Slashdot Mirror


Sophisticated Apache Backdoor In the Wild

An anonymous reader writes "ESET researchers, together with web security firm Sucuri, have been analyzing a new threat affecting Apache webservers. The threat is a highly advanced and stealthy backdoor being used to drive traffic to malicious websites carrying Blackhole exploit packs. Researchers have named the backdoor Linux/Cdorked.A, and it is the most sophisticated Apache backdoor seen so far. The Linux/Cdorked.A backdoor does not leave traces on the hard-disk other than a modified 'httpd' file, the daemon (or service) used by Apache. All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis."

8 of 108 comments

  1. doesn't look so scary by iggymanz · · Score: 5, Insightful

    Only cpanel apaches vulnerable and modified httpd easily found by grep'ing a string?

    *yawn*

    1. Re:doesn't look so scary by Eunuchswear · · Score: 5, Funny

      Yeah, and I'm sure you could fix it with an appropriate hosts file.

      --
      Watch this Heartland Institute video
    2. Re:doesn't look so scary by Anonymous Coward · · Score: 5, Funny

      They might as well have left the Root password as "password"

      You can change it ???

      Don't worry, I already did it for you!

  2. Does it hurt? by geek · · Score: 5, Funny

    Getting Cdorked in the backdoor sounds painful.

  3. Re:Wow by lky · · Score: 5, Informative

    When was the last time you checked your httpd file?

    If you're using tripwire or another similar tool and it's properly configured, then you should be notified of file changes.

    As long as you're paying attention, this doesn't seem like much of an issue.

  4. Re:Wow by larry+bagina · · Score: 5, Informative

    httpd isn't a config file; it's the apache executable. Tripwire or other such utilities would catch it.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  5. Re:Wow by ShaunC · · Score: 5, Informative

    rpm -V httpd ?

    That won't work for this particular attack surface, because cPanel installs Apache itself and doesn't use a package manager. As far as rpm is concerned, Apache isn't installed to verify.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!

  6. Re:Wow by h4rr4r · · Score: 5, Insightful

    The solution to this is be a big boy and don't use cPanel.
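The integrity check the thread keeps circling (tripwire, `rpm -V httpd`, and the cPanel case where rpm knows nothing about the binary), as an added shell example that is not from the thread or from ESET/Sucuri: it asks rpm to verify the file when rpm owns it, and otherwise falls back to a SHA-256 baseline recorded on a known-good system. The binary path and baseline file location are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies the Apache binary (httpd)
# has not been replaced. Paths and the baseline file are assumptions.

# Record a baseline hash of the binary on a system you trust. In practice
# keep the baseline off-host or on read-only media so a modified server
# cannot rewrite it.
record_httpd_baseline() {
    binary="$1"; baseline="$2"
    sha256sum "$binary" | awk '{print $1}' > "$baseline"
}

# Returns 0 when the binary is unchanged, 1 when it differs, 2 when there
# is no baseline to compare against.
check_httpd_integrity() {
    binary="$1"; baseline="$2"
    # Package-managed install: rpm -V prints one line per file whose
    # recorded attributes differ; a '5' in the flags means the digest
    # changed, 'S' the size. Only lines naming our binary matter here.
    if command -v rpm >/dev/null 2>&1 && rpm -qf "$binary" >/dev/null 2>&1; then
        if out=$(rpm -V "$(rpm -qf "$binary")" | grep -F "$binary"); then
            echo "MODIFIED (rpm verify): $out"; return 1
        fi
        echo "OK (rpm verify): $binary"; return 0
    fi
    # Unmanaged install (the cPanel case from the thread): rpm -V cannot
    # help, so compare against the recorded baseline instead.
    [ -r "$baseline" ] || { echo "NO BASELINE for $binary"; return 2; }
    expected=$(cat "$baseline")
    actual=$(sha256sum "$binary" | awk '{print $1}')
    if [ "$expected" = "$actual" ]; then
        echo "OK (baseline): $binary"; return 0
    fi
    echo "MODIFIED (baseline): $binary expected=$expected actual=$actual"
    return 1
}
```

Run `record_httpd_baseline /usr/local/apache/bin/httpd /root/httpd.sha256` once on a clean system, then schedule `check_httpd_integrity` with the same arguments; a non-zero exit is the alert.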