the first place?

    --
    AccountKiller
  11. Re:Open Source Issues? by Anonymous Coward · · Score: 2, Insightful

    Well according to the above comments the vulnerability comes from CPanel, which isn't open source.

  12. Re:Bad sysadmins by Bert64 · · Score: 2

    Because they are distribution specific...

    rpm -V
    debsums
    equery check

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!