Backdoor Targeting Apache Servers Spreads To Nginx, Lighttpd

An anonymous reader writes "Last week's revelation of the existence of Linux/Cdorked.A, a highly advanced and stealthy Apache backdoor used to drive traffic from legitimate compromised sites to malicious websites carrying Blackhole exploit packs, was only the beginning — ESET's continuing investigation has now revealed that the backdoor also infects sites running the nginx and Lighttpd webservers. Researchers have, so far, detected more than 400 webservers infected with the backdoor, and 50 of them are among the world's most popular and visited websites." Here's the researchers' original report.

Re:And they still don't know the initial vector

[lgftsa]

Worried about exposed sshd? Install pam-abl and watch the brute force attackers waste their time. With my config, three failures from any IP address in an hour (or 6 per day) and that IP is locked out for a week through PAM. They can still try, of course, but even if they somehow guess the correct password, it must be in their first three guesses each week.

There's no indication to the attacker that pam-abl is there, and there's very little chance of a DOS attack against legitimate logins.

Oh, and you've denied root logins from the internet, haven't you?

Warning: Source tarball, but if I debian-ized it, then anyone can.