The Most Sophisticated Apache Backdoor
Antivirus vendor Eset has detected a malicious campaign on the internet that uses a backdoor for the popular Apache web server, aiming to redirect visitors to a malicious site hosting the Blackhole exploit kit. Eset says it found the campaign on Friday and that over the past few days it has already affected "many hundreds" of sites.
Righard Zwienenberg, a senior security specialist at Eset, says that this backdoor, called Linux/Cdorked.A, is one of the most advanced attacks against Apache servers, since it is designed specifically for use on servers. Antivirus software is rarely installed on web servers, yet a web server can handle hundreds of thousands of clients a day, so the damage from such an attack can be very significant.
Eset says the malicious code operates on the target server through an ingenious scheme of hidden HTTP requests, some of which give access to the server software but leave no entries in the Apache logs on the web server, which greatly complicates detection of the intrusion by administrators. After the server has been accessed through a series of HTTP POST requests, the backdoor begins executing its main task.
"In the case of Linux/Cdorked.A the problem is that this code leaves no traces on the compromised machine other than the modified httpd executable, which makes it difficult to establish that a break-in has occurred," Eset says.
According to the antivirus company, a server can be identified as compromised either by manual examination of its files, by visiting all the sites hosted on the server and looking for unauthorized redirects, by installing antivirus on the server, or by complex memory debugging of the running server. On servers that today host tens or even hundreds of websites, many of these measures are simply not feasible.
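Two of the detection routes just listed, manual inspection of files and visiting every hosted site to look for unauthorized redirects, can be scripted. The Python below is an added example written for this page, not Eset's tooling or anything from the original article. It assumes that the known-good hash of the httpd binary is taken from the distribution package or a pre-incident backup rather than from the suspect host, and the browser-like User-Agent string is an assumption about how the hosted sites should be crawled. Redirects are flagged when they point outside the set of hosts the administrator expects; 3xx responses are inspected rather than followed, and meta-refresh and JavaScript location assignments in the page body are checked as well.

```python
"""Check an Apache host for a replaced httpd binary and for off-site redirects
served by the sites it hosts. Added example for this article, not Eset's code."""
import hashlib
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# ASSUMPTION: crawl with a browser-like User-Agent in case the server treats
# scanners and browsers differently. Any string works for the parsing below.
BROWSER_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.36")


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream the file so a multi-megabyte binary is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def binary_is_trusted(path: str, known_good_sha256: str) -> bool:
    """Compare the installed httpd with a hash obtained from a trusted source
    (the distribution package or a clean backup), not from the suspect host."""
    return sha256_of_file(path) == known_good_sha256.lower()


# Redirect carriers a visitor's browser would act on.
_META_TAG = re.compile(r"<meta\b[^>]*>", re.I)
_REFRESH = re.compile(r"""http-equiv\s*=\s*["']?refresh""", re.I)
_REFRESH_URL = re.compile(r"""url\s*=\s*["']?([^"'>\s;]+)""", re.I)
_JS_LOCATION = re.compile(
    r"""(?:window|document|top|self)\.location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I)


def _header(headers, name):
    """Case-insensitive header lookup on a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def find_offsite_redirects(base_url, status, headers, body, allowed_hosts=()):
    """Return (kind, absolute_target) for every redirect that leaves the allowed hosts.
    Covers 3xx Location headers, <meta http-equiv=refresh>, and JS location assignments."""
    base_host = (urlparse(base_url).hostname or "").lower()
    allowed = {h.lower() for h in allowed_hosts} | {base_host}
    candidates = []
    location = _header(headers, "Location")
    if 300 <= status < 400 and location:
        candidates.append(("http-3xx", location))
    for tag in _META_TAG.findall(body):
        if _REFRESH.search(tag):
            match = _REFRESH_URL.search(tag)
            if match:
                candidates.append(("meta-refresh", match.group(1)))
    for match in _JS_LOCATION.finditer(body):
        candidates.append(("javascript", match.group(1)))
    findings = []
    for kind, target in candidates:
        absolute = urljoin(base_url, target)  # relative targets stay on the site
        host = (urlparse(absolute).hostname or "").lower()
        if host not in allowed:
            findings.append((kind, absolute))
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the 3xx response itself can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, user_agent=BROWSER_UA, timeout=10):
    """Return (status, headers, body) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(request, timeout=timeout) as response:
            return (response.status, dict(response.headers.items()),
                    response.read(200_000).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx land here
        return err.code, dict(err.headers.items()), err.read().decode("utf-8", "replace")


def scan_sites(urls, allowed_hosts=()):
    """Fetch each hosted site once and map it to its off-site redirect findings."""
    return {url: find_offsite_redirects(url, *fetch(url), allowed_hosts) for url in urls}


if __name__ == "__main__":
    import sys
    # usage: python check_httpd.py /usr/sbin/httpd <known-good-sha256> https://site1 https://site2 ...
    binary, good_hash, *sites = sys.argv[1:]
    print("httpd binary matches known-good hash:", binary_is_trusted(binary, good_hash))
    for site, hits in scan_sites(sites).items():
        print(site, "clean" if not hits else hits)
```

Run it once per server from a machine that is not the suspect host, passing the hash of the packaged httpd and the list of virtual hosts the server serves; a redirect to a host outside the expected set is a lead to follow, not proof of compromise on its own, since a legitimate off-site redirect will be flagged the same way.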
It is reported that the infected sites redirect users to resources associated with the Blackhole exploit kit. Eset says that several hundred servers are currently infected with the code, while the number of hacked sites is most likely in the thousands.
"The attack is particularly dangerous in light of the fact that Apache is the most popular web server in the world. In addition, many servers run no antivirus, so it is simply impossible to say how far the infection extends," Eset said.
The antivirus company says it first came across this malicious code when it found evidence of break-ins at the sites of two well-known companies, which it did not name.
Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole …