Nasty New Apache Attack

Stealthy intrusion technique relies on shared memory, leaving no traces on disk.

A sophisticated Apache attack has appeared in the wild, according to reports, and has already infected hundreds of machines. The attack, known as Linux/Cdorked.A, redirects users to malicious sites, including sites that expose the user to the infamous Black Hole exploit pack. The attack does not leave any traces on the disk but, instead, saves its state and configuration in shared memory, making it very difficult to identify. The target for the attack appears to be Apache servers with the cPanel hosting control tool installed.
Analysis by security experts at Sucuri and ESET reveals that the attack disguises suspicious strings in the backdoor with an XOR operation. The backdoor is opened through a special HTTP GET request that has been modified so that it normally does not appear in the Apache logs.
As of now, the recommended method for uncovering evidence of the attack is a search of shared memory. ESET's We Live Security blog describes the attack and provides a tool called dump_cdorked_config that checks the shared memory segment in which the backdoor stores its data.
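As an added illustration of the shared-memory search the article recommends (example code written for this page; it is neither ESET's dump_cdorked_config tool nor code from the original article), the script below parses the Linux /proc/sysvipc/shm listing and reports System V shared memory segments owned by the web server user. The sample listing, the uid 48 and the segment sizes in it are constructed, and the script does not know the backdoor's actual segment layout, so a hit is a lead for closer inspection (for example with ESET's tool), not a confirmation of infection.

```python
"""Inventory System V shared memory segments owned by the web server user.

Linux exposes every System V shared memory segment through /proc/sysvipc/shm.
Because Linux/Cdorked.A is reported to keep its state and configuration in
shared memory rather than on disk, listing the segments owned by the Apache
user (and how many processes are attached to them) is a cheap first check
before running a dedicated dumper. Column layout assumed here (from the
kernel's sysvipc proc output): key shmid perms size cpid lpid nattch uid gid ...
with perms printed in octal.
"""
import os
import pwd
from dataclasses import dataclass
from typing import List, Optional

PROC_SHM = "/proc/sysvipc/shm"

# Constructed sample of /proc/sysvipc/shm for offline use (not a real capture).
# Row 2 and 3 are owned by uid 48 (apache on some distributions); uid 0 is root.
SAMPLE_SHM = """\
       key      shmid perms                  size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime                   rss                  swap
         0      32768   600                   4096  1234  1234      1     0     0     0     0 1368524000          0 1368524000                   4096                     0
         0      65537   600                1048576  2201  2208      8    48    48    48    48 1368524100          0 1368524100                1048576                     0
         0      98306   600                   4096  2201  2201      1    48    48    48    48 1368524200          0 1368524200                   4096                     0
"""


@dataclass
class ShmSegment:
    key: int
    shmid: int
    perms: int      # mode bits, parsed from the octal column
    size: int       # bytes
    cpid: int       # creator pid
    lpid: int       # pid of last shmat/shmdt
    nattch: int     # number of attached processes
    uid: int
    gid: int


def parse_sysvipc_shm(text: str) -> List[ShmSegment]:
    """Parse the text of /proc/sysvipc/shm; skips the header and short rows."""
    segments: List[ShmSegment] = []
    for line in text.strip().splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue
        segments.append(ShmSegment(
            key=int(f[0]), shmid=int(f[1]), perms=int(f[2], 8), size=int(f[3]),
            cpid=int(f[4]), lpid=int(f[5]), nattch=int(f[6]),
            uid=int(f[7]), gid=int(f[8])))
    return segments


def flag_candidates(segments: List[ShmSegment], web_uid: int,
                    min_size: int = 0) -> List[ShmSegment]:
    """Segments owned by the web server uid, at least min_size bytes, largest first.

    Ownership by the httpd user is the only property this check relies on; the
    size threshold is just a way to skip tiny, uninteresting segments.
    """
    hits = [s for s in segments if s.uid == web_uid and s.size >= min_size]
    return sorted(hits, key=lambda s: s.size, reverse=True)


def web_server_uid(candidates=("apache", "www-data", "nobody")) -> Optional[int]:
    """Resolve the first existing account name that Apache commonly runs as."""
    for name in candidates:
        try:
            return pwd.getpwnam(name).pw_uid
        except KeyError:
            continue
    return None


def report(segments: List[ShmSegment], web_uid: int) -> List[str]:
    lines = []
    for s in flag_candidates(segments, web_uid):
        lines.append(f"shmid={s.shmid} size={s.size} nattch={s.nattch} "
                     f"cpid={s.cpid} perms={s.perms:o} uid={s.uid}")
    return lines


if __name__ == "__main__":
    # Read the live listing when on Linux; otherwise fall back to the sample.
    text = open(PROC_SHM).read() if os.path.exists(PROC_SHM) else SAMPLE_SHM
    uid = web_server_uid() or 48  # 48 is the constructed uid in the sample
    for line in report(parse_sysvipc_shm(text), uid):
        print(line)
```

Run it as root on the suspect host so that every segment is listed; on a healthy Apache/cPanel box the result should be a short, explainable set, and any large segment owned by the httpd user with many attached workers deserves a dump and inspection.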

05/14/2013
