Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Apache binary backdoor adds malicious redirect to Blackhole - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Apache binary backdoor adds malicious redirect to Blackhole

On 26 APR, Sucuri's Daniel Cid posted Apache Binary Backdoors on Cpanel-based servers. This coincided closely with a technical study of the Linux/Cdorked.A malware provided by ESET.

Sucuri stated that "on cPanel-based servers, instead of adding modules or modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one."

ESET's analysis of this malware revealed that it is a "sophisticated and stealthy backdoor meant to drive traffic to malicious websites."

Speculation regarding how the initial entry occured to allow injection in the first place is varied, but SSH bruteforce is on the list.  

See ESET's guidance regarding shared memory, and as always, validate the intergrity of httpd packages.

Review both articles, and if you're utilizing a shared webserver provided by a colo/ISP, be sure your confidence in their ability to manage and administer that server on your behalf is high.

Russ McRee | @holisticinfosec

Russ McRee

181 Posts
ISC Handler
Has anyone tested if this compromise is detected by AV?
Anonymous
Russ McRee

181 Posts
ISC Handler
Just for due diligence; there is all talk about httpd for Linux, but does anybody know if this affect Windows versions of httpd?

Maybe me just not seeing something.
amilroy

9 Posts
Seems to me that the headline is a little misleading - the official Apache binary does not have a "backdoor". Replacing a good binary with a malicious one is rather a trojan if I'm remembering my nomenclature correctly.
bkendall

7 Posts
If you're running e-commerce on shared hosting, you pretty much deserve what you get. If $7.95 a month hosting is your business plan, you have planned to fail.
bkendall
57 Posts

Sign Up for Free or Log In to start participating in the conversation!