markofmayhem (Why not now?) Premium Member join:2004-04-08 Pittsburgh, PA
Apache malware found in the wild
At the time of writing, the ESET Livegrid monitoring system is showing hundreds of webservers that seem to be affected by this backdoor with thousands of visitors being redirected to malicious content. We will publish more information on the scale and complexity of this operation in the days to come.
Our analysis of this malware, dubbed Linux/Cdorked.A, reveals that it is a sophisticated and stealthy backdoor meant to drive traffic to malicious websites. We urge system administrators to check their servers and verify that they are not affected by this threat. Detailed instructions to perform this check are provided below. » www.welivesecurity.com/2 ··· ackhole/
TheMG (Premium Member, join:2007-09-04, Canada) 2013-Apr-26 7:34 pm
The article isn't really clear (either that or I'm just not smart enough to fully understand it), but what is the mechanism by which an Apache server becomes infected with this malware? Or is the backdoor being talked about something that pre-exists in Apache and is being exploited?
Also, there is no mention of which versions of Apache are affected/vulnerable. Or is it all versions?
siljaline (I'm lovin' that double wide, Premium Member, join:2002-10-12, Montreal, QC)
Any comments or queries may be posted to the article via Disqus
TheMG (Premium Member, join:2007-09-04, Canada) 2013-Apr-26 8:31 pm
said by siljaline: Any comments or queries may be posted to the article via Disqus
Yet ANOTHER service to sign up for and yet ANOTHER password to remember. No thanks.
siljaline (I'm lovin' that double wide, Premium Member, join:2002-10-12, Montreal, QC)
Such is social commenting, et alia.
The article author or person(s) responsible would be happy to hear from you.
norwegian (Premium Member, join:2005-02-15, Outback) to TheMG
said by TheMG: Also, there is no mention of which versions of Apache are affected/vulnerable? Or is it all versions?
From my understanding it is http communicated on cPanel-based Apache servers.
quote: However, during the last few months we started to see a change on how the injections were being done. On cPanel-based servers, instead of adding modules or modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one.
quote: As mentioned before, Linux/Cdorked does not write any files on the disk. Instead, it allocates around six megabytes of shared memory to keep its state and configuration information. This memory block, a POSIX shared region of memory (shm), is used by all Apache subprocesses but can also be accessed by any other process since the malware authors didn't limit its permissions.
But for your specific needs, I can understand your want to see more clarification.
quote: Linux/Cdorked.A Remediation
As previously mentioned, the permissions on the shared memory allocation are loose. This allows other processes to access the memory. We have made a free tool (dump_cdorked_config.py) to allow system administrators to verify the presence of the shared memory region and dump its content into a file. We also recommend using debsums for Debian or Ubuntu systems and `rpm verify` for RPM based systems, to verify the integrity of your Apache web server package installation. (However, remember to temper this advice with the reality that the package manifest could have been altered by an attacker.) Checking for the presence of the shared memory is the recommended way to make sure you are not infected. We would be interested in receiving any memory dumps for further analysis.
At the time of writing, the ESET Livegrid monitoring system is showing hundreds of webservers that seem to be affected by this backdoor with thousands of visitors being redirected to malicious content. We will publish more information on the scale and complexity of this operation in the days to come.
quote: Detection
In our previous posts, we recommended the utilization of tools like rpm -Va or rpm -qf or dpkg -S to see if the Apache modules were modified. However, those techniques won't work against this backdoor. Since cPanel installs Apache inside /usr/local/apache and does not utilize the package managers, there is no single and simple command to detect if the Apache binary was modified.
They also keep the same timestamp on the binary, so you can't tell by the date of the file. A good and reliable way to identify the modified binary is by searching for open_tty in the httpd directory:
# grep -r open_tty /usr/local/apache/
If it finds open_tty in your Apache binary, it is likely compromised, since the original Apache binary does not contain a call to open_tty. Another interesting point is that if you try to just replace the bad binary with a good one, you will be denied, because they set the file attribute to immutable. So you have to run chattr -ai before replacing it:
# chattr -ai /usr/local/apache/bin/httpd
Maybe ask ESET themselves via email?
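The two checks quoted in the post above (the open_tty string in the cPanel Apache tree, and the immutable attribute that blocks replacing httpd) as one read-only triage script. This is an added example, not ESET's dump_cdorked_config.py and not code from the thread; it assumes the /usr/local/apache path quoted above, treats lsattr as optional, and only reports, never runs chattr.

```shell
#!/bin/sh
# Added example (not from the thread or from ESET): read-only triage for the
# Linux/Cdorked.A indicators quoted above. Assumes the cPanel layout
# /usr/local/apache/bin/httpd; lsattr is used only when it is installed.

# List every file under directory $1 containing the string "open_tty".
# Returns 1 when at least one hit is found (original httpd has none).
find_open_tty() {
    dir="$1"
    hits=$(grep -rl -- open_tty "$dir" 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Report whether file $1 carries the immutable (i) or append-only (a)
# attribute the post says the attackers set; returns 1 when it does.
# Skipped (returns 0) when lsattr is unavailable or unsupported.
check_immutable() {
    f="$1"
    command -v lsattr >/dev/null 2>&1 || return 0
    attrs=$(lsattr -d -- "$f" 2>/dev/null | cut -d' ' -f1)
    case "$attrs" in
        *i*|*a*)
            printf 'immutable/append-only attribute set on %s (%s)\n' "$f" "$attrs"
            return 1 ;;
    esac
    return 0
}

# Run both checks against an Apache tree (default: the cPanel path).
# Exit status 1 means at least one indicator was found and needs review.
cdorked_triage() {
    dir="${1:-/usr/local/apache}"
    status=0
    find_open_tty "$dir" || status=1
    [ -f "$dir/bin/httpd" ] && { check_immutable "$dir/bin/httpd" || status=1; }
    return $status
}

# Usage: sh this_script.sh [apache_dir]; run as root to read the binaries.
[ "${0##*/}" = "cdorked_triage.sh" ] && cdorked_triage "$@"
```

A hit only tells you the binary deserves a closer look; the post's own remediation advice (clear the attribute with chattr -ai, then replace httpd from a trusted source) still applies.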
siljaline (I'm lovin' that double wide, Premium Member, join:2002-10-12, Montreal, QC) to markofmayhem
Apache binaries replaced by stealth malicious ones: » www.virusbtn.com/news/20 ··· 4_30.xml