Sophisticated Apache Backdoor In the Wild 108
An anonymous reader writes "ESET researchers, together with web security firm Sucuri, have been analyzing a new threat affecting Apache webservers. The threat is a highly advanced and stealthy backdoor being used to drive traffic to malicious websites carrying Blackhole exploit packs. Researchers have named the backdoor Linux/Cdorked.A, and it is the most sophisticated Apache backdoor seen so far. The Linux/Cdorked.A backdoor does not leave traces on the hard-disk other than a modified 'httpd' file, the daemon (or service) used by Apache. All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis."
Another Link (Score:4, Informative)
Here's another link [welivesecurity.com] about this issue.
Seems systems with cPanel installed are getting hit with this. Better get a hash of your current apache executable so you can easily check it down the road.
Re:Wow (Score:4, Informative)
rpm -V httpd ?
Not that difficult to put in a cron job.
Re:Wow (Score:5, Informative)
when was the last time you checked your httpd file?
If you're using tripwire or another similar tool and it's properly configured, then you should be notified of file changes.
As long as you're paying attention, this doesn't seem like much of an issue.
Re:Wow (Score:5, Informative)
Just off the top of my head... (Score:4, Informative)
rkhunter and chkrootkit as a quick example.
two tools which are more or less set and forget, and which also target workstation users.
(Done in background periodically, no interaction required, except running a small command after an update to avoid triggering false positive in one case)
Probably hundreds of sysadmin-oriented tools can do it too.
(checking files for modification is a very sane step to protect against corruption and possible compromise)
having the /usr mount read-only and only /var, /tmp & co read-write is a rather sane measure which is also widespread (not only on big server farms, on the technical grounds that /usr might be served over the network, but even some smart-phones do it, webOS for example)
On the other hand, a trojan targeting Linux is proof that Linux servers *are* a very valuable infection target, and lower market share at the desktop isn't the only valid argument explaining the scarcity of Linux viruses.
Re:Wow (Score:5, Informative)
rpm -V httpd ?
That won't work for this particular attack surface, because cPanel installs Apache itself and doesn't use a package manager. As far as rpm is concerned, Apache isn't installed to verify.
Re:Wow (Score:4, Informative)
rpm -V httpd ?
Not that difficult to put in a cron job.
Cited FA [sucuri.net]:
In our previous posts, we recommended the utilization of tools like “rpm -Va” or “rpm -qf” or “dpkg -S” to see if the Apache modules were modified. However, those techniques won’t work against this backdoor. Since cPanel installs Apache inside /usr/local/apache and does not utilize the package managers, there is no single and simple command to detect if the Apache binary was modified.
Yeah, you'd be vulnerable if your apache installation is done using cpanel (as many hosting providers are).
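Added example, not posted by anyone in the thread: the "hash your current apache executable" advice above and the cPanel caveat (no rpm/dpkg record to verify against) both come down to keeping your own baseline. The script below records sha256 hashes for a list of binaries and re-checks them later; the /usr/local/apache/bin/httpd path is an assumption about a cPanel box, and the demo uses a throwaway temp file in place of the real binary so it runs anywhere.

```shell
#!/bin/sh
# Baseline-and-verify for binaries no package manager tracks.
# Assumed cPanel path (adjust): /usr/local/apache/bin/httpd
# Added example; not code from the thread, ESET, Sucuri or cPanel.

# Write "sha256  path" lines for every file given to the baseline file.
# Keep the baseline somewhere the web server's uid cannot write.
baseline_hashes() {
    baseline="$1"; shift
    sha256sum "$@" > "$baseline"
}

# Return 0 if every file still matches the baseline, non-zero otherwise.
# --quiet prints only mismatches and missing files, so a cron job
# stays silent until something actually changed.
verify_hashes() {
    sha256sum --quiet -c "$1"
}

# Self-contained demo: a fake httpd, a baseline, then a "tampered" copy.
# Returns 0 only if the clean file verifies and the modified one fails.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'fake httpd binary\n' > "$tmp/httpd"       # constructed stand-in
    baseline_hashes "$tmp/httpd.sha256" "$tmp/httpd"

    if ! verify_hashes "$tmp/httpd.sha256"; then
        echo "unexpected mismatch on clean file"; rm -rf "$tmp"; return 1
    fi

    printf 'backdoored\n' >> "$tmp/httpd"              # simulate modification
    if verify_hashes "$tmp/httpd.sha256"; then
        echo "tampering NOT detected"; rm -rf "$tmp"; return 1
    fi

    echo "tampering detected"
    rm -rf "$tmp"
    return 0
}

demo
```

On a real host you would run `baseline_hashes /root/apache.sha256 /usr/local/apache/bin/httpd` once after a known-good install or cPanel rebuild, then put `verify_hashes /root/apache.sha256 || mail -s "httpd changed" root` in cron. Rebuild the baseline after every legitimate Apache update, or the check will keep failing for the wrong reason.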