Forgot your password?
typodupeerror
Security Apache

Sophisticated Apache Backdoor In the Wild 108

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes "ESET researchers, together with web security firm Sucuri, have been analyzing a new threat affecting Apache webservers. The threat is a highly advanced and stealthy backdoor being used to drive traffic to malicious websites carrying Blackhole exploit packs. Researchers have named the backdoor Linux/Cdorked.A, and it is the most sophisticated Apache backdoor seen so far. The Linux/Cdorked.A backdoor does not leave traces on the hard-disk other than a modified 'httpd' file, the daemon (or service) used by Apache. All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis."
This discussion has been archived. No new comments can be posted.

Sophisticated Apache Backdoor In the Wild

Comments Filter:
  • by iggymanz (596061) on Monday April 29, 2013 @12:11PM (#43581525)

    Only cpanel apaches vulnerable and modified httpd easily found by grep'ing a string?

    *yawn*

  • by geek (5680) on Monday April 29, 2013 @12:12PM (#43581531) Homepage

    Getting Cdorked in the backdoor sounds painful.

  • Another Link (Score:4, Informative)

    by Anonymous Coward on Monday April 29, 2013 @12:13PM (#43581539)

    Here's another link [welivesecurity.com] about this issue.

    Seems systems with cPanel installed are getting hit with this. Better get a hash of your current apache executable so you can easily check it down the road.

  • Wow (Score:5, Insightful)

    by Dr. Evil (3501) on Monday April 29, 2013 @12:14PM (#43581543)

    "other than a modified 'httpd' file,"

    It's completely invisible, as long as you're blind.

    • Re:Wow (Score:5, Insightful)

      by Synerg1y (2169962) on Monday April 29, 2013 @12:17PM (#43581573)

      when was the last time you checked your httpd file?

      • Re:Wow (Score:4, Informative)

        by Poeli (573204) on Monday April 29, 2013 @12:22PM (#43581607)

        rpm -V httpd ?

        Not that difficult to put in a cron job.

      • Re:Wow (Score:5, Informative)

        by lky (246353) on Monday April 29, 2013 @12:28PM (#43581685)

        when was the last time you checked your httpd file?

        If you're using tripwire or another similar tool and its properly configured, then you should be notified of file changes.

        As long as you're paying attention, this doesn't seem like much of an issue.

      • by DrYak (748999) on Monday April 29, 2013 @12:49PM (#43581881) Homepage

        rkhunter and chkrootkit as a quick example.
        two tools which are more or less set and forget, and which also target workstation users.
        (Done in background periodically, no interaction required, except running a small command after an update to avoid triggering false positive in one case)

        Probably hundreds of sysadmin-oriented tools can do it too.

        (checking files for modification is a very sane step to protect against corruption and possible compromise)

        having the /usr mount read-only and only /var, /tmp & co read-write is a rather sane measure which is also wide spread (not only on big server farms, on the technical grounds that the /usr might be served over the network. but even some smart-phone do it, webOS for example)

        On the other hand, a trojan targeting Linux is a proof that Linux server *are* a very valuable infection target, and lower markter share at the desktop isn't the only valid argument explaining the scarcity of Linux viruses.

      • when was the last time you checked your httpd file?

        This morning, debsum and rkhunter didn't report anything that requires attention.

      • by jrumney (197329)

        Mine is checked daily by debsums, along with all other binaries.

    • chattr +i anyone?

      just unchattr when you need to update httpd/apache

      more interesting is where the hole/holes are in cpanel

      • by Anonymous Coward

        Interestingly enough the modified httpd is apparently write protected the same way. At least according to a google translation of a new article referenced from the wikipedia article on cPanel. http://en.wikipedia.org/wiki/CPanel#cite_note-11

      • by MoFoQ (584566)

        interesting, the backdoor uses chattr

        • by anyanka (1953414)

          Which of course makes for easy detection (lsattr -R), if you don't use chattr yourself.

          • by xenobyte (446878)

            Which of course makes for easy detection (lsattr -R), if you don't use chattr yourself.

            Exactly. Almost all rooted servers I've seen have the modified binaries (that hide things) made immutable. Insanely stupid. I don't know anyone that uses immutability for anything under normal circumstances so immutable files will stand out.

            A daily scan like this:

            find / -type f -exec lsattr -a {} \; | grep -- '----i'

            will find all immutable files on your system.

