Stealthy, malware-spewing server attack not limited to Apache

A mysterious backdoor that has been used to drive traffic to malicious websites may be more widespread than previously thought, security researchers say, and it affects more web servers than just Apache. The malware – which has been dubbed "Linux/Cdorked.A" or "Darkleech," depending whom you ask – was first spotted in the wild …

COMMENTS

This topic is closed for new posts.
  1. Jamie Jones
    WTF?

    root?

    For a binary such as httpd to be rewritten, either the attacker has managed to get root access, or the servers have been set up by idiots.

    Do people really run servers under the same id that own the binary files?

    1. Anonymous Coward

      Re: root?

      Could be that a repository mirror has been infected with it or something along those lines, and the Apache install has always been infected.

    2. Crazy Operations Guy

      Re: root?

      They sure do. I have seen it far too often: you get some idjit that believes that Linux servers are invulnerable and also thinks that 'chown', 'chmod' and even 'sudo' are deep wizardry and never uses them, instead opting to run everything as root.

      The most common reason I see is that they installed some extension or library that requires more permissions than what the service account has, so rather than sitting down and figuring out how to allow the additional permissions, they just run under root because it works.

    3. Ben Tasker

      Re: root?

      The bit that gets me is the "hard to detect" claim. If the httpd binary changes, I get alerts. It's not the only thing checked, but on a production server the only way it should legitimately change is if I run an update and/or recompile.

      Until cdorked hit the news, I'd assumed it was standard practice to keep checksums of things you don't expect to change. Either people haven't bothered or they're ignoring alerts!
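      The check Ben Tasker describes, as an added example that is not from this thread: record a digest, size and mode for each binary you never expect to change, then diff a fresh scan against that baseline. The demo() function runs it on constructed stand-in files in a temporary directory; the real watched paths (e.g. /usr/sbin/httpd) are an assumption for the reader to fill in.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(paths):
    """Digest, size and mode per watched path; a path that does not exist is recorded as None."""
    baseline = {}
    for p in paths:
        if os.path.isfile(p):
            st = os.stat(p)
            baseline[p] = {"sha256": sha256_of(p), "size": st.st_size,
                           "mode": oct(st.st_mode & 0o7777)}
        else:
            baseline[p] = None
    return baseline

def compare(baseline, current):
    """Group every path whose recorded state differs: modified, missing, or newly appeared."""
    report = {"modified": [], "missing": [], "appeared": []}
    for p, old in baseline.items():
        new = current.get(p)
        if old is not None and new is None:
            report["missing"].append(p)
        elif old is None and new is not None:
            report["appeared"].append(p)
        elif old != new:
            report["modified"].append(p)
    return report

def demo():
    """Run the check on constructed stand-in binaries in a temp dir and return the report."""
    d = tempfile.mkdtemp()
    httpd, nginx = os.path.join(d, "httpd"), os.path.join(d, "nginx")
    def write(path, data):
        with open(path, "wb") as f:
            f.write(data)
    write(httpd, b"\x7fELF original httpd")          # constructed stand-in for the real binary
    baseline = build_baseline([httpd, nginx])         # keep this copy off-host or on read-only media
    write(httpd, b"\x7fELF modified httpd")           # same size as before: size alone would miss it
    write(nginx, b"\x7fELF nginx")                    # a watched path that appears after baselining
    return compare(baseline, build_baseline([httpd, nginx]))
```

      Whoever replaced httpd as root can rewrite a baseline stored on the same host, so keep it elsewhere; package verification (rpm -V, dpkg -V) and tools such as AIDE do the same comparison against a distribution-supplied manifest.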

      1. as2003

        @Ben Tasker

        "All of the data related to the backdoor is held in shared memory and never touches the disk."

        (which just raises more questions than it answers...)

        1. Ben Tasker

          Re: @as2003

          Yes, but to do that the HTTPD binary is modified. So although there's only one change on disk, it's made to a file you expect never to change (unless you've updated etc.).

      2. Anonymous Coward

        Re: root?

        Or more likely, someone exploited one of the over 900 known and presumably many more unknown exploits in the Linux kernel....

  2. Anonymous Coward
    Linux

    Not surprising Apache hacked?

    "Given that Apache, Lighttpd, and Nginx are all open source software, it's not surprising that the attackers behind Cdorked were able to insert their backdoor code into all three."

    I don't understand, are you suggesting that the Apache source repositories were compromised?

    "What is curious, however, is how they managed to smuggle their Trojanized versions onto active servers"

    They didn't, they hacked cPanel-based servers ..

    "not to mention what they hope to achieve by it".

    Redirecting users to porn and gambling sites to generate hits ..

    1. Crazy Operations Guy

      Re: Not surprising Apache hacked?

      It was determined that it wasn't cPanel as mentioned in the article. As for how they got it in, I would assume they downloaded source for all three, compiled and are copying/replacing the binaries to infect the victims.

      1. Tom Samplonius
        Stop

        Re: Not surprising Apache hacked?

        "As for how they got it in, I would assume they downloaded source for all three, compiled and are copying/replacing the binaries to infect the victims."

        That isn't how they got in either. The speculation among security researchers is something quite simple: ssh brute force attacks against the root account.

        1. Anonymous Coward
          Linux

          SSH brute force attacks ..

          "The speculation among security researchers is something quite simple: ssh brute force attacks against the root account"

          "DarkLeech .. infected the servers with an SSHD backdoor"

          1. Anonymous Coward

            Re: SSH brute force attacks ..

            Glad my websites are on Windows Server....

            1. nuked
              Joke

              Re: SSH brute force attacks ..

              You got the wrong icon.

            2. oolor
              Linux

              Re: SSH brute force attacks ..

              AC 11:29

              Is that you Eadon?

        2. Dom 3

          Re: Not surprising Apache hacked?

          The way this story has been reported and commented on is completely doing my nut. If you go back to the original sucuri.net post then you will see that what they are reporting is new behaviour by Bad Peepulz ONCE THEY HAVE TAKEN CONTROL OF A SERVER. They are NOT reporting a new vulnerability in the server stack.

          And it is, essentially, nothing to do with cPanel, or Apache.

          Nor does there seem to be ANY evidence for SSH brute force as being the way in.

          If you want root on a server (and you're not fussed which) it is a piece of piss. Scan the web looking for out-dated TimThumb implementations, or phpMyAdmin installations with no root password, or whatever. Upload your shell. Now, out of all the servers you have collected, you are bound to find a few where the kernel is a year or two out of date and there's a privilege escalation exploit available.

    2. Tom Samplonius
      Stop

      Re: Not surprising Apache hacked?

      > They didn't, they hacked Cpanel-based servers ..

      You should probably read the article before linking to it. It doesn't say that only cPanel servers are being hacked, or that they were hacked due to a vulnerability in cPanel. It states that the "httpd" binary is being replaced on cPanel based servers, as opposed to installing a separate Apache module.

      Here is the article: http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html

  3. sgtrock
    FAIL

    You're joking, right?

    "Given that Apache, Lighttpd, and Nginx are all open source software, it's not surprising that the attackers behind Cdorked were able to insert their backdoor code into all three."

    Since when have FLOSS servers been the ones who have been most at risk? I STRONGLY advise a retraction of this obviously wrong and inflammatory statement. FLOSS has been shown again and again and again to be more secure, and the project teams have been MORE responsive to security vulnerabilities than all of their closed source competitors.

    Don't believe me? A quick visit to

    http://scan.coverity.com

    will quickly demonstrate just how wrong this position is.

    1. Neil McAllister

      Re: You're joking, right?

      No, it's you who are joking, right?

      If you have access to the source code to some software, it's trivial to insert a backdoor and compile a binary from your modified source. You couldn't do that with software for which you only have binaries. There's nothing inflammatory about these facts.

      The question is, how did these modified binaries replace the legitimate binaries on the infected servers? Presumably that requires root access. How it happened is what we don't know yet. They thought it was a cPanel vulnerability at first, but that no longer seems to be the case.

      1. Allan George Dyer
        Boffin

        Can you both just stop the Open/Closed wars? Re: You're joking, right?

        Having the source code makes it easy to add extra source (Duh!), but, guess what? It's well-known how to modify arbitrary binaries, and even easier to get a fake DLL loaded. Virus writers have been doing that for years with PEs, and kits are available.

        While you're scrapping about which is more secure, the bad guys have got their act together and are using both: targeting the most popular web servers (FLOSS) to deliver malware to the most popular desktops (Windows).

    2. TheVogon
      Mushroom

      Re: You're joking, right?

      "Since when have FLOSS servers been the ones who have been most at risk"

      Every year without fail since about 1984, when Bill Gates made security Microsoft's #1 priority. Possibly you are right about other closed source systems, but Windows has consistently had fewer and less serious vulnerabilities that were fixed faster with fewer days at risk than equivalent enterprise Linux based Open Source stacks....

      http://www.zdnet.com/linux-trailed-windows-in-patching-zero-days-in-2012-report-says-7000011326/

      http://blogs.technet.com/b/security/archive/2008/10/28/download-h1-2008-desktop-vuln-report.aspx

      http://blogs.technet.com/b/security/archive/2006/07/13/441386.aspx

      This is why server defacement statistics show that Windows Server is much less likely to be hacked than Open Source enterprise Linux based alternatives...

  4. eulampios

    no details

    Eset doesn't seem to specify which sites were compromised, nothing further. I'd first compare their ssh and user/admin credential policies, if at all possible.

    As far as the numbers are concerned, one may consider 400 to be high enough. However, Netcraft just published their May survey counting about 463,852,555 websites running Nginx and Apache together (mostly on Linux).

  5. Anonymous Coward

    Surprise

    Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft?

    People need to give themselves a shake and stop using MS products!

    1. Anonymous Coward

      Re: Surprise

      Obvious troll is obvious

      1. Anonymous Coward

        Re: Obvious troll is obvious

        and disappointingly ineffectual. 3 downvotes! I guess all the freetards are trolling the "windows 8 is being redesigned" thread....

    2. Crisp

      Re: Surprise

      I think I'll ignore the opinions of someone who couldn't be bothered to read the article.

    3. Tom 38

      Re: Surprise

      Sometimes, even Eadon is too ashamed to put their name to a post.

  6. Velv
    Trollface

    But, but, but, but, but, but, but, but, but, but....

    ...open source applications and OS's are immune to viruses and malware and security threats and shit.

    <</troll>> stones and glasshouses.

    1. Bill the Sys Admin

      Ask Eadon and yes. Ask any sane open source user/supporter and they would say no. Do you notice Eadon never shows his face on articles like this?

      Doesn’t change the fact I would choose Apache or NginX over IIS any day though.

      1. Anonymous Coward

        "Doesn’t change the fact I would choose Apache or NginX over IIS any day though."

        Have you seen the exploit stats around that? http://www.zone-h.org/news/id/4737 - IIS is a much lower risk.

        1. Anonymous Coward

          Downvoted for having some statistics

          that site is obviously just MS FUD!

      2. oolor
        Pint

        ah Eadon

        < cause I need another

        @ Bill (and everyone else I suppose):

        It depends on the admin, since Apache (and NginX) is run by anyone from barely able to use the simplest interface to top notch pros, it makes sense that there will be some people who miss some part of the security best practices along the way, particularly with shared hosting. Those running IIS are likely paying someone decent cash to keep up to date. I think this explains more than simply _nix vs. MS.
