
Fallout of Apache backdoor spreads
Old 10th May 2013, 06:44   #1
[M] Reviewer
Join Date: May 2010
Location: Romania
Posts: 119,089

It is starting to look like the existence of Linux/Cdorked.A could be a serious problem for the owners of web servers.

Linux/Cdorked.A is an advanced and stealthy Apache backdoor which can drive traffic from legitimate compromised sites to malicious websites carrying Blackhole exploit packs.

Now security experts at Eset have found that the backdoor also infects sites running the nginx and Lighttpd web servers.

While Apache is the bigger of the names, nginx has 15 percent of the webserver market and Eset has found 400 webservers infected with the backdoor, and 50 of them are among the world's most popular and visited websites.

Those who use Internet Explorer or Firefox on Microsoft Windows XP, Vista or 7 are the only ones who get redirected to sites hosting Blackhole, but Apple iOS users are also in danger as they get redirected to adult content sites that might be hosting malware.

A spokesperson from Eset said that it looks like the Linux/Cdorked.A threat is more stealthy than first thought. For example, it will not deliver malicious content if the victim's IP address is in a very long list of blacklisted IP ranges. If the victim's internet browser's language is set to Japanese, Finnish, Russian, Ukrainian, Kazakh or Belarusian, then the malware will not run.

The aim of this is to keep the work of the malware beneath the radar of the authorities and hinder monitoring efforts.

Cdorked uses compromised DNS servers to resolve the IP addresses of redirected sites which also makes the source of the malware hard to find.

At the moment the Blackhole exploit kit is currently delivering a variant of the Glupteba Trojan to the unsuspecting victims. This pushes clickjacking contextual advertising onto users.

But there is a lot about the backdoor that the researchers have not worked out yet. It is not clear how the malicious software was installed on the web servers. The malware does not propagate by itself and it does not exploit vulnerabilities in specific software.

To help system administrators spot the existence of the backdoor on their web servers, Eset has released a script that detects a specific modified httpd binary on the hard drive that's a definitive sign of infection.
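The post ends with Eset's detection script, which looks for a specific modified httpd binary. The general defensive technique behind that is binary integrity checking: record SHA-256 digests of the web server daemons on a known-clean host, then compare the running host against that baseline. The example below is an added illustration of that technique and is not Eset's script or any code from the original post; the binary paths in DEFAULT_BINARIES are assumed default install locations, and the baseline is constructed locally rather than taken from a real server.

```python
import hashlib
import json
from pathlib import Path

# Hypothetical default locations for the daemons named in the post
# (Apache httpd/apache2, nginx, lighttpd). Adjust for your distribution.
DEFAULT_BINARIES = [
    "/usr/sbin/httpd",
    "/usr/sbin/apache2",
    "/usr/sbin/nginx",
    "/usr/sbin/lighttpd",
]

CHUNK_SIZE = 1 << 20  # read binaries in 1 MiB chunks


def sha256_file(path):
    """SHA-256 hex digest of a file, streamed so large binaries fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Record digest and size for every path that exists.

    Run this on a host you trust (fresh install, verified packages) and keep
    the result OFF the web server, so an intruder who replaces httpd cannot
    also rewrite the baseline.
    """
    baseline = {}
    for raw in paths:
        p = Path(raw)
        if p.is_file():
            baseline[str(p)] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return baseline


def save_baseline(baseline, out_path):
    Path(out_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_path):
    return json.loads(Path(in_path).read_text())


def check_against_baseline(baseline):
    """Compare the current filesystem against a saved baseline.

    Returns a dict with three lists: 'modified' (digest differs: the case a
    backdoored httpd would land in), 'missing' (binary gone or moved) and
    'clean' (digest matches).
    """
    result = {"modified": [], "missing": [], "clean": []}
    for path, expected in baseline.items():
        p = Path(path)
        if not p.is_file():
            result["missing"].append(path)
            continue
        if sha256_file(p) != expected["sha256"]:
            result["modified"].append(path)
        else:
            result["clean"].append(path)
    return result


if __name__ == "__main__":
    import sys

    # Usage: python integrity_check.py baseline    -> writes baseline.json
    #        python integrity_check.py check       -> compares and exits 1 on findings
    mode = sys.argv[1] if len(sys.argv) > 1 else "check"
    if mode == "baseline":
        save_baseline(build_baseline(DEFAULT_BINARIES), "baseline.json")
    else:
        report = check_against_baseline(load_baseline("baseline.json"))
        print(json.dumps(report, indent=2))
        sys.exit(1 if report["modified"] or report["missing"] else 0)
```

A digest comparison only tells you that the file changed, not what changed; the point is to raise the alarm before an attacker's redirect logic ever runs. Where the daemon came from a distribution package, rpm -V and dpkg --verify give a similar check against the package database, but both read their reference data from the same host, so an out-of-band baseline like the one above is the stronger control.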
