dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
886
share rss forum feed


markofmayhem
Why not now?
Premium
join:2004-04-08
Pittsburgh, PA
kudos:5

2 recommendations

Apache malware found in the wild

At the time of writing, the ESET Livegrid monitoring system is showing hundreds of webservers that seem to be affected by this backdoor with thousands of visitors being redirected to malicious content. We will publish more information on the scale and complexity of this operation in the days to come.

Our analysis of this malware, dubbed Linux/Cdorked.A, reveals that it is a sophisticated and stealthy backdoor meant to drive traffic to malicious websites. We urge system administrators to check their servers and verify that they are not affected by this threat. Detailed instructions to perform this check are provided below.

»www.welivesecurity.com/2013/04/2···ackhole/
--
Show off that hardware: join Team Discovery and Team Helix

TheMG
Premium
join:2007-09-04
Canada
kudos:3
Reviews:
·NorthWest Tel

The article isn't really clear (either that or I'm just not smart enough to fully understand it), but what is the mechanism by which an Apache server becomes infected with this malware? Or is the backdoor being talked about something that pre-exists in Apache and is being exploited?

Also, there is no mention of which versions of Apache are affected/vulnerable? Or is it all versions?



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17

Any comments or queries may be posted to the article via Disqus


TheMG
Premium
join:2007-09-04
Canada
kudos:3
Reviews:
·NorthWest Tel

said by siljaline:

Any comments or queries may be posted to the article via Disqus

Yet ANOTHER service to sign up for and yet ANOTHER password to remember.

No thanks.


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17

Such is social commenting, et alia.

The article author or person(s) responsible - would be happy to hear from you.



norwegian
Premium
join:2005-02-15
Outback
reply to TheMG

said by TheMG:

Also, there is no mention of which versions of Apache are affected/vulnerable? Or is it all versions?

From my understanding it is http communicated on cPanel-based Apache servers.

quote:
However, during the last few months we started to see a change on how the injections were being done. On cPanel-based servers, instead of adding modules or modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one.
quote:
As mentioned before, Linux/Cdorked does not write any files on the disk. Instead, it allocates around six megabytes of shared memory to keep its state and configuration information. This memory block, a POSIX shared region of memory (shm), is used by all Apache subprocesses but can also be accessed by any other process since the malware authors didn’t limit its permission.
But for your specific needs, I can understand your want to see more clarification.

quote:
Linux/Cdorked.A Remediation

As previously mentioned, the permissions on the shared memory allocation are loose. This allows other process to access to memory. We have made a free tool (dump_cdorked_config.py) to allow systems administrators to verify the presence of the shared memory region and dump its content into a file. We also recommend using debsums for Debian or Ubuntu systems and `rpm –verify` for RPM based systems, to verify the integrity of your Apache web server package installation. (However, remember to temper this advice with the reality that the package manifest could have been altered by an attacker.) Checking for the presence of the shared memory is the recommended way to make sure you are not infected. We would be interested in receiving any memory dumps for further analysis.

At the time of writing, the ESET Livegrid monitoring system is showing hundreds of webservers that seem to be affected by this backdoor with thousands of visitors being redirected to malicious content. We will publish more information on the scale and complexity of this operation in the days to come.
quote:
Detection

In our previous posts, we recommended the utilization of tools like “rpm -Va” or “rpm -qf” or “dpkg -S” to see if the Apache modules were modified. However, those techniques won’t work against this backdoor. Since cPanel installs Apache inside /usr/local/apache and does not utilize the package managers, there is no single and simple command to detect if the Apache binary was modified.

They also keep the same timestamp on the binary, so you can’t see by the date of the file. A good and reliable way to identify the modified binary is by searching for “open_tty” on the httpd directory:

# grep -r open_tty /usr/local/apache/

If it finds open_tty in your Apache binary, it is likely compromised, since the original Apache binary does not contain a call to open_tty. Another interesting point is that if you try to just replace the bad binary with a good one, you will be denied, because they set the file attribute to immutable. So you have to run chattr -ai before replacing it:

# chattr -ai /usr/local/apache/bin/httpd
Maybe ask ESET themselves via email?

--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
reply to markofmayhem

Apache binaries replaced by stealth malcious ones:
»www.virusbtn.com/news/2013/04_30.xml



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to markofmayhem

More informative links to add to thread:
• »www.csoonline.com/article/732537···-attacks
• »www.theregister.co.uk/2013/04/30···ability/
• »news.techworld.com/security/3444···malware/
• »www.v3.co.uk/v3-uk/news/2264874/···r-attack