10th May 2013, 07:44 | #1
Fallout of Apache backdoor spreads
It is starting to look like the existence of Linux/Cdorked.A could be a serious problem for the owners of web servers.
Linux/Cdorked.A is an advanced and stealthy Apache backdoor which can drive traffic from legitimate compromised sites to malicious websites carrying Blackhole exploit packs.
Now security experts at Eset have found that the backdoor also infects sites running the nginx and Lighttpd web servers.
While Apache is the bigger of the names, nginx has 15 percent of the webserver market and Eset has found 400 webservers infected with the backdoor, and 50 of them are among the world's most popular and visited websites.
Those who use Internet Explorer or Firefox on Microsoft Windows XP, Vista or 7 are the only ones who get redirected to sites hosting Blackhole, but Apple iOS users are also in danger as they get redirected to adult content sites that might be hosting malware.
A spokesperson from Eset said that it looks like the Linux/Cdorked.A threat is more stealthy than first thought. For example, it will not deliver malicious content if the victim's IP address is in a very long list of blacklisted IP ranges. If the victim's internet browser's language is set to Japanese, Finnish, Russian, Ukrainian, Kazakh or Belarusian, then the malware will not run.
The aim of this is to keep the work of the malware beneath the radar of the authorities and hinder monitoring efforts.
Cdorked uses compromised DNS servers to resolve the IP addresses of redirected sites which also makes the source of the malware hard to find.
At the moment the Blackhole exploit kit is delivering a variant of the Glupteba Trojan to the unsuspecting victims. This pushes clickjacking contextual advertising onto users.
But there is a lot about the backdoor that the researchers have not worked out yet. It is not clear how the malicious software was installed on the web servers. The malware does not propagate by itself and it does not exploit vulnerabilities in specific software.
To help system administrators spot the existence of the backdoor on their web servers, Eset has released a script that detects a specific modified httpd binary on the hard drive that's a definitive sign of infection.
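The article describes a server that only redirects certain browser/language combinations, which is a form of server-side cloaking an administrator can look for from the outside: request the same URL with several client header profiles, do not follow redirects, and compare what comes back. The script below is an added example written for this post; it is not Eset's detection script and not code from the original article. The User-Agent strings and language profiles are constructed, the redirect targets in the simulated server use the reserved `.invalid` domain as placeholders, and the detection assumes that a neutral command-line client (`baseline_curl`) receives the server's normal response.

```python
"""Differential probing for client-dependent redirects (cloaking) on a web server.

Added example, not part of the original post or of Eset's tooling. The same URL is
requested with several constructed browser/language header profiles, redirects are
not followed, and any profile that receives a different status or Location than a
neutral baseline client is reported. On a server one administers, a redirect that
appears only for certain browsers or locales is a sign of the behaviour described above.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Constructed header profiles; the User-Agent strings are illustrative, not real captures.
PROFILES: Dict[str, Dict[str, str]] = {
    "baseline_curl": {"User-Agent": "curl/7.30.0", "Accept-Language": "en-US"},
    "ie8_winxp_en": {
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
        "Accept-Language": "en-US,en;q=0.5",
    },
    "ie8_winxp_ru": {
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
        "Accept-Language": "ru-RU,ru;q=0.5",
    },
    "firefox_win7_en": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0",
        "Accept-Language": "en-US,en;q=0.5",
    },
    "safari_ios_en": {
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) AppleWebKit/536.26 Safari/8536.25",
        "Accept-Language": "en-US",
    },
}

Response = Tuple[int, Optional[str]]                 # (HTTP status, Location header or None)
Fetcher = Callable[[str, Dict[str, str]], Response]  # anything that performs one request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the Location header stays observable."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # unhandled 3xx is raised as HTTPError by urllib


def http_fetch(url: str, headers: Dict[str, str], timeout: float = 10.0) -> Response:
    """Real fetcher: one request with the given headers, redirects not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx responses land here
        return err.code, err.headers.get("Location")


def probe(url: str, fetch: Fetcher = http_fetch,
          profiles: Dict[str, Dict[str, str]] = PROFILES) -> Dict[str, Response]:
    """Request the URL once per header profile and collect (status, Location) per profile."""
    return {name: fetch(url, hdrs) for name, hdrs in profiles.items()}


def find_cloaking(results: Dict[str, Response],
                  baseline: str = "baseline_curl") -> Dict[str, Response]:
    """Profiles whose (status, Location) differ from what the baseline client received."""
    ref = results[baseline]
    return {name: r for name, r in results.items() if name != baseline and r != ref}


def simulated_cloaking_server(url: str, headers: Dict[str, str]) -> Response:
    """Constructed offline stand-in for a server showing the behaviour the article describes:
    Windows IE/Firefox clients are redirected unless their language is on a skip list,
    iOS clients are sent elsewhere, and every other client gets the normal page."""
    ua = headers.get("User-Agent", "")
    lang = headers.get("Accept-Language", "").split(",")[0].split("-")[0].lower()
    skipped_languages = {"ja", "fi", "ru", "uk", "kk", "be"}
    if "Windows NT" in ua and ("MSIE" in ua or "Firefox" in ua) and lang not in skipped_languages:
        return 302, "http://redirect-target.invalid/"  # placeholder, not a real indicator
    if "iPhone" in ua:
        return 302, "http://other-target.invalid/"     # placeholder, not a real indicator
    return 200, None


if __name__ == "__main__":
    # Offline demonstration against the simulated server; swap in http_fetch for a live check.
    hits = find_cloaking(probe("http://www.example.com/", fetch=simulated_cloaking_server))
    for name, (status, location) in hits.items():
        print(f"{name}: {status} -> {location}")
```

Against the simulated server the English-language Windows IE and Firefox profiles and the iOS profile are flagged, while the Russian-language IE profile and the baseline are not, mirroring the language skip list and the platform targeting described above. Comparing against a neutral client rather than against a majority vote keeps the check meaningful even when most probed profiles are the ones being targeted.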