Slashdot Mirror


Sophisticated Apache Backdoor In the Wild

An anonymous reader writes "ESET researchers, together with web security firm Sucuri, have been analyzing a new threat affecting Apache webservers. The threat is a highly advanced and stealthy backdoor being used to drive traffic to malicious websites carrying Blackhole exploit packs. Researchers have named the backdoor Linux/Cdorked.A, and it is the most sophisticated Apache backdoor seen so far. The Linux/Cdorked.A backdoor does not leave traces on the hard-disk other than a modified 'httpd' file, the daemon (or service) used by Apache. All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis."

16 of 108 comments

  1. doesn't look so scary by iggymanz · · Score: 5, Insightful

    Only cpanel apaches vulnerable and modified httpd easily found by grep'ing a string?

    *yawn*

    1. Re:doesn't look so scary by Eunuchswear · · Score: 5, Funny

      Yeah, and I'm sure you could fix it with an appropriate hosts file.

      --
      Watch this Heartland Institute video
    2. Re:doesn't look so scary by The+Mighty+Buzzard · · Score: 4, Insightful

      Everything is vulnerable if the binary is replaced. There's exactly jack and shit sophisticated about replacing binaries.

      --
      Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.
    3. Re:doesn't look so scary by KiloByte · · Score: 4, Insightful

      It's a cpanel vulnerability, Apache is merely modified by the payload to help it spread. Seriously, giving a web server process root -- what the hell are those guys thinking?

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    4. Re:doesn't look so scary by Anonymous Coward · · Score: 4, Funny

      They might as well have left the Root password as "password"

      You can change it ???

    5. Re:doesn't look so scary by Anonymous Coward · · Score: 5, Funny

      They might as well have left the Root password as "password"

      You can change it ???

      Don't worry, I already did it for you!

  2. Does it hurt? by geek · · Score: 5, Funny

    Getting Cdorked in the backdoor sounds painful.

  3. Another Link by Anonymous Coward · · Score: 4, Informative

    Here's another link about this issue.

    Seems systems with cPanel installed are getting hit with this. Better get a hash of your current apache executable so you can easily check it down the road.

  4. Wow by Dr.+Evil · · Score: 4, Insightful

    "other than a modified 'httpd' file,"

    It's completely invisible, as long as you're blind.

    1. Re:Wow by Synerg1y · · Score: 4, Insightful

      when was the last time you checked your httpd file?

    2. Re:Wow by Poeli · · Score: 4, Informative

      rpm -V httpd ?

      Not that difficult to put in a cron job.

    3. Re:Wow by lky · · Score: 5, Informative

      when was the last time you checked your httpd file?

      If you're using tripwire or another similar tool and its properly configured, then you should be notified of file changes.

      As long as you're paying attention, this doesn't seem like much of an issue.

    4. Re:Wow by larry+bagina · · Score: 5, Informative

      httpd isn't a config file; it's the apache executable. Tripwire or other such utilities would catch it.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    5. Re:Wow by ShaunC · · Score: 5, Informative

      rpm -V httpd ?

      That won't work for this particular attack surface, because cPanel installs Apache itself and doesn't use a package manager. As far as rpm is concerned, Apache isn't installed to verify.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
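The two points made above (keep a hash of the httpd binary so it can be re-checked later, and `rpm -V` tells you nothing when cPanel's Apache is not owned by any package) can be combined into one cron-friendly check. The script below is an added example, not code from the thread or from ESET/Sucuri: it asks the package manager whether it owns the file, records a SHA-256 baseline of the binary, and later re-verifies it, failing when the file changed. The paths under a temporary directory and the "httpd" contents are constructed for the demonstration; the real binary location (for cPanel builds often `/usr/local/apache/bin/httpd`) is an assumption you would replace, and the manifest should live where the web server cannot write it.

```shell
#!/bin/sh
# Added example (not from the thread, ESET or Sucuri): baseline and re-verify
# the SHA-256 of a web server binary so a replaced httpd is noticed even when
# no package manager owns the file (the cPanel case discussed above).
# Everything under the mktemp directory is constructed for this demo.

set -u

# Can rpm vouch for this file? Returns 0 if an owning package exists (so
# `rpm -V` is meaningful), 1 if rpm is absent or the file is unpackaged.
pkg_owned() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -qf "$1" >/dev/null 2>&1
}

# Record SHA-256 digests of the given files into a manifest.
# Usage: baseline_binaries MANIFEST FILE...
baseline_binaries() {
    manifest=$1; shift
    sha256sum "$@" > "$manifest"
}

# Re-check every file listed in the manifest. Returns 0 when all digests
# match, 1 when any file changed, is missing, or the manifest is malformed.
# Output is silenced so cron can act on the exit code alone.
verify_binaries() {
    sha256sum --check --strict "$1" >/dev/null 2>&1
}

# Walk through the workflow on a constructed stand-in for httpd and report
# three words: package ownership, first verification, second verification.
demo() {
    work=$(mktemp -d)
    bin="$work/httpd"              # assumed path; stands in for the Apache binary
    manifest="$work/httpd.sha256"  # keep this somewhere httpd cannot write in practice

    printf 'original httpd bytes\n' > "$bin"
    pkg_owned "$bin" && owner=packaged || owner=unpackaged

    baseline_binaries "$manifest" "$bin"
    verify_binaries "$manifest" && first=clean || first=modified

    # Simulate the backdoor replacing the binary in place.
    printf 'trojaned httpd bytes\n' > "$bin"
    verify_binaries "$manifest" && second=clean || second=modified

    rm -rf "$work"
    echo "$owner $first $second"
}
```

Run `demo` once to see the sequence; in production you would call `baseline_binaries` once after a known-good install or upgrade and put `verify_binaries` in cron, mailing or logging on a non-zero exit. The `pkg_owned` check is what tells you whether `rpm -V` is an option at all on a given host.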
    6. Re:Wow by h4rr4r · · Score: 5, Insightful

      The solution to this is be a big boy and don't use cPanel.

  5. It's bad, but is this really a back-door? by dmomo · · Score: 4, Interesting

    This looks like a module for apache that, while sinister and clever, must be installed like any other module. Presumably, unless I'm missing something, this requires root access. If this so-called "back door" (debatable) is on a system where it shouldn't be, there is a bigger question of how access to install it was obtained in the first place.