Sucuri and ESET experts have analyzed this threat

Apr 30, 2013 09:06 GMT

Security experts have identified another malicious Apache backdoor that’s used by cybercriminals to redirect traffic to their malicious websites.

According to experts from security firm Sucuri, the attackers are replacing the Apache binary (httpd) with a malicious one on cPanel-based servers. In older attacks, the injections were done by adding modules or by modifying the Apache configuration.

ESET has also analyzed this backdoor, which they’ve dubbed Linux/Cdorked.A.

The company says that Cdorked.A is the most sophisticated Apache backdoor they’ve ever analyzed.

“The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis. All of the information related to the backdoor is stored in shared memory,” ESET’s Pierre-Marc Bureau wrote in a blog post.

“The configuration is pushed by the attacker through obfuscated HTTP requests that aren’t logged in normal Apache logs. This means that no command and control information is stored anywhere on the system.”

Experts say that hundreds of servers have already been compromised, and that the attackers can do whatever they want with them.

“When attackers get full root access to the server, they can do anything they want. From modifying configurations, to injecting modules and replacing binaries. However, their tactics are changing to make it even harder for admins to detect their presence and recover from the compromise,” Sucuri CTO Daniel Cid explained.

Fortunately, there are some ways in which administrators can identify and clean the infections.

ESET provides administrators with a free tool that verifies the presence of a particular shared memory region and dumps its contents into a file.

Debian and Ubuntu users can use “debsums”, and administrators of RPM-based systems can use the “rpm --verify” command, to check the integrity of their Apache web server binary against the package manager’s records.
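A package-integrity check along the lines of the debsums / rpm --verify advice above, written as an added example (it is not ESET’s tool nor code from the article); the httpd paths and the cPanel path caveat are assumptions.

```shell
#!/bin/sh
# Added example (not ESET's or Sucuri's tooling): check whether the Apache
# binary still matches what the package manager installed, using the debsums
# and rpm --verify approach described above. Assumed paths: /usr/sbin/apache2
# on Debian/Ubuntu, /usr/sbin/httpd on RPM systems; cPanel's EasyApache
# may install elsewhere, so pass the real path as the first argument.
HTTPD_BIN=/usr/sbin/httpd
[ -x /usr/sbin/apache2 ] && HTTPD_BIN=/usr/sbin/apache2

# Interpret one "rpm -V" line such as "S.5....T.    /usr/sbin/httpd".
# Each position of the first field is one check; '5' means the digest differs
# and 'S' means the size differs, both of which indicate a replaced binary.
# A line whose first field is "missing" means the file is gone altogether.
# Returns 0 when the line indicates tampering, 1 otherwise.
rpm_line_is_tampered() {
    flags=$(printf '%s\n' "$1" | awk '{print $1}')
    case "$flags" in
        *5*|*S*|missing) return 0 ;;
        *) return 1 ;;
    esac
}

# debsums prints "<path>  OK" or "<path>  FAILED" (md5 mismatch against the
# package's shipped checksum list). Returns 0 when the line reports a mismatch.
debsums_line_is_tampered() {
    case "$1" in
        *FAILED*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the live binary. Exit status: 0 clean, 1 tampered, 2 could not verify.
check_httpd_binary() {
    bin=${1:-$HTTPD_BIN}
    if command -v rpm >/dev/null 2>&1 && pkg=$(rpm -qf "$bin" 2>/dev/null); then
        # rpm -V prints nothing for files that pass every check.
        line=$(rpm -V "$pkg" | awk -v f="$bin" '$NF == f' || true)
        [ -z "$line" ] && { echo "clean: $bin matches package $pkg"; return 0; }
        rpm_line_is_tampered "$line" && { echo "TAMPERED: $line"; return 1; }
        echo "metadata changed only (mode/owner/mtime): $line"; return 0
    elif command -v debsums >/dev/null 2>&1 && pkg=$(dpkg -S "$bin" 2>/dev/null | cut -d: -f1); then
        line=$(debsums "$pkg" 2>/dev/null | awk -v f="$bin" '$1 == f' || true)
        debsums_line_is_tampered "$line" && { echo "TAMPERED: $line"; return 1; }
        echo "clean: $bin matches package $pkg"; return 0
    fi
    echo "cannot verify $bin: no owning package or verification tool found"; return 2
}
```

Both tools compare against package metadata stored on the same host, which an attacker with root can also rewrite; `rpm -Vp` against a package file freshly downloaded from the distribution mirror avoids trusting the local database.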