Kansas City, MO
Apache 2.2.22 vector for Darkleech malware?
Just saw this at ars tech
The ongoing attacks, estimated to have infected 20,000 websites in the past few weeks alone, are significant because of their success in targeting Apache, by far the Internet's most popular Web server software. Once it takes hold, Darkleech injects invisible code into webpages, which in turn surreptitiously opens a connection that exposes visitors to malicious third-party websites, researchers said. Although the attacks have been active since at least August, no one has been able to positively identify the weakness attackers are using to commandeer the Apache-based machines.
·Verizon Online DSL
This has been going on for months now, and I'm not too sure that the exploit is Apache's fault given that numerous versions from 2.2.22 and up are serving up the poison. My guess, as well as others, is that Darkleech (an actual rogue Apache add-on module) is getting copied into servers via other exploits.
Among the popular suspects are hacks into old CMS systems, buggy scripts, purloined passwords and most likely, SQL injections. Given that this script runs across numerous instances, it must be running with root privileges, and most webmasters are limited accounts. There is also a major SSH daemon exploit on Linux boxes that provides just the means to break in and remain persistent on these systems. The majority of infected systems are running Linux, and the SSHD fix has only occurred recently on that platform.
Although there's no official finger pointing at the cause, Apache is only serving up what it's being told to in its configuration. I don't think that's the problem.
Kevin McAleavey, Co-founder, The KNOS Project.
"For folks who still need a reliable desktop machine in an age of consumption devices."
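The Ars quote above describes the visible symptom of a Darkleech infection: invisible code injected into served pages that opens a connection to a third-party site. Whatever the initial entry vector turns out to be, a webmaster can check served output for that symptom. The script below is an added example written for this thread, not code from Ars Technica, the KNOS Project or any Darkleech analysis; it scans HTML for iframes that are hidden by CSS, placed off-screen or sized to a pixel or two, and notes when such a frame loads from a host other than the site's own. The page, host names and injected tags are constructed placeholders (`*.invalid`), and the size and position heuristics are generic, not a Darkleech signature.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for host www.example.org: two legitimate, visible frames
# (one same-origin, one third-party) and two injected hidden frames. All hosts are
# placeholders, not real indicators.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.org/embed/video" width="560" height="315"></iframe>
<iframe src="https://video-host.invalid/embed/1" width="560" height="315"></iframe>
<iframe src="http://injected-host.invalid/in.cgi?3" style="visibility: hidden; position:absolute; left:-5000px; width:1px; height:1px"></iframe>
<div><iframe src="http://another-host.invalid/x" width="0" height="0" frameborder="0"></iframe></div>
</body></html>"""

# Heuristics applied to the inline style after lower-casing and stripping spaces.
OFFSCREEN = re.compile(r"(left|top):-\d+px")
TINY_CSS = re.compile(r"(width|height):0*[0-2](px)?(;|$)")


def _tiny_attr(value):
    """True when a width/height attribute is 0-2 px, a common way to make a frame invisible."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", str(value))
    return m is not None and int(m.group(1)) <= 2


class HiddenIframeFinder(HTMLParser):
    """Collects <iframe> tags that are hidden from the visitor, noting third-party sources."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: v for k, v in attrs}
        style = (a.get("style") or "").lower().replace(" ", "")
        reasons = []
        if "display:none" in style or "visibility:hidden" in style or "hidden" in a:
            reasons.append("hidden via CSS/attribute")
        if OFFSCREEN.search(style):
            reasons.append("positioned off-screen")
        if (_tiny_attr(a.get("width")) and _tiny_attr(a.get("height"))) or TINY_CSS.search(style):
            reasons.append("near-zero size")
        # Only hidden frames are reported; a visible third-party embed is ordinary page content.
        if not reasons:
            return
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        if host and host != self.page_host:
            reasons.append("third-party src host " + host)
        self.findings.append({"src": src, "reasons": reasons})


def find_suspicious_iframes(html, page_host):
    """Return a list of {src, reasons} for hidden iframes found in the HTML."""
    parser = HiddenIframeFinder(page_host)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "www.example.org"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Run it against pages fetched from the server's public address rather than from the filesystem: a module-level injection of the kind described in the thread alters what Apache serves, not the files on disk, so a clean document root proves nothing on its own.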