Sophisticated Apache Backdoor In the Wild

Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

This discussion has been archived. No new comments can be posted.

Sophisticated Apache Backdoor In the Wild

Load All Comments

Search 108 Comments Log In/Create an Account

Comments Filter:

Wow (Score:5, Insightful)

by Dr. Evil ( 3501 ) writes:

"other than a modified 'httpd' file,"
It's completely invisible, as long as you're blind.
- Re: (Score:5, Insightful)
  
  by Synerg1y ( 2169962 ) writes:
  
  when was the last time you checked your httpd file?
  - Re:Wow (Score:4, Informative)
    
    by Poeli ( 573204 ) writes: on Monday April 29, 2013 @12:22PM (#43581607)
    
    rpm -V httpd ?
    Not that difficult to put in a cron job.
    
    Parent Share
    twitter facebook
    - Re:Wow (Score:4, Interesting)
      
      by ArchieBunker ( 132337 ) writes: on Monday April 29, 2013 @12:27PM (#43581667) Homepage
      
      Who even does that in the first place? OpenBSD gives you a daily email containing all changes to config files that have occurred.
      
      Parent Share
      twitter facebook
      - Re:Wow (Score:5, Informative)
        
        by larry bagina ( 561269 ) writes: on Monday April 29, 2013 @12:35PM (#43581747) Journal
        
        httpd isn't a config file; it's the apache executable. Tripwire or other such utilities would catch it.
        
        Parent Share
        twitter facebook
    - Re:Wow (Score:5, Informative)
      
      by ShaunC ( 203807 ) writes: on Monday April 29, 2013 @01:25PM (#43582283)
      
      rpm -V httpd ?
      That won't work for this particular attack surface, because cPanel installs Apache itself and doesn't use a package manager. As far as rpm is concerned, Apache isn't installed to verify.
      
      Parent Share
      twitter facebook
      - Re:Wow (Score:5, Insightful)
        
        by h4rr4r ( 612664 ) writes: on Monday April 29, 2013 @01:47PM (#43582577)
        
        The solution to this is be a big boy and don't use cPanel.
        
        Parent Share
        twitter facebook
    - Re:Wow (Score:4, Informative)
      
      by c0lo ( 1497653 ) writes: on Tuesday April 30, 2013 @12:08AM (#43587469)
      
      rpm -V httpd ?
      Not that difficult to put in a cron job.
      Cited FA [sucuri.net]:
      In our previous posts, we recommended the utilization of tools like “rpm -Va” or “rpm -qf” or “dpkg -S” to see if the Apache modules were modified. However, those techniques won’t work against this backdoor. Since cPanel installs Apache inside /usr/local/apache and does not utilize the package managers, there is no single and simple command to detect if the Apache binary was modified.
      Yeah, you'd be vulnerable if your apache installation is done using cpanel (as many hosting providers are).
      
      Parent Share
      twitter facebook

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Sophisticated Apache Backdoor In the Wild More Login

Sophisticated Apache Backdoor In the Wild

Wow (Score:5, Insightful)

Re: (Score:5, Insightful)

Re:Wow (Score:4, Informative)

Re:Wow (Score:4, Interesting)

Re:Wow (Score:5, Informative)

Re:Wow (Score:5, Informative)

Re:Wow (Score:5, Insightful)

Re:Wow (Score:4, Informative)