Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Apache

Sophisticated Apache Backdoor In the Wild 108

An anonymous reader writes "ESET researchers, together with web security firm Sucuri, have been analyzing a new threat affecting Apache webservers. The threat is a highly advanced and stealthy backdoor being used to drive traffic to malicious websites carrying Blackhole exploit packs. Researchers have named the backdoor Linux/Cdorked.A, and it is the most sophisticated Apache backdoor seen so far. The Linux/Cdorked.A backdoor does not leave traces on the hard-disk other than a modified 'httpd' file, the daemon (or service) used by Apache. All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis."
This discussion has been archived. No new comments can be posted.

Sophisticated Apache Backdoor In the Wild

Comments Filter:
  • by iggymanz ( 596061 ) on Monday April 29, 2013 @11:11AM (#43581525)

    Only cpanel apaches vulnerable and modified httpd easily found by grep'ing a string?

    *yawn*

    • by Eunuchswear ( 210685 ) on Monday April 29, 2013 @11:16AM (#43581567) Journal

      Yeah, and I'm sure you could fix it with an apropriate hosts file.

      • by Anonymous Coward

        Yeah, and I'm sure you could fix it with an apropriate hosts file.

        LAWLZLAWLZLAWLZ

      • Or a Privoxy rule: [Redacted] (Your comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition.)

        Doh. It's not like commenters on a nerd site want to post code-like text that may contain repetition.
    • Re: (Score:3, Interesting)

      by Anonymous Coward

      No, all apaches are vulnerable - if the binary is replaced in this way. cPanel doesn't use packaged binaries for apache, and therefore you can't spot if you've been hacked *by simple use of the package manager*.

      • by The Mighty Buzzard ( 878441 ) on Monday April 29, 2013 @11:38AM (#43581771)
        All everything is vulnerable if the binary is replaced. There's exactly jack and shit sophisticated about replacing binaries.
      • According to the threads I read, all are vulnerable. Since the binary is not changed on disk, vidating checksums won't detect this. They really did not go into much detail in any of the reading I got following TFA three levels deep. No versions, no rigs, no mods, etc.. Did you read outside of TFA that it was CPA el only? Sittin in the dr office now, have to read more when back at the office.
    • by KiloByte ( 825081 ) on Monday April 29, 2013 @11:45AM (#43581827)

      It's a cpanel vulnerability, Apache is merely modified by the payload to help it spread. Seriously, giving a web server process root -- what the hell are those guys thinking?

      • by Lumpy ( 12016 ) on Monday April 29, 2013 @12:11PM (#43582135) Homepage

        Bingo.

        That is why this thing is overhyped. Yes it's a problem but only on grossly msiconfigured servers. They might as well left the Root password as "password"

      • Well, it was good enough for Microsoft...
      • by tibman ( 623933 )

        What distro ships apache as root? Haven't seen it in a looong time

      • by IMightB ( 533307 )

        I worked at an ISP using cPanel for a couple hundred shared servers... Let me just say that cPanel is the biggest hunk of crap out there. It is poorly written with no attention paid to security. It is squarely aimed at end-users who have no clue about system administration and has a penchant for letting those same people shoot themselves in the foot as often as possible. cPanel, for instance, lets you format/partition hard drives via the gui without much in the way of instructions or warnings rega

        • it's just to bad that it doesn't fire an actual bullet into their foot or at least zap em good when they screw up. Might help educate some of those damn PEBKAC issues

  • by geek ( 5680 ) on Monday April 29, 2013 @11:12AM (#43581531)

    Getting Cdorked in the backdoor sounds painful.

  • Another Link (Score:4, Informative)

    by Anonymous Coward on Monday April 29, 2013 @11:13AM (#43581539)

    Here's another link [welivesecurity.com] about this issue.

    Seems systems with cPanel installed are getting hit with this. Better get a hash of your current apache executable so you can easily check it down the road.

  • Wow (Score:5, Insightful)

    by Dr. Evil ( 3501 ) on Monday April 29, 2013 @11:14AM (#43581543)

    "other than a modified 'httpd' file,"

    It's completely invisible, as long as you're blind.