            Run it from a crontab and you'll get notified by mail. It produces no output when it doesn't find anything so you'll only get a mail when something i

  • by Anonymous Coward

    How are they gaining access to the server to install their malicious software?

  • by dmomo (256005) on Monday April 29, 2013 @12:20PM (#43581599) Homepage

    This looks like a module for apache that, while sinister and clever, must be installed like any other module. Presumable, unless I'm missing something, this requires root access. If this so called "back door" (debatable) is on a system where it shouldn't be there is a bigger question on how was access to install it obtained it the first place.

    • by bvanheu (1028050)
      Did you RTFA? This is not an apache module.
      • by dmomo (256005)

        I did. I probably over-read because I got caught up in 3 other articles about the subject. I'm sorry about the confusion. My main point stands. The real issue is that this requires an insecure system in the first place.

    • by Nyder (754090)

      This looks like a module for apache that, while sinister and clever, must be installed like any other module. Presumable, unless I'm missing something, this requires root access. If this so called "back door" (debatable) is on a system where it shouldn't be there is a bigger question on how was access to install it obtained it the first place.

      Yes, sort of confusing. What I gained from the various articles is that by visiting a malicious webpage on a compromised server, it will try to install the backdoor thru whatever methods it has. What they aren't that specific on is how they manage to replace the apache executable. But since it seems there isn't a standard way to tell if apache is infected, that is sort of stupid.

      But other then that, it sounds a bit clever.

      • by Anonymous Coward

        We also don’t have enough information to pinpoint how those servers are initially being hacked, but we are thinking through SSHD-based brute force attacks.

        They didn't really find a backdoor in Apache, rather they found a modified httpd with some interesting new features installed on otherwise compromised servers. It's not an Apache problem. If you keep your servers secure in first place, you won't have this problem.

  • by Anonymous Coward

    other than a modified 'httpd' file.

    That seems like a pretty significant trace. Check the MD5 yourself. You can check it with 'debsums', you don't even have to set it up unlike tripwire [sourceforge.net].

  • Back in the day, people broke into servers for fun.

    Now, people break into servers to serve advertising.

    Soon, people will break into servers to drop bitcoin miners on them.

    I guess now we know where the real money is: ad impressions. What Ad networks serve ads to the cracker community?

  • by Bert64 (520050) <bert@sl[ ]dot.fi ... m ['ash' in gap]> on Monday April 29, 2013 @12:32PM (#43581721) Homepage

    Surely detection is pretty easy if the httpd binary has been modified, most distributions already have features to check the binaries on a system against known checksum lists from the packages they were installed from, so a modified httpd would stick out like a sore thumb.

    • by Anonymous Coward

      Given that you didn't mention what tools you could use to compare the checksums to the package tells me that you, and most others aren't checking packages on a regular basis.

  • "Apache Backdoor in the Wild"

    Am I the only one who initially pictured a rear entrance to a teepee in the countryside?

  • Maybe I missed it, but I don't see any details on how httpd gets compromised in the first place? Is there a zero-day vulnerability in apache that allows itself to be overwritten?

  • by dgharmon (2564621) on Monday April 29, 2013 @05:45PM (#43585227) Homepage
    "ESET researchers .. have been analyzing a new threat affecting Apache webservers. The threat is a highly advanced and stealthy backdoor .. Researchers have named the backdoor Linux/Cdorked.A, and it is the most sophisticated Apache backdoor seen so far"

    How does this advanced threat get onto the Apache webservers in the first place?
  • by Anonymous Coward

    What is with the hyper-sensationalized reports of "advanced and stealthy" Apache vulnerabilities lately? First darknet, now Cdorked? It is clearly FUD, as even the least competent systems administrator could confirm.... Neither of these security issues have anything at all to do with Apache except that they target the Apache binaries for modification.

    The only vulnerability here is that for some reason you allowed your server to get rooted. Neither of these attacks can be carried out without root access,

  • Isn't Apache Open Source?

    Isn't Open Source the only way to prevent this stuff from getting into the wild?

    Are we totally screwed because our last best hope hopeless?

    • by ruir (2709173)
      As if proprietary software also hasn't bigger problemsopen source is supposed to mitigate this problems, and improve the quality of software.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Well according to the above comments the vulnerability comes from CPanel, which isn't open source.

    • They are getting root so that they can install their hacked Apache binary by exploiting holes in Cpanel. Which is closed source.

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...