Backdoor Targeting Apache Servers Spreads To Nginx, Lighttpd
An anonymous reader writes "Last week's revelation of the existence of Linux/Cdorked.A, a highly advanced and stealthy Apache backdoor used to drive traffic from legitimate compromised sites to malicious websites carrying Blackhole exploit packs, was only the beginning — ESET's continuing investigation has now revealed that the backdoor also infects sites running the nginx and Lighttpd webservers. Researchers have, so far, detected more than 400 webservers infected with the backdoor, and 50 of them are among the world's most popular and visited websites." Here's the researchers' original report.
Are you referring to the HTTP headers that identify the server version? If so then yes, it is a stupid question since every webserver which I have ever configured has had an option to turn that off. Not that I ever bothered; if it were so useful, it would be turned off by default.
Fingerprinting doesn't take that long, especially for well-known services. Might be of some use if you really need to run something obscure. In any case, even if they don't know whether you are vulnerable, how long does it take to find out? Little use there.
"I opened my eyes, and everything went dark again"
Why isn't there a list of infected sites? Avoiding them would seem to be a priority.
Only on
The actual quote is, "50 are ranked in Alexa’s top 100,000 most popular websites." Quite different from the summary, but it would still be interesting to know.
You can download a fix here.
Worried about exposed sshd? Install pam-abl and watch the brute force attackers waste their time. With my config, three failures from any IP address in an hour (or 6 per day) and that IP is locked out for a week through PAM. They can still try, of course, but even if they somehow guess the correct password, it must be in their first three guesses each week.
There's no indication to the attacker that pam-abl is there, and there's very little chance of a DOS attack against legitimate logins.
Oh, and you've denied root logins from the internet, haven't you?
Warning: Source tarball, but if I debian-ized it, then anyone can.
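The lockout policy the pam-abl comment above describes (three failures from one address in an hour, or six in a day, and that address is refused for a week) is easy to get subtly wrong, so here is an added worked example of it, written for this page and not taken from pam-abl itself. It models the policy as a per-source-IP adaptive blocklist, replays it over a constructed sshd-style log, and shows the two properties the commenter relies on: the check runs before the password is honoured, so a correct guess from a locked-out address is still refused, and the keying is per source address, so a legitimate user coming from a different IP is unaffected. The log lines, addresses, user names and the one-week fixed lockout are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Policy from the comment: 3 failures in 1h or 6 in 24h trips the block,
# and the block lasts a week. Both thresholds are keyed on the source IP,
# so an attacker hammering from one address cannot lock out a legitimate
# user who logs in from another. (Assumed policy, not pam-abl's own code.)
RULES = [(3, timedelta(hours=1)), (6, timedelta(days=1))]
LOCKOUT = timedelta(weeks=1)


class AdaptiveBlocklist:
    def __init__(self, rules=RULES, lockout=LOCKOUT):
        self.rules = rules
        self.lockout = lockout
        self.failures = defaultdict(list)  # ip -> timestamps of failed attempts
        self.blocked_until = {}            # ip -> datetime at which the lockout ends

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, now) > now

    def _record_failure(self, ip, now):
        # keep only entries that can still matter for the longest window
        horizon = now - max(window for _, window in self.rules)
        self.failures[ip] = [t for t in self.failures[ip] if t > horizon]
        self.failures[ip].append(now)

    def attempt(self, ip, password_ok, now):
        """Decide one login. Returns True if the login is allowed.

        The block check runs before the password is honoured, so a locked-out
        address is refused even with the right password, and that refused
        attempt is itself counted as a failure."""
        if self.is_blocked(ip, now):
            self._record_failure(ip, now)
            return False
        if password_ok:
            return True
        self._record_failure(ip, now)
        for limit, window in self.rules:
            recent = sum(1 for t in self.failures[ip] if t > now - window)
            if recent >= limit:
                self.blocked_until[ip] = now + self.lockout
                break
        return False


# sshd-style lines with an ISO timestamp prefix (constructed for this example).
# "Accepted"/"Failed" here tells us whether the password was right; the policy
# decides whether the login would actually have been admitted.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<verdict>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$")


def replay(lines, blocklist=None):
    """Run log lines through the policy; return (ip, user, allowed) per matching line."""
    bl = blocklist or AdaptiveBlocklist()
    decisions = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated log line
        now = datetime.fromisoformat(m["ts"])
        allowed = bl.attempt(m["ip"], m["verdict"] == "Accepted", now)
        decisions.append((m["ip"], m["user"], allowed))
    return decisions


SAMPLE_LOG = """\
2013-05-07T10:00:01 host sshd[2001]: Failed password for root from 203.0.113.5 port 40210 ssh2
2013-05-07T10:00:04 host sshd[2002]: Failed password for root from 203.0.113.5 port 40211 ssh2
2013-05-07T10:00:07 host sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 40212 ssh2
2013-05-07T10:00:09 host sshd[2004]: Accepted password for alice from 203.0.113.5 port 40213 ssh2
2013-05-07T10:05:00 host sshd[2005]: Accepted password for alice from 198.51.100.9 port 51000 ssh2
2013-05-08T00:00:00 host sshd[3001]: Failed password for root from 192.0.2.77 port 50001 ssh2
2013-05-08T00:31:00 host sshd[3002]: Failed password for root from 192.0.2.77 port 50002 ssh2
2013-05-08T01:02:00 host sshd[3003]: Failed password for root from 192.0.2.77 port 50003 ssh2
2013-05-08T01:33:00 host sshd[3004]: Failed password for root from 192.0.2.77 port 50004 ssh2
2013-05-08T02:04:00 host sshd[3005]: Failed password for root from 192.0.2.77 port 50005 ssh2
2013-05-08T02:35:00 host sshd[3006]: Failed password for root from 192.0.2.77 port 50006 ssh2
2013-05-08T02:36:00 host sshd[3007]: Accepted password for bob from 192.0.2.77 port 50007 ssh2
2013-05-14T10:00:08 host sshd[2006]: Accepted password for alice from 203.0.113.5 port 40214 ssh2
2013-05-14T10:00:10 host sshd[2007]: Accepted password for alice from 203.0.113.5 port 40215 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, user, allowed in replay(SAMPLE_LOG):
        print(f"{ip:14} {user:6} {'allowed' if allowed else 'REFUSED'}")
```

Two things in the replay are worth noticing. 203.0.113.5 trips the three-per-hour rule on its third guess, so the correct password on the fourth attempt is refused and only admitted a week later; meanwhile alice from 198.51.100.9 is never touched. 192.0.2.77 spaces its guesses 31 minutes apart to stay under the hourly limit, but the six-per-day rule catches it on the sixth guess, which is why the policy carries both windows. The companion setting the comment alludes to is `PermitRootLogin no` in sshd_config, which removes the one account name every brute-forcer tries first.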
I knew this was a mistake. Secure my ass. I'm going back to Windows.
I'm a satanic clam.
FreeBSD runs the same software stack, so it would make little difference.
That's why our organization uses a custom server software written in 68K assembly running on MacOS 7.6.1 on a cluster of Quadra 610s.
From Debian 7 release notes:
"Therefore, browsers built upon the webkit, qtwebkit and khtml engines are included in Wheezy, but not covered by security support. These browsers should not be used against untrusted websites. For general web browser use we recommend browsers building on the Mozilla xulrunner engine (Iceweasel and Iceape) or Chromium."
-- http://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#browser-security
What kind of developer thinks that a web server needs a GUI?
Where else are they going to put the ON and OFF buttons?
There is no Planet B.
cPanel is often used to allow web hosting customers to have control over their pay-per-month websites / accounts. If a company allows their customers to create email accounts, enable ssh, etc. on a shared host, this is how it is typically done to reduce the huge overhead of fielding requests for such tasks from every Tom, Dick, and Harry, since you clearly cannot give them root access.
Implementing an idea poorly does not make it a bad idea.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun