Apache binary backdoor adds malicious redirect to Blackhole

Published: 2013-04-30
Last Updated: 2013-04-30 16:57:06 UTC
by Russ McRee (Version: 1)
5 comment(s)

On 26 APR, Sucuri's Daniel Cid posted Apache Binary Backdoors on Cpanel-based servers. This coincided closely with a technical study of the Linux/Cdorked.A malware provided by ESET.

Sucuri stated that "on cPanel-based servers, instead of adding modules or modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one."

ESET's analysis of this malware revealed that it is a "sophisticated and stealthy backdoor meant to drive traffic to malicious websites."

Speculation regarding how the initial entry occured to allow injection in the first place is varied, but SSH bruteforce is on the list.  

See ESET's guidance regarding shared memory, and as always, validate the intergrity of httpd packages.

Review both articles, and if you're utilizing a shared webserver provided by a colo/ISP, be sure your confidence in their ability to manage and administer that server on your behalf is high.

Russ McRee | @holisticinfosec

Keywords: apache blocklist
5 comment(s)
ISC StormCast for Tuesday, April 30th 2013 http://isc.sans.edu/podcastdetail.html?id=3275


Diary Archives