Sophisticated Apache Backdoor In the Wild
An anonymous reader writes "ESET researchers, together with web security firm Sucuri, have been analyzing a new threat affecting Apache webservers. The threat is a highly advanced and stealthy backdoor being used to drive traffic to malicious websites carrying Blackhole exploit packs. Researchers have named the backdoor Linux/Cdorked.A, and it is the most sophisticated Apache backdoor seen so far. The Linux/Cdorked.A backdoor does not leave traces on the hard-disk other than a modified 'httpd' file, the daemon (or service) used by Apache. All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis."
doesn't look so scary (Score:5, Insightful)
Only cpanel apaches vulnerable and modified httpd easily found by grep'ing a string?
*yawn*
Wow (Score:5, Insightful)
"other than a modified 'httpd' file,"
It's completely invisible, as long as you're blind.
Re:Wow (Score:5, Insightful)
when was the last time you checked your httpd file?
Does not leave traces on the hard-disk... (Score:2, Insightful)
other than a modified 'httpd' file.
That seems like a pretty significant trace. Check the MD5 yourself. You can check it with 'debsums'; you don't even have to set it up, unlike tripwire.
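The baseline check the comment above describes, done by hand with sha256sum rather than debsums, as an added example that is not from the thread (the scratch directory and the stand-in "httpd" file are constructed for the demo):

```shell
#!/bin/sh
# Added example: record a checksum baseline for a binary and later verify it,
# the manual equivalent of what debsums does against the package database.

# Write "<sha256>  <absolute path>" lines for the given files into a manifest.
record_baseline() {
    manifest="$1"; shift
    sha256sum "$@" > "$manifest"
}

# Re-hash every file in the manifest. Returns 0 if all match, 1 if any file
# was modified or is missing; sha256sum -c reports the failing paths.
check_baseline() {
    manifest="$1"
    if sha256sum -c "$manifest" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Demo on a constructed scratch copy so no real httpd binary is touched.
demo() {
    dir=$(mktemp -d)
    printf 'pretend this is the httpd binary\n' > "$dir/httpd"
    record_baseline "$dir/baseline.sha256" "$dir/httpd"
    check_baseline "$dir/baseline.sha256" && echo "httpd matches baseline"
    # Simulate a patched binary: even one appended byte changes the hash.
    printf 'x' >> "$dir/httpd"
    check_baseline "$dir/baseline.sha256" || echo "httpd MODIFIED since baseline"
    rm -rf "$dir"
}

demo
```

The manifest must live somewhere the attacker cannot rewrite (read-only media or another host), otherwise a modified binary can ship with a matching manifest.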
Re:doesn't look so scary (Score:5, Insightful)
It's a cpanel vulnerability, Apache is merely modified by the payload to help it spread. Seriously, giving a web server process root -- what the hell are those guys thinking?
Re:doesn't look so scary (Score:4, Insightful)
Bingo.
That is why this thing is overhyped. Yes, it's a problem, but only on grossly misconfigured servers. They might as well have left the root password as "password".
Re:Wow (Score:5, Insightful)
The solution to this is be a big boy and don't use cPanel.
Method of infection? (Score:4, Insightful)
How does this advanced threat get onto the Apache webservers in the first place?
Re:Open Source Issues? (Score:2, Insightful)
Well according to the above comments the vulnerability comes from CPanel, which isn't open source.