    • Re:Wow (Score:5, Insightful)

      by Synerg1y ( 2169962 ) on Monday April 29, 2013 @11:17AM (#43581573)

      when was the last time you checked your httpd file?

      • Re:Wow (Score:4, Informative)

        by Poeli ( 573204 ) on Monday April 29, 2013 @11:22AM (#43581607)

        rpm -V httpd ?

        Not that difficult to put in a cron job.

        • Re:Wow (Score:4, Interesting)

          by ArchieBunker ( 132337 ) on Monday April 29, 2013 @11:27AM (#43581667)

          Who even does that in the first place? OpenBSD gives you a daily email containing all changes to config files that have occurred.

        • Re:Wow (Score:5, Informative)

          by ShaunC ( 203807 ) on Monday April 29, 2013 @12:25PM (#43582283)

          rpm -V httpd ?

          That won't work for this particular attack surface, because cPanel installs Apache itself and doesn't use a package manager. As far as rpm is concerned, Apache isn't installed to verify.

        • Re:Wow (Score:4, Informative)

          by c0lo ( 1497653 ) on Monday April 29, 2013 @11:08PM (#43587469)

          rpm -V httpd ?

          Not that difficult to put in a cron job.

          Cited FA [sucuri.net]:

          In our previous posts, we recommended the utilization of tools like “rpm -Va” or “rpm -qf” or “dpkg -S” to see if the Apache modules were modified. However, those techniques won’t work against this backdoor. Since cPanel installs Apache inside /usr/local/apache and does not utilize the package managers, there is no single and simple command to detect if the Apache binary was modified.

          Yeah, you'd be vulnerable if your apache installation is done using cpanel (as many hosting providers are).

      • Re:Wow (Score:5, Informative)

        by lky ( 246353 ) on Monday April 29, 2013 @11:28AM (#43581685)

        when was the last time you checked your httpd file?

        If you're using tripwire or another similar tool and its properly configured, then you should be notified of file changes.

        As long as you're paying attention, this doesn't seem like much of an issue.

      • by DrYak ( 748999 ) on Monday April 29, 2013 @11:49AM (#43581881) Homepage

        rkhunter and chkrootkit as a quick example.
        two tools which are more or less set and forget, and which also target workstation users.
        (Done in background periodically, no interaction required, except running a small command after an update to avoid triggering false positive in one case)

        Probably hundreds of sysadmin-oriented tools can do it too.

        (checking files for modification is a very sane step to protect against corruption and possible compromise)

        having the /usr mount read-only and only /var, /tmp & co read-write is a rather sane measure which is also wide spread (not only on big server farms, on the technical grounds that the /usr might be served over the network. but even some smart-phone do it, webOS for example)

        On the other hand, a trojan targeting Linux is a proof that Linux server *are* a very valuable infection target, and lower markter share at the desktop isn't the only valid argument explaining the scarcity of Linux viruses.

      • when was the last time you checked your httpd file?

        This morning, debsum and rkhunter didn't report anything that requires attention.

      • by jrumney ( 197329 )

        Mine is checked daily by debsums, along with all other binaries.

    • chattr +i anyone?

      just unchattr when you need to update httpd/apache

      more interesting is where the hole/holes are in cpanel

      • by Anonymous Coward

        Interestingly enough the modified httpd is apparently write protected the same way. At least according to a google translation of a new article referenced from the wikipedia article on cPanel. http://en.wikipedia.org/wiki/CPanel#cite_note-11

      • by MoFoQ ( 584566 )

        interesting, the backdoor uses chattr

        • Which of course makes for easy detection (lsattr -R), if you don't use chattr yourself.

          • Which of course makes for easy detection (lsattr -R), if you don't use chattr yourself.

            Exactly. Almost all rooted servers I've seen have the modified binaries (that hide things) made immutable. Insanely stupid. I don't know anyone that uses immutability for anything under normal circumstances so immutable files will stand out.

            A daily scan like this:

            find / -type f -exec lsattr -a {} \; | grep -- '----i'

            will find all immutable files on your system.

            Run it from a crontab and you'll get notified by mail. It produces no output when it doesn't find anything so you'll only get a mail when something i

  • by Anonymous Coward

    How are they gaining access to the server to install their malicious software?

