- Category: Tim's Blog
- Published: Tuesday, 30 April 2013 10:31
- Written by Tim Walls
- Hits: 2508
There is much commotion on the Internet at the moment about a malicious backdoor infecting Apache webservers on Linux, dubbed Linux/Cdorked.A. It's unclear if this is in fact the same infection dubbed Darkleech some weeks ago, or a new threat. The attack vector by which it is installed on servers is also unclear (although there is speculation that old exploits in the Plesk control panel provided by many virtual server hosting providers are being used - a timely reminder to system administrators that you need to make sure these aspects of your system are patched as well as the applications you install on it.)
Other speculation on attack vectors includes simple brute-forcing of passwords over SSH. This is again a reminder, to use strong SSH passwords or keys, but most importantly to firewall your server's SSH ports. There is no good reason for SSH to be exposed to the general internet - your firewall should block all access to SSH ideally from the public internet entirely (with management access being via an 'out of band' route such as a private leased line,) or at the very least should restrict access only to known IP addresses from which authorised administrators will access your servers.
(As an aside, any firewall which isn't configured with a default deny configuration is no firewall at all - but that's another story.)
Anyway, enough of the lecture - the most important question is "how can I tell if my server has a problem and might be infected?" The answer is - that's not terribly clear either. The best advice I've found online is provided by ESET, in this article. At the end of the article is a Python script which you can use to try and detect the shared memory segment the Cdorked backdoor uses to share its configuration details between Apache processes. As a bare minimum, your system administrator should be using this script to check your servers. (Remember, it's not known if this is 'the same' malware as Darkleech, but it absolutely is out there in the wild.)
And in the meantime - keep an eye out for further information...
Short version: Make sure your Apache system administrator has read and digested this article!