Apache redirects infected users with malware

Known as cdorked, a ESET survey called the most complex http://www.aliyun.com/zixun/aggregation/14417.html ">apache one of the backdoor viruses.

"The attacker uses a complex and invisible malware block to infect the Apache Web server." According to ESET Security Intelligence project manager Pierre-marc according, known as LINUX/CDORKED.A's backdoor virus, is "one of the most complex Apache backdoor viruses we've seen." ”

"Backdoor virus through the complex forensics analysis, can leave traces of the host hard drive, rather than modify the httpd binaries." "All the information associated with backdoor programs is stored in shared memory," according wrote in the blog. The attacker was able to implement this configuration by confusing the HTTP request with an inability to log on to the Apache log normally. This means that there is no command and control information anywhere on the storage system. ”

Cdorked exploits the infamous intrusion tool blackhole exploit kit has systematically pushed a hosted web site to the user. According to ESET analysis, the malware has invaded hundreds of Web servers.

"How the server was initially attacked is not yet clear, but it may have been subjected to brute force attacks." "Cto,daniel CID, a security company Sucuri, said in a blog.

"Over the past few months, we've been tracking the server-level cracking behavior of using the Apache module to inject malware into the site." "he wrote. "However, over the past few months, we have noticed that this type of injection has changed. He added, "On the cpanel-based server, the attacker tried to replace Apache's httpd binaries with malware, rather than using previous additions or modifications to the Apache configuration." ”

He pointed out that, on the site, the stolen binaries did not appear to have changed. But for random requests--such as adding a malware redirect to each IP address every day--this will be very different from just showing the content.

After redirection, a network tracker is set on the client so that it cannot be redirected again. "If you send a request that looks like an admin page, the network tracker will be set," according explains. When URL, server name or match the following characters *adm*, *webmaster*, *submit*, *stat*, *mrtg*, *webmin*, *cpanel*, *memb*, *bucks*, *bill*, *host*, * secur* and *support*backdoor users online, backdoor programs will find it. This may be done to avoid sending malicious content to the site's administrators, making it difficult to implement an intrusion infection. ”

According recommends that organizations check existing shared memory to make sure they are not infected. ESET also released a free tool to allow system administrators to verify the existing shared memory area and the contents of the dump to another file.

This is the latest case of an attacker invading the Apache Web server. Earlier this year, researchers discovered that malicious program Darkleech was active, successfully infecting thousands of Web servers and running Apache 2.2.2 or above. "So far, there has been no connection between LINUX/CDORKED.A and Darkleech," says Stephen Cobb, a eset security preacher.

"When attackers get full access to the storage root directory, they can do whatever they want, from modifying the configuration infection module to replacing binary files." "But their changing tactics make it hard for administrators to detect their presence," The CID blog said. ”