  • by dmomo ( 256005 ) on Monday April 29, 2013 @11:20AM (#43581599)

    This looks like a module for apache that, while sinister and clever, must be installed like any other module. Presumable, unless I'm missing something, this requires root access. If this so called "back door" (debatable) is on a system where it shouldn't be there is a bigger question on how was access to install it obtained it the first place.

    • Did you RTFA? This is not an apache module.
      • by dmomo ( 256005 )

        I did. I probably over-read because I got caught up in 3 other articles about the subject. I'm sorry about the confusion. My main point stands. The real issue is that this requires an insecure system in the first place.

    • by Nyder ( 754090 )

      This looks like a module for apache that, while sinister and clever, must be installed like any other module. Presumable, unless I'm missing something, this requires root access. If this so called "back door" (debatable) is on a system where it shouldn't be there is a bigger question on how was access to install it obtained it the first place.

      Yes, sort of confusing. What I gained from the various articles is that by visiting a malicious webpage on a compromised server, it will try to install the backdoor thru whatever methods it has. What they aren't that specific on is how they manage to replace the apache executable. But since it seems there isn't a standard way to tell if apache is infected, that is sort of stupid.

      But other then that, it sounds a bit clever.

      • by Anonymous Coward

        We also don’t have enough information to pinpoint how those servers are initially being hacked, but we are thinking through SSHD-based brute force attacks.

        They didn't really find a backdoor in Apache, rather they found a modified httpd with some interesting new features installed on otherwise compromised servers. It's not an Apache problem. If you keep your servers secure in first place, you won't have this problem.

  • by Anonymous Coward

    other than a modified 'httpd' file.

    That seems like a pretty significant trace. Check the MD5 yourself. You can check it with 'debsums', you don't even have to set it up unlike tripwire [sourceforge.net].

  • Back in the day, people broke into servers for fun.

    Now, people break into servers to serve advertising.

    Soon, people will break into servers to drop bitcoin miners on them.

    I guess now we know where the real money is: ad impressions. What Ad networks serve ads to the cracker community?

  • by Bert64 ( 520050 ) <.moc.eeznerif.todhsals. .ta. .treb.> on Monday April 29, 2013 @11:32AM (#43581721) Homepage

    Surely detection is pretty easy if the httpd binary has been modified, most distributions already have features to check the binaries on a system against known checksum lists from the packages they were installed from, so a modified httpd would stick out like a sore thumb.

    • by Anonymous Coward

      Given that you didn't mention what tools you could use to compare the checksums to the package tells me that you, and most others aren't checking packages on a regular basis.

  • "Apache Backdoor in the Wild"

    Am I the only one who initially pictured a rear entrance to a teepee in the countryside?

  • Maybe I missed it, but I don't see any details on how httpd gets compromised in the first place? Is there a zero-day vulnerability in apache that allows itself to be overwritten?

  • by dgharmon ( 2564621 ) on Monday April 29, 2013 @04:45PM (#43585227) Homepage
    "ESET researchers .. have been analyzing a new threat affecting Apache webservers. The threat is a highly advanced and stealthy backdoor .. Researchers have named the backdoor Linux/Cdorked.A, and it is the most sophisticated Apache backdoor seen so far"

    How does this advanced threat get onto the Apache webservers in the first place?
  • by Anonymous Coward

    What is with the hyper-sensationalized reports of "advanced and stealthy" Apache vulnerabilities lately? First darknet, now Cdorked? It is clearly FUD, as even the least competent systems administrator could confirm.... Neither of these security issues have anything at all to do with Apache except that they target the Apache binaries for modification.

    The only vulnerability here is that for some reason you allowed your server to get rooted. Neither of these attacks can be carried out without root access,

  • Isn't Apache Open Source?

    Isn't Open Source the only way to prevent this stuff from getting into the wild?

    Are we totally screwed because our last best hope hopeless?

    • by ruir ( 2709173 )
      As if proprietary software also hasn't bigger problemsopen source is supposed to mitigate this problems, and improve the quality of software.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Well according to the above comments the vulnerability comes from CPanel, which isn't open source.

    • They are getting root so that they can install their hacked Apache binary by exploiting holes in Cpanel. Which is closed source.

news: gotcha

Working...