Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Apache binary backdoor adds malicious redirect to Blackhole

Published: 2013-04-30
Last Updated: 2013-04-30 16:57:06 UTC
by Russ McRee (Version: 1)
5 comment(s)

On 26 APR, Sucuri's Daniel Cid posted Apache Binary Backdoors on Cpanel-based servers. This coincided closely with a technical study of the Linux/Cdorked.A malware provided by ESET.

Sucuri stated that "on cPanel-based servers, instead of adding modules or modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one."

ESET's analysis of this malware revealed that it is a "sophisticated and stealthy backdoor meant to drive traffic to malicious websites."

Speculation regarding how the initial entry occured to allow injection in the first place is varied, but SSH bruteforce is on the list.  

See ESET's guidance regarding shared memory, and as always, validate the intergrity of httpd packages.

Review both articles, and if you're utilizing a shared webserver provided by a colo/ISP, be sure your confidence in their ability to manage and administer that server on your behalf is high.

Russ McRee | @holisticinfosec

Keywords: apache Blackhole
5 comment(s)
Diary Archives