Apache attack drives traffic to malware A security researcher is warning that an attack on the Apache Web server is increasingly showing up in the wild, and has published a free Python tool to check their configurations. The attack is designed to avoid leaving disk footprints, according to this post analysing the backdoor. It exists as a modified httpd file that …
.... This really tells us nothing, just like the last post about this which was as equally vague.
No-one has explained anywhere how this "malware" gets onto my server in the first place. Apache config can only be updated by root. Apache services can only be restarted by root. Apache does not run as root....
I found the article on Ars (http://arstechnica.com/security/2013/04/admin-beware-attack-hitting-apache-websites-is-invisible-to-the-naked-eye/) a bit more informative. The comments are also a good read.
cPanel has been a thorn in the side for years, but it is (somewhat) useful.
We've been hit by plesk vulnerabilities before, right now the pros still outweigh the cons. But I'm open for suggestions by anyone to replace it with something less prone to attacks.
As advertised e.g. at the German online IT publication www.heise.de, this attack is based on cPanel installations running on top of Apache webservers, refering to the original discovery made by Sucuri:
http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html
A detailed study of the mechanisms of the backdoor can be found at:
http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
