Detected malware for Linux-based servers

Posted: December 25, 2012 in IT Security News, Security Notices

Linux-based servers Vulnerability

Antivirus company ESET has reported the detection of new malware, Linux/Chapro.A, which attackers use to launch attacks on visitors to sites hosted on compromised Linux servers.

A distinguishing feature of Linux/Chapro.A is that the malicious code is built as a module for the Apache HTTP server; it injects iframes or JavaScript blocks that exploit browsers into the traffic of the sites being served.

Notably, the module includes several techniques for hiding its presence. In particular, it uses a cookie and a log of visitor IP addresses so that the malicious iframe is delivered to a given client only once (when the page is reopened, it contains no malicious content). In addition, the module performs no injection for IP addresses from which SSH logins to the server have been recorded, which prevents administrators from finding out how the machine was infected and from which site the malicious code was obtained. The module also has a built-in list of search-engine crawler identifiers and leaves pages intact when they are requested by crawlers. This makes it difficult to identify servers affected by the malicious module en masse and to flag them automatically as dangerous in search-engine results.
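Because of the serve-once, skip-admin and skip-crawler behaviour described above, a single fetch from an administrator's machine or a crawler looks clean. The following Python code is an added example, not from ESET or the original post: it compares captures of the same page taken under different client profiles and reports iframe or script hosts that appear for only some of them. The profile names, HTML and hosts are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _RefCollector(HTMLParser):
    """Collect (tag, host) for every <iframe src> and <script src> with a host."""

    def __init__(self):
        super().__init__()
        self.refs = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        src = dict(attrs).get("src")
        host = urlparse(src).netloc.lower() if src else ""
        if host:
            self.refs.add((tag, host))


def external_refs(html):
    """Return the set of (tag, host) references found in one HTML capture."""
    collector = _RefCollector()
    collector.feed(html)
    collector.close()
    return collector.refs


def injected_refs(captures, baseline="crawler"):
    """Return {profile: refs} for references absent from the baseline capture."""
    base = external_refs(captures[baseline])
    extra = {name: sorted(external_refs(body) - base)
             for name, body in captures.items() if name != baseline}
    return {name: refs for name, refs in extra.items() if refs}


# Constructed captures of one URL; hosts are placeholders, not real indicators.
PAGE = '<html><body><script src="//static.example.org/app.js"></script>%s</body></html>'
CAPTURES = {
    "crawler": PAGE % "",        # fetched with a search-engine User-Agent
    "admin_ip": PAGE % "",       # fetched from an address that has logged in over SSH
    "first_visit": PAGE % '<iframe src="http://injected.example.net/in" width="1" height="1"></iframe>',
    "repeat_visit": PAGE % "",   # same client again, cookie already set
}

if __name__ == "__main__":
    for profile, refs in injected_refs(CAPTURES).items():
        print(profile, refs)
```

Inline script blocks carry no `src` attribute, so catching injected inline JavaScript needs a diff of the response bodies in addition to this host comparison.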

The injected iframe targets Windows users and contains a link that loads a standard set of exploits for vulnerabilities in Internet Explorer, Adobe Reader and the Java plugin. If exploitation succeeds, the ZeuS trojan (Win32/Zbot) is installed on the client machine to intercept passwords and bank account information.

The malicious Apache module was found on a compromised server in binary form, built for 64-bit systems. How the server was hacked has not been reported; the most likely scenario is considered to be a leak of SSH keys or passwords from an administrator's machine (for some of the hacked servers, it was found that their administrators' machines had been hacked at the same time).
