
root?
For a binary such as httpd to be rewritten, either the attacker has managed to get root access, or the servers have been set up by idiots.
Do people really run servers under the same id that own the binary files?
A mysterious backdoor that has been used to drive traffic to malicious websites may be more widespread than previously thought, security researchers say, and it affects more web servers than just Apache. The malware – which has been dubbed "Linux/Cdorked.A" or "Darkleech," depending whom you ask – was first spotted in the wild …
They sure do. I have seen it far too often, you get some idjit that believes that Linux servers are invulnerable and also thinks that 'chown', 'chmod' and even 'sudo' are deep wizardry and never uses them, instead opting to run everything as root.
The most common reason I see is that they installed some extension or library that requires more permissions than what the service account has, so rather than sitting down and figuring out how to allow the additional permissions, they just run under root because it works.
The bit that gets me is the "hard to detect" claim. If the httpd binary changes, I get alerts. It's not the only thing checked, but on a production server the only way it should legitimately change is if I run an update and/or recompile.
Until cdorked hit the news, I'd assumed it was standard practice to keep checksums of things you don't expect to change. Either people haven't bothered or they're ignoring alerts!
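One way to keep the kind of checksum baseline this commenter describes, as an added example that is not code from the thread or from any of the projects mentioned: record a SHA-256 plus owner and mode for each binary right after a known-good install, then alert on any drift. The file names and manifest path are constructed for the demo.

```python
"""Baseline-and-verify integrity check for binaries that should never change.
Added example (not from the thread); paths in the usage line are constructed."""
import hashlib
import json
import os
import sys
from pathlib import Path


def fingerprint(path):
    """SHA-256 plus owner and mode: a chown/chmod on httpd is as suspicious as a rewrite."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "uid": st.st_uid, "mode": oct(st.st_mode & 0o7777)}


def build_baseline(paths, manifest):
    """Record fingerprints once, right after a trusted install, update or recompile."""
    base = {str(p): fingerprint(p) for p in paths}
    Path(manifest).write_text(json.dumps(base, indent=2))
    return base


def verify(manifest):
    """Return {path: reason} for every watched file that differs from the baseline."""
    base = json.loads(Path(manifest).read_text())
    findings = {}
    for p, expected in base.items():
        if not os.path.exists(p):
            findings[p] = "missing"
            continue
        now = fingerprint(p)
        diffs = [k for k in expected if now[k] != expected[k]]
        if diffs:
            findings[p] = "changed: " + ", ".join(diffs)
    return findings


if __name__ == "__main__":
    # usage: integrity.py baseline MANIFEST PATH...   or   integrity.py verify MANIFEST
    cmd, manifest, *paths = sys.argv[1:]
    if cmd == "baseline":
        build_baseline(paths, manifest)
    else:
        for p, why in verify(manifest).items():
            print(f"ALERT {p}: {why}")
```

Keep the manifest off the watched host (or at least signed), since an attacker with root can rewrite the baseline as easily as the binary.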
"Given that Apache, Lighttpd, and Nginx are all open source software, it's not surprising that the attackers behind Cdorked were able to insert their backdoor code into all three."
I don't understand, are you suggesting that the Apache source repositories were compromised?
"What is curious, however, is how they managed to smuggle their Trojanized versions onto active servers"
They didn't, they hacked Cpanel-based servers ..
"not to mention what they hope to achieve by it".
Redirecting users to porn and gambling sites to generate hits ..
"As for how they got it in, I would assume they downloaded source for all three, compiled and are copying/replacing the binaries to infect the victims."
That doesn't explain how they got in either. The speculation among security researchers is something quite simple: ssh brute force attacks against the root account.
"The speculation among security researchers is something quite simple: ssh brute force attacks against the root account"
"DarkLeech .. infected the servers with an SSHD backdoor"
The way this story has been reported and commented on is completely doing my nut. If you go back to the original sucuri.net post then you will see that what they are reporting is new behaviour by Bad Peepulz ONCE THEY HAVE TAKEN CONTROL OF A SERVER. They are NOT reporting a new vulnerability in the server stack.
And it is, essentially, nothing to do with cPanel, or Apache.
Nor does there seem to be ANY evidence for SSH brute force as being the way in.
If you want root on a server (and you're not fussed which) it is a piece of piss. Scan the web looking for out-dated tim thumb implementations, or phpmyadmin installations with no root password, or whatever. Upload your shell. Now, out of all the servers you have collected, you are bound to find a few where the kernel is a year or two out of date and there's a privilege escalation exploit available.
> They didn't, they hacked Cpanel-based servers ..
You should probably read the article before linking to it. It doesn't say that only cPanel servers are being hacked, or that they were hacked due to a vulnerability in cPanel. It states that the "httpd" binary is being replaced on cPanel based servers, as opposed to installing a separate Apache module.
Here is the article: http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html
"Given that Apache, Lighttpd, and Nginx are all open source software, it's not surprising that the attackers behind Cdorked were able to insert their backdoor code into all three."
Since when have FLOSS servers been the ones who have been most at risk? I STRONGLY advise a retraction of this obviously wrong and inflammatory statement. FLOSS has been shown again and again and again to be both more secure and the project teams have been MORE responsive to security vulnerabilities than all of their closed source competitors.
Don't believe me? A quick visit to
http://scan.coverity.com
will quickly demonstrate just how wrong this position is.
No, it's you who are joking, right?
If you have access to the source code to some software, it's trivial to insert a backdoor and compile a binary from your modified source. You couldn't do that with software for which you only have binaries. There's nothing inflammatory about these facts.
The question is, how did these modified binaries replace the legitimate binaries on the infected servers? Presumably that requires root access. How it happened is what we don't know yet. They thought it was a cPanel vulnerability at first, but that no longer seems to be the case.
Having the source code makes it easy to add extra source (Duh!), but, guess what? It's well-known how to modify arbitrary binaries, and even easier to get a fake DLL loaded. Virus writers have been doing that for years with PEs, and kits are available.
While you're scrapping about which is more secure, the bad guys have got their act together and are using both: targeting the most popular web servers (FLOSS) to deliver malware to the most popular desktops (Windows).
"Since when have FLOSS servers been the ones who have been most at risk"
Every year without fail since about 1984 when Bill Gates made Microsoft's #1 priority to be security. Possibly you are right about other closed source systems, but Windows has consistently had fewer and less serious vulnerabilities that were fixed faster with fewer days at risk than equivalent enterprise Linux based Open Source stacks....
http://www.zdnet.com/linux-trailed-windows-in-patching-zero-days-in-2012-report-says-7000011326/
http://blogs.technet.com/b/security/archive/2008/10/28/download-h1-2008-desktop-vuln-report.aspx
http://blogs.technet.com/b/security/archive/2006/07/13/441386.aspx
This is why server defacement statistics show that Windows Server is much less likely to be hacked than Open Source enterprise Linux based alternatives...
Eset doesn't seem to specify which sites were compromised, nothing further. I'd first compare their ssh and user/admin credential policies, if at all possible.
As far as the numbers are concerned, one may consider 400 to be high enough. However, as Netcraft just published in their May survey counting about 463,852,555 websites running Nginx and Apache together (mostly on Linux).
< cause I need another
@ Bill (and everyone else I suppose):
It depends on the admin, since Apache (and NginX) is run by anyone from barely able to use the simplest interface to top notch pros, it makes sense that there will be some people who miss some part of the security best practices along the way, particularly with shared hosting. Those running IIS are likely paying someone decent cash to keep up to date. I think this explains more than simply _nix vs. MS.