Malicious servers opening backdoors, performing redirects.
Researchers at
ESET
and
Sucuri
have discovered a modified
Apache
binary that is used on hundreds of web servers to perform malicious redirects and open a backdoor to the server, while going to great lengths to hide its activity.
Recently, thousands of websites – most prominently that of the
LA Times
– have been
compromised
and malicious
Apache
modules installed to serve malware to visitors of the sites.
But this new attack goes a step further: rather than adding modules, it replaces the
Apache
binary itself. Through a special HTTP GET request, the attacker can open a backdoor and thus control the behaviour of the server. As this request doesn’t appear in the HTTP logs and the configuration is only stored in shared memory, barely any trace of the command and control communication is left on the server.
The compromised servers are then used to redirect users to both spam sites and the ‘Blackhole’ exploit kit. Again, the malware authors have gone to a lot of effort to prevent their activity from being detected: redirects are only performed once for each IP address, whereas no redirects are performed on pages typically visited by the site’s administrator, thus making it less likely for them to discover that something is amiss.
For now, the question of how the machines are compromised in the first place remains unanswered. Malware and keyloggers stealing FTP and login credentials are a known problem, but these usually wouldn’t provide the attackers with the root access needed to replace the
Apache
binary. It could of course be that these sites use the same password for root, or have passwordless sudo set up, but it may also be the case that another vulnerability is being used to escalate the attacker’s privileges.
While one may start to wonder whether it is time to run security software on web servers, administrators of servers running
Apache
are urged to check if their server is infected;
ESET
has provided a simple Python script for this purpose.
More at
ESET
‘s
We Live Security
blog
here
and at
Sucuri
‘s blog
here
.
Posted on 30 April 2013 by
Martijn Grooten
Leave a Reply