Backdoor Targeting Apache Servers Spreads To Nginx, Lighttpd

Posted by timothy
from the learning-to-attack-the-unpronounceable dept.
An anonymous reader writes "Last week's revelation of the existence of Linux/Cdorked.A, a highly advanced and stealthy Apache backdoor used to drive traffic from legitimate compromised sites to malicious websites carrying Blackhole exploit packs, was only the beginning — ESET's continuing investigation has now revealed that the backdoor also infects sites running the nginx and Lighttpd webservers. Researchers have, so far, detected more than 400 webservers infected with the backdoor, and 50 of them are among the world's most popular and visited websites." Here's the researchers' original report.
  • by Anonymous Coward

    Why do the developers force us to tell the world what engine we use?

    • by TheCarp (96830) <sjc@nospAm.carpanet.net> on Wednesday May 08, 2013 @09:24PM (#43671507) Homepage

      Are you referring to the http headers that identify the server version? If so then yes, it is a stupid question, since every webserver which I have ever configured has had an option to turn that off. Not that I ever bothered; if it was so useful, it would be turned off by default.

      Fingerprinting doesn't take that long, especially for well known services. Might be of some use if you really do run something obscure. In any case, even if they don't know if you are vulnerable, how long does it take to find out? Little use there.

      • It's going to be useful if someone is trying a targeted attack directly on your server. That way they know what version you are running, and can go to the correct source code trying to find a vulnerability, and not waste time on newer versions, or older versions, or patched versions, or whatever.
        • I have some sites running lighttpd, others I run G-Wan

          Is G-Wan affected?

          Thanks in advance for any tips that you can share with us.

          Thanks again!!

          • Looks like it could be affected because the exploit wasn't in the web-server; their machines got hacked through other means and then used that access to modify the webserver. So make sure you have a good ssh password and your box is updated at a minimum.
          • by Anonymous Coward

            Not delivering traffic is standard behaviour for G-Wan; it doesn't need a backdoor or virus for that.

        • by gmack (197796) <gmackNO@SPAMinnerfire.net> on Thursday May 09, 2013 @01:36AM (#43672563) Homepage Journal

          Quite frankly, I don't think the webserver was the entry point for Cdorked.A since as far as I read it was mainly machines with cpanel that were infected. Even if the problem wasn't cpanel, Apache doesn't run with the right permissions to change its own binary. If the entry point is elsewhere, once they are in the machine with root access, discovering what web server software is being used is trivial.

          Rather than worrying about something as trivial as the web server software, I would be much more concerned about why none of the control panels I've come across seem to have any sort of secure design. They run as root without any sort of privilege separation and edit the config files even when daemons are available that have a database back end.

          • What kind of developer thinks that a web server needs a GUI? That, in my opinion, explains everything about why the control panels lack secure design.
            • What kind of developer thinks that a web server needs a GUI?

              Where else are they going to put the ON and OFF buttons?

            • by Zero__Kelvin (151819) on Thursday May 09, 2013 @07:41AM (#43673743) Homepage
              CPanel is often used to allow Web Hosting customers to have control over their pay per month websites / accounts. If a company allows their customers to create email accounts, enable ssh, etc. on a shared host this is how it is typically done to reduce the huge overhead of fielding requests for such tasks from every Tom, Dick, and Harry, since you clearly cannot give them root access.

              Implementing an idea poorly does not make it a bad idea.
              • by Yebyen (59663) on Thursday May 09, 2013 @08:11AM (#43673955) Homepage

                > since you clearly cannot give them root access.

                and yet that's what it seems to be doing here. I heard a lot of folks say that LXC was DOA, because it didn't offer any protection against the classic "escalate chrooted root user to full system access," and I am not an expert but I'd say that has changed, you _can_ give your customers root without giving them root on the host system. Check out http://docker.io/ [docker.io] </shameless>

                (I heard there were alternatives to docker too, but I haven't found any other than RTFM and Edit The Damn Configs And Cross Your Fingers. Docker has just entered version 0.3 release and development is moving quickly.)

                • You aren't quite getting it. The tool is designed to only allow people who have logged in (auth'd) to perform tasks that require root access, limiting said access to only certain configuration files that they should be able to change, and to make only certain kinds of changes. It has a security flaw which can be exploited. It is no different than any other software that requires root access and has a security flaw that can be exploited from a non-privileged environment. It is akin to a GUI based sudo wi
                  • by Yebyen (59663)

                    No, I got it, I was just chiming in chorus with the other folks that were saying, "this tool does not need to be run as root. why does it have such a large attack surface? it's very expensive and widely deployed so why is it that it's always been such crap"

                    I don't run cpanel myself (I understand it's quite expensive to license) but I have been a customer of cpanel hosts before, I totally get it, it's meant to limit your access while providing you with administrative capabilities that are above the bare mi

          • by TheCarp (96830)

            > Apache doesn't run with the right permissions to change its own binary

            However it runs with enough permission to execute an exploit that would elevate access. The further you get into the system, the more holes can be exploited. The article did mention that they seem to be using a sophisticated root kit, after initial entry.

            > as I read it was mainly machines with cpanel that were infected.

            However many infected had neither cpanel nor the other common app. Likely, there are multiple vectors. This seems

        • And this is why I usually announce a version with a well known exploit and keep the firewall trained to alert me of exploits targeting that version.

          No better way to tip you off to a targeted attack.

        • by mvdwege (243851)

          Keyword here is 'if'.

          Most attackers will just run every exploit against a service in the hope that one will stick.

        • by jafiwam (310805)

          It's going to be useful if someone is trying a targeted attack directly on your server. That way they know what version you are running, and can go to the correct source code trying to find a vulnerability, and not waste time on newer versions, or older versions, or patched versions, or whatever.

          Not really. Even targeted attacks are begun by an automated probe that just tries everything and sees what sticks.

          It's a foolish thing to care about. The headers shouldn't be there, and if they are, it shouldn't matter. It takes literally seconds or minutes to ferret out what the tool is, and often the site says so right in a page somewhere.

          Caring about it is for fools or people who want to lead those fools away from their money.

    • It's all about advertising, to show just how many people use their webserver.

  • Why? (Score:5, Interesting)

    by Guinness Beaumont (2901413) on Wednesday May 08, 2013 @09:25PM (#43671515)
    Why isn't there a list of infected sites? Avoiding them would seem to be a priority.
    • Re:Why? (Score:4, Funny)

      by Skapare (16644) on Wednesday May 08, 2013 @09:41PM (#43671589) Homepage

      Are you afraid of a little infected web site? Something wrong with your browser?

      • Re:Why? (Score:5, Insightful)

        by Guinness Beaumont (2901413) on Wednesday May 08, 2013 @09:48PM (#43671625)
        Yes. My entire family will be calling for free tech support as their machines eat crap. This affects me directly and greatly, as I'm sure it similarly affects many other frequent posters here. Also personally, yes, no browser is invincible and I'd like to avoid infection as well.
      • There are numerous security flaws in all the major browsers. Vulnerabilities are getting fixed all the time; just look at the change log of Firefox or Chrome over the last few releases, for example. If you think you're magically virus-proof because you're running your pet OSS software, you might consider the list of popular OSS web servers in the title of this discussion.

        • by DarkTempes (822722) on Wednesday May 08, 2013 @11:12PM (#43671991)
          I run lynx/links/etc in a chroot jail, you insensitive clod!

          In my experience most of the major browser exploits attack vulnerable plugins (flash, java, acrobat/pdf viewer, etc) or abuse scripting.
          If you restrict or disable said plugins and javascript then I'd say you're pretty darn safe.
          Granted, most "web 2.0" websites work like shit without javascript enabled but some stuff still works. For the more sane of us there are things like NoScript.

          It's kind of hard for plain text and images to do bad things though I suppose it's been done before.
        • by jedidiah (1196)

          There's a small number of infected sites. That clearly indicates that this is likely a case of digital burglary rather than the much lower bar of something like a viral infection. Otherwise we would be talking about thousands of sites or half the Internet.

          Your screed would be more relevant if not for the fact that there are various fairly common workarounds employed on the various browsers to mitigate just this kind of nonsense.

          A little paranoia goes a long way. That's far more useful than the sort of bliss

      • Re:Why? (Score:4, Interesting)

        by mwvdlee (775178) on Thursday May 09, 2013 @02:08AM (#43672641) Homepage

        How exactly does your browser recognize the difference between a normal page and the exact same page delivered from the exact same server at perhaps a microsecond delay?

        This backdoor may simply be passing on POSTs with passwords (a webserver receives these unencrypted, you know) to another server without altering anything on the page. The only one who'd notice would be a webserver admin that happens to monitor outgoing traffic.

    • It could lure you into a sense of false security, letting you think you are safe by avoiding them, when really you don't know that. Other sites are probably infected too.

      Also, the sites they've found are probably not infected anymore, since presumably they've been notified and resolved the problem.
      • by znrt (2424692)

        It could lure you into a sense of false security, letting you think you are safe by avoiding them, when really you don't know that. Other sites are probably infected too.

        methinks the whole internets is built upon a false sense of false security. the OP is right, there is no reason not to disclose the list.

        Also, the sites they've found are probably not infected anymore, since presumably they've been notified and resolved the problem.

        this is a bold assumption, and a clear indication of a false sense of security :-)
        (besides in contradiction with your previous statement)

        • How is it a contradiction?
          • by znrt (2424692)

            sorry. there's no contradiction, really, i meant that warning against trusting *any* site (an advice i endorse) would be incompatible with advocating for trusting *some* sites because they would fix the issue (the same sites that got pwned in the first place), but i see now that you weren't implying that at all. my bad.

    • by jrumney (197329)

      Avoiding them would seem to be a priority.

      1. slashdot.org
      2. ....

      Too late!

    • Re:Why? (Score:4, Interesting)

      by dotancohen (1015143) on Thursday May 09, 2013 @02:03AM (#43672633) Homepage

      Why isn't there a list of infected sites? Avoiding them would seem to be a priority.

      Here is how to make sure you are not one of the infected sites: Compile and run this:
      http://www.welivesecurity.com/wp-content/uploads/2013/04/dump_cdorked_config.c [welivesecurity.com]

      If you don't want to vet that, you can get a first approximation with "ipcs", just look for the Apache PID, which you can get from "ps aux | grep apache2".
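The "first approximation" described above, as an added example that is not part of the post or of ESET's tool: it joins the creator PIDs in `ipcs -m -p` output to the PIDs of the web server processes and lists the shared-memory segments a web server process created. The `ipcs` and `ps` outputs below are constructed samples, and the column layout of `ipcs -m -p` is assumed to be the util-linux one. An unmodified web server can legitimately own shared memory (Apache's scoreboard or SSL session cache, depending on how it was built), so a hit is something to inspect with the real config dumper linked above, not proof of infection.

```python
"""Cross-reference SysV shared-memory segments with web server PIDs.

Added example (not from the ESET report or this thread). Parses the
text output of `ipcs -m -p` and `ps -eo pid,user,comm` so it can run
on captured output from a suspect host as well as live.
"""
import subprocess

# Constructed sample of `ipcs -m -p` (util-linux layout assumed).
SAMPLE_IPCS = """\
------ Shared Memory Creator/Last-op PIDs --------
shmid      owner      cpid       lpid
0          root       812        812
32769      www-data   2042       2042
65538      postgres   1337       1337
"""

# Constructed sample of `ps -eo pid,user,comm`.
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     init
 2042 www-data apache2
 2043 www-data apache2
 1337 postgres postgres
"""

WEB_SERVER_NAMES = ("apache2", "httpd", "nginx", "lighttpd")


def web_server_pids(ps_text, names=WEB_SERVER_NAMES):
    """Return the set of PIDs whose command name is a known web server."""
    pids = set()
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) >= 3 and parts[2] in names:
            pids.add(int(parts[0]))
    return pids


def shm_segments_by_pid(ipcs_text):
    """Parse `ipcs -m -p` into {shmid: (owner, creator_pid)}.

    Data rows are exactly four columns (shmid owner cpid lpid); the
    banner and header rows are skipped because their first column is
    not numeric.
    """
    segments = {}
    for line in ipcs_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit() and parts[2].isdigit():
            segments[int(parts[0])] = (parts[1], int(parts[2]))
    return segments


def suspicious_segments(ipcs_text, ps_text):
    """Return sorted shmids whose creator is a web server process."""
    pids = web_server_pids(ps_text)
    segments = shm_segments_by_pid(ipcs_text)
    return sorted(shmid for shmid, (_owner, cpid) in segments.items() if cpid in pids)


def live_check():
    """Run the same join against the local host (needs ipcs and ps on PATH)."""
    ipcs = subprocess.run(["ipcs", "-m", "-p"], capture_output=True, text=True, check=True).stdout
    ps = subprocess.run(["ps", "-eo", "pid,user,comm"], capture_output=True, text=True, check=True).stdout
    return suspicious_segments(ipcs, ps)


if __name__ == "__main__":
    print(suspicious_segments(SAMPLE_IPCS, SAMPLE_PS))  # constructed sample -> [32769]
```

Segments listed by `suspicious_segments` are the ones worth dumping and inspecting; the `cpid` column only records who created a segment, so a process that attached to someone else's segment will not show up here.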

  • Name the 50 sites (Score:5, Insightful)

    by PNutts (199112) on Wednesday May 08, 2013 @09:28PM (#43671529)

    The actual quote is, "50 are ranked in Alexa’s top 100,000 most popular websites." Quite different than the summary but would still be interesting to know.

  • Why is this hard to detect if you're monitoring the checksums on your server binaries?
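The kind of checksum monitoring the comment above takes for granted, as an added example that is not from the thread: a SHA-256 manifest of the web server's binaries and modules taken at install time, compared against the files later. The directory and files in `demo()` are constructed in a temporary directory to simulate one modified module and one unexpected new one.

```python
"""Baseline-and-verify integrity check for server binaries.

Added example, not part of the thread. Build a manifest once from a
known-good install, store it off the host (an attacker with root can
edit a manifest kept locally), and diff against a fresh manifest later.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in 64 KiB chunks so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map path-relative-to-root -> sha256 for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline, current):
    """Compare two manifests; returns sorted lists of modified, added and missing paths."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a fake modules dir, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        modules = Path(tmp) / "modules"
        modules.mkdir()
        (modules / "mod_ssl.so").write_bytes(b"clean module bytes")
        (modules / "mod_rewrite.so").write_bytes(b"clean module bytes 2")
        baseline = build_manifest(tmp)

        # Simulated tampering: one module altered, one new module dropped in.
        (modules / "mod_ssl.so").write_bytes(b"clean module bytes plus an implant")
        (modules / "mod_extra.so").write_bytes(b"unexpected new module")
        return diff_manifest(baseline, build_manifest(tmp))


if __name__ == "__main__":
    print(demo())
```

Distribution packages already ship such manifests (`rpm -V` and `debsums` compare installed files against package metadata), but those databases live on the host; the point of a separate manifest stored elsewhere is that a root-level intruder cannot quietly update it alongside the binary.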
  • by Skapare (16644) on Wednesday May 08, 2013 @09:49PM (#43671629) Homepage

    We also don’t have enough information to pinpoint how those servers are initially being hacked, but we are thinking through SSHD-based brute force attacks.

    So does this mean I need to remove sshd? Doubtful. More likely the initial vector is social engineering or weak passwords (social stupidity). That makes this whole infection uninteresting ... it's just an app from the web server perspective. OK, so it can break into your browser with a zero-day. Fix the browser.

    • by phantomfive (622387) on Wednesday May 08, 2013 @10:42PM (#43671839) Journal

      So does this mean I need to remove sshd?

      No, it means you need a more complicated password.

      And it seems to be just a guess, they probably came to 'sshd' by following a line of reasoning starting with the only thing they could think of that all the hacked servers have in common.

    • by lgftsa (617184) on Wednesday May 08, 2013 @11:18PM (#43672015)

      Worried about exposed sshd? Install pam-abl and watch the brute force attackers waste their time. With my config, three failures from any IP address in an hour (or 6 per day) and that IP is locked out for a week through PAM. They can still try, of course, but even if they somehow guess the correct password, it must be in their first three guesses each week.

      There's no indication to the attacker that pam-abl is there, and there's very little chance of a DOS attack against legitimate logins.

      Oh, and you've denied root logins from the internet, haven't you?

      Warning: Source tarball, but if I debian-ized it, then anyone can.

      • Re: (Score:3, Informative)

        by thetoastman (747937)

        There are quite a number of ways to harden access:

        1. pam-abl (as noted above)
        2. denyhosts
        3. VPN (openvpn works for me)
        4. Hosting ISP firewall

        Also as noted above, do not permit direct remote root access. Doing anything less is just advertising yourself as a platform for malware.

        The first three are quite easy to set up. There is really no excuse for not setting up at least a minimum level of security on your system. That plus careful use of mod_security, and you've done quite a bit towards thwarting the cas

        • by Trogre (513942)

          Here's what I do:

          1. Have sshd listen on a non-standard port (i.e. NOT 22)
          2. apt-get install fail2ban - lock the
          3. Use pam_listfile to whitelist what accounts can log in with SSH
          4. Explicitly disable SSH root access in sshd_config

      • They have vast botnets, once an IP gets blocked, they just continue from the next IP. I haven't seen brute forcing coming from the entire botnet by default myself, but I'm sure there are crackers that have figured this out by now. You're merely obfuscating the weakness with your solution. Sure, it's effective against quite a few types of drive-by attacks, but the only solution is to stop accepting passwords and require PKI for ssh auth.
      • Worried about exposed sshd? Install pam-abl and watch the brute force attackers waste their time.

        Thanks for the link to pam-abl. That was the first I'd heard of it. Neat module.

        Personally, I've always gone with

        RSAAuthentication yes
        PubkeyAuthentication yes
        PasswordAuthentication no

        and I sleep well at night. Although I have to admit, I sure see an assload of this type of crap in the logs:

        May 9 11:12:38 imap sshd[15366]: reverse mapping checking getaddrinfo for ras-185-151.wntpr.net [196.12.185.151] failed - POSSIBLE BREAK-IN ATTEMPT!
        May 9 11:12:38 imap sshd[15366]: Invalid user matt4 from 196.12.185.151
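The pam-abl style rule from earlier in this thread (three failures from one address within an hour), applied to sshd log lines like the two quoted above, as an added example that is not from either post. The log lines are constructed samples in classic syslog format, which carries no year, so the year is supplied as an assumption. A real sshd writes both an "Invalid user" line and a "Failed password for invalid user" line for a single attempt, so attempts are de-duplicated by the sshd PID in the line before counting.

```python
"""Find SSH brute-force sources in auth.log lines.

Added example, not part of the thread. Counts failed attempts per
source address over a sliding window and reports addresses that
reach the threshold, the way pam-abl or fail2ban would lock them out.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One failed attempt: "Invalid user X from IP" or
# "Failed password for [invalid user] X from IP port N ssh2".
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?:Invalid user \S+ from|Failed password for (?:invalid user )?\S+ from) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log (the first two lines are the ones quoted in the thread).
SAMPLE_LOG = """\
May 9 11:12:38 imap sshd[15366]: reverse mapping checking getaddrinfo for ras-185-151.wntpr.net [196.12.185.151] failed - POSSIBLE BREAK-IN ATTEMPT!
May 9 11:12:38 imap sshd[15366]: Invalid user matt4 from 196.12.185.151
May 9 11:12:38 imap sshd[15366]: Failed password for invalid user matt4 from 196.12.185.151 port 51100 ssh2
May 9 11:12:41 imap sshd[15368]: Invalid user oracle from 196.12.185.151
May 9 11:12:45 imap sshd[15370]: Failed password for invalid user test from 196.12.185.151 port 51122 ssh2
May 9 11:40:02 imap sshd[15402]: Failed password for root from 203.0.113.7 port 40000 ssh2
May 9 12:50:10 imap sshd[15510]: Failed password for root from 203.0.113.7 port 40001 ssh2
May 9 12:55:00 imap sshd[15520]: Accepted publickey for alice from 198.51.100.4 port 22222 ssh2
"""


def parse_failures(log_text, year=2013):
    """Yield (timestamp, ip) once per failed attempt; year is assumed (syslog omits it)."""
    seen = set()
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        key = (m.group("pid"), m.group("ip"))
        if key in seen:  # second log line for the same attempt
            continue
        seen.add(key)
        stamp = " ".join(m.group("ts").split())  # collapse "May  9" padding
        yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m.group("ip")


def offenders(log_text, max_failures=3, window=timedelta(hours=1)):
    """Return {ip: time_threshold_was_reached} for sources with >= max_failures in any window."""
    per_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        per_ip[ip].append(ts)
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= max_failures:
                hits[ip] = ts
                break
    return hits


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {when}")
```

In the sample, 196.12.185.151 makes three distinct attempts within seconds and is reported; 203.0.113.7 makes only two, more than an hour apart, and is not. Tune `max_failures` and `window` to the same values your PAM or firewall rule uses so the report matches what actually got blocked.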

        • Although I have to admit, I sure see an assload of this type of crap in the logs:

          The simple solution there is to move SSH off of the default port (of 22) and to some other port in the 1-1024 range. You'll end up with a lot less crap in the log files as a result.

          Which makes it easier to see the real threats because they aren't camouflaged by hundreds of other errors in the logs.
      • by Lost Race (681080)

        Yeah, you could do that, or you could change to a non-standard port. In my ten years of running sshd on a non-standard port on several public servers I've been hit by exactly 0 (zero) probes on that port.

        Obscurity for the security win!

    • So does this mean I need to remove sshd?

      I got an e-mail in my spam folder last week so I pulled all the hard disks.
      Unlike you other lameoids, my server aints gettin hacked.

    • So does this mean I need to remove sshd?

      No, but if you can you should disable password authentication.

    • So does this mean I need to remove sshd?

      Any public side SSH service where you are only using SSH for administration of the machine should be:

      1) Disallowing password-based authentication. Use only SSH key pairs instead for authentication. Now the attacker also needs to steal your private SSH key (and possibly find out the password as well). You've just made it a lot more difficult for them.

      2) Moved to an alternate port. This doesn't make you immune to attacks, but it does mean that you'll see less
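The sshd_config settings recommended across this sub-thread (key-only authentication, no root login, an account whitelist as with pam_listfile, a non-default port), checked mechanically, as an added example that belongs to none of the posts. The parser follows sshd's own rules for the global section: keywords are case-insensitive, the first occurrence of a keyword wins, and everything after a `Match` line is conditional and therefore ignored here. The two configuration texts are constructed samples and the defaults table assumes OpenSSH 6.x era defaults.

```python
"""Audit an sshd_config against the hardening advice in this thread.

Added example, not part of the thread. Reads sshd_config text, applies
sshd's first-occurrence-wins rule for the global section, and reports
each recommended setting that is missing or weak.
"""

# sshd defaults for the keywords checked (assumed OpenSSH 6.x era values).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Constructed sample: a stock-looking config that still accepts passwords and root.
WEAK_CONFIG = """\
# constructed sample, not a real host's config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: the settings the thread recommends, plus a Match block
# that only relaxes password auth for a management network (not global).
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers alice bob
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: argument} for the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key Value" or "Key=Value"
        key = parts[0].lower()
        if key == "match":
            break  # everything below is conditional; audit the global part only
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip()  # first occurrence wins, as in sshd
    return settings


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing stays possible")
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is off: key-only login is impossible")
    if cfg["permitrootlogin"].lower() not in ("no", "without-password", "prohibit-password"):
        findings.append("PermitRootLogin allows root password login")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups whitelist: every local account may log in")
    if cfg["port"] == "22":
        findings.append("Port 22: default port, expect scanner noise in the logs (not a security control)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

On a live host, `sshd -T` prints the effective configuration with defaults resolved, which is a better input for `audit()` than the raw file when you are unsure which defaults your build uses. The port finding is deliberately labelled as noise reduction rather than security, matching the point made in the thread.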
  • Fix (Score:5, Funny)

    by Frankie70 (803801) on Wednesday May 08, 2013 @09:56PM (#43671659)

    You can download a fix here [iis.net].

    • Re: (Score:1, Funny)

      by Anonymous Coward

      Yes, indeed. Why suffer from this minor malware when you could have all the best ones infecting you? Lightweights!

    • At first it made me laugh... but then wondered... maybe you were serious after all??
  • by Anonymous Coward

    is this for cpanel or apache?

    • by fazey (2806709)
      ... What?
      The intruder is backdooring the binaries. It has nothing to do with cPanel. Not to mention cPanel runs easyapache, but if it became an intended target, I'm sure it could be infected just the same...
      • By "backdooring the binaries", I can change the operating system or any software of any system. So a system gets rooted, and bad wares can be installed. Bear shits in the woods, story at 11.

    • by c0lo (1497653)

      is this for cpanel or apache?

      TFA [net-security.org]

      "We still don’t know for sure how this malicious software was deployed on the web servers," the researchers admit. "We believe the infection vector is not unique. It cannot be attributed solely to installations of cPanel because only a fraction of the infected servers are using this management software. One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software."

  • by Anonymous Coward

    Only 2 weeks back, when this was reported everyone blamed cPanel. Now that exposures in NGINX and Lighttpd have been found, comments (guesses) as to the attack method are proposed, but very few realistic ideas. TFA seems to indicate that it's more pervasive than many of the people commenting want to believe. I'm just waiting for them to find IIS infected as well.

  • by gmuslera (3436) on Wednesday May 08, 2013 @10:15PM (#43671733) Homepage Journal

    Those servers somehow (i.e. a vulnerable web app, weak ssh passwords, local privilege escalation on a shell got in some way, or a combo of all of those) got rooted, and instead of modifying web pages (easier, but also easier to detect and fix), replacing the entire web server (easier to detect or to roll back) or changing the configuration of i.e. mod_rewrite modules (which with a configuration manager could have been detected/rolled back to the original one), got some new modules replaced/added, modules that in particular had that functionality.

    There's nothing particularly new in this, other than the malware authors not being just script kiddies and actually having done some serious programming for it. Somehow I hope that they give back to the community by releasing the source, not the malware backdoor itself, but a modified, non-malware version with a useful use (i.e. something that dynamically blacklists IPs/useragents/languages for actions, receiving the input from another kind of system, like a honeywords [slashdot.org] service) if not available yet.

  • by Anonymous Coward

    If they'd used Linux instead, this wouldn't have happened.

    • Oh you mean if MS wouldn't have existed, many people wouldn't have converted themselves to virus makers and the world would be better?
  • screw it (Score:5, Funny)

    by clam666 (1178429) on Wednesday May 08, 2013 @11:22PM (#43672031)
    I knew this was a mistake. Secure my ass. I'm going back to Windows.
