
Backdoor Targeting Apache Servers Spreads To Nginx, Lighttpd

Posted by timothy
from the learning-to-attack-the-unpronounceable dept.
An anonymous reader writes "Last week's revelation of the existence of Linux/Cdorked.A, a highly advanced and stealthy Apache backdoor used to drive traffic from legitimate compromised sites to malicious websites carrying Blackhole exploit packs, was only the beginning — ESET's continuing investigation has now revealed that the backdoor also infects sites running the nginx and Lighttpd webservers. Researchers have, so far, detected more than 400 webservers infected with the backdoor, and 50 of them are among the world's most popular and visited websites." Here's the researchers' original report.

  • Name the 50 sites (Score:5, Insightful)

    by PNutts (199112) on Wednesday May 08, 2013 @10:28PM (#43671529)

    The actual quote is, "50 are ranked in Alexa’s top 100,000 most popular websites." Quite different than the summary but would still be interesting to know.

  • Re:Why? (Score:5, Insightful)

    by Guinness Beaumont (2901413) on Wednesday May 08, 2013 @10:48PM (#43671625)
    Yes. My entire family will be calling for free tech support as their machines eat crap. This affects me directly and greatly, as I'm sure it similarly affects many other frequent posters here. Also personally, yes, no browser is invincible and I'd like to avoid infection as well.
  • by Skapare (16644) on Wednesday May 08, 2013 @10:49PM (#43671629)

    We also don’t have enough information to pinpoint how those servers are initially being hacked, but we are thinking through SSHD-based brute force attacks.

    So does this mean I need to remove sshd? Doubtful. More likely the initial vector is social engineering or weak passwords (social stupidity). That makes this whole infection uninteresting ... it's just an app from the web server perspective. OK, so it can break into your browser with a zero-day. Fix the browser.
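
An added example, not from the thread above or from ESET's report: the quoted ESET text suspects SSHD brute force as the initial vector, and that is something an administrator can check for in their own sshd logs before worrying about the web server binary. The script below parses OpenSSH auth.log lines, keeps a sliding window of failed logins per source address, and flags a source once it crosses a threshold; it also records when such a source later gets an "Accepted" login, which is the outcome that matters. The log lines are constructed for the demo, and the threshold, window and log year are assumptions, not published indicators.

```python
"""Spot SSH password brute-force patterns in OpenSSH auth.log lines.

Added example for the discussion of SSHD brute force as an initial
vector; the sample log lines, threshold and window are constructed
assumptions for the demo, not indicators from the ESET report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog timestamp without a year, host, "sshd[pid]:", then either a failed
# or an accepted authentication message. Anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?(?P<fuser>\S+) from (?P<fip>[\d.]+)"
    r"|Accepted (?:password|publickey) for (?P<auser>\S+) from (?P<aip>[\d.]+))"
)

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
May  8 22:10:01 web01 sshd[4021]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
May  8 22:10:03 web01 sshd[4021]: Failed password for invalid user test from 198.51.100.23 port 51023 ssh2
May  8 22:10:05 web01 sshd[4025]: Failed password for root from 198.51.100.23 port 51024 ssh2
May  8 22:10:07 web01 sshd[4027]: Failed password for root from 198.51.100.23 port 51025 ssh2
May  8 22:10:09 web01 sshd[4029]: Failed password for invalid user oracle from 198.51.100.23 port 51026 ssh2
May  8 22:10:12 web01 sshd[4031]: Accepted password for root from 198.51.100.23 port 51027 ssh2
May  8 22:11:40 web01 sshd[4040]: Failed password for alice from 203.0.113.7 port 40110 ssh2
May  8 22:11:45 web01 sshd[4042]: Accepted publickey for alice from 203.0.113.7 port 40111 ssh2
May  8 22:12:00 web01 sshd[4050]: Connection closed by 203.0.113.7 [preauth]
"""


def parse_line(line, year=2013):
    """Return (timestamp, source_ip, user, outcome) or None for other lines.

    Syslog lines carry no year, so one is assumed (2013 matches the sample).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    if m.group("fip"):
        return ts, m.group("fip"), m.group("fuser"), "failed"
    return ts, m.group("aip"), m.group("auser"), "accepted"


def find_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Report sources with >= threshold failed logins inside a sliding window.

    Returns {ip: {"max_failures": int, "users": set, "accepted_as": str|None}}.
    "accepted_as" is set when a flagged source later logs in successfully,
    i.e. a password was guessed rather than merely hammered on.
    """
    recent = defaultdict(list)  # ip -> [(ts, user), ...] failures in window
    report = {}
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        ts, ip, user, outcome = ev
        if outcome == "failed":
            bucket = recent[ip]
            bucket.append((ts, user))
            # Drop failures that fell out of the window (lines are in order).
            while bucket and ts - bucket[0][0] > window:
                bucket.pop(0)
            if len(bucket) >= threshold:
                entry = report.setdefault(
                    ip, {"max_failures": 0, "users": set(), "accepted_as": None}
                )
                entry["max_failures"] = max(entry["max_failures"], len(bucket))
                entry["users"].update(u for _, u in bucket)
        elif ip in report:
            # Success from a source already flagged as brute-forcing.
            report[ip]["accepted_as"] = user
    return report


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOG.splitlines()).items():
        users = ", ".join(sorted(info["users"]))
        print(f"{ip}: {info['max_failures']} failures in window, users tried: {users}")
        if info["accepted_as"]:
            print(f"  !! later ACCEPTED login as {info['accepted_as']}")
```

Run it against a real file with `find_brute_force(open("/var/log/auth.log"))`; the one-off failure from 203.0.113.7 stays below threshold and is not reported, while 198.51.100.23 is reported with the subsequent root login called out. On a live box, pair a hit like that with a look at which processes that session spawned and whether the httpd, nginx or lighttpd binaries still match the package checksums.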

  • by DarkTempes (822722) on Thursday May 09, 2013 @12:12AM (#43671991)
    I run lynx/links/etc in a chroot jail, you insensitive clod!

    In my experience most of the major browser exploits attack vulnerable plugins (flash, java, acrobat/pdf viewer, etc) or abuse scripting.
    If you restrict or disable said plugins and javascript then I'd say you're pretty darn safe.
    Granted, most "web 2.0" websites work like shit without javascript enabled but some stuff still works. For the more sane of us there are things like NoScript.

    It's kind of hard for plain text and images to do bad things though I suppose it's been done before.
  • by Zero__Kelvin (151819) on Thursday May 09, 2013 @08:41AM (#43673743)
    CPanel is often used to allow Web Hosting customers to have control over their pay per month websites / accounts. If a company allows their customers to create email accounts, enable ssh, etc. on a shared host this is how it is typically done to reduce the huge overhead of fielding requests for such tasks from every Tom, Dick, and Harry, since you clearly cannot give them root access.

    Implementing an idea poorly does not make it a bad idea.
