Apache binary backdoor adds malicious redirect to Blackhole

Published: 2013-04-30. Last Updated: 2013-04-30 16:57:06 UTC
by Russ McRee (Version: 1)
5 comment(s)

On 26 APR, Sucuri's Daniel Cid posted Apache Binary Backdoors on Cpanel-based servers. This coincided closely with a technical study of the Linux/Cdorked.A malware provided by ESET.

Sucuri stated that "on cPanel-based servers, instead of adding modules or modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one."

ESET's analysis of this malware revealed that it is a "sophisticated and stealthy backdoor meant to drive traffic to malicious websites."

Speculation regarding how the initial entry occured to allow injection in the first place is varied, but SSH bruteforce is on the list.  

See ESET's guidance regarding shared memory, and as always, validate the intergrity of httpd packages.

Review both articles, and if you're utilizing a shared webserver provided by a colo/ISP, be sure your confidence in their ability to manage and administer that server on your behalf is high.

Russ McRee | @holisticinfosec

Keywords: apache blocklist
5 comment(s)

Comments

Has anyone tested if this compromise is detected by AV?
https://www.virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/
Just for due diligence; there is all talk about httpd for Linux, but does anybody know if this affect Windows versions of httpd?

Maybe me just not seeing something.
Seems to me that the headline is a little misleading - the official Apache binary does not have a "backdoor". Replacing a good binary with a malicious one is rather a trojan if I'm remembering my nomenclature correctly.
If you're running e-commerce on shared hosting, you pretty much deserve what you get. If $7.95 a month hosting is your business plan, you have planned to fail.

Diary Archives