Apache binary backdoors on Cpanel-based servers

From Botnets.fr


Publication record

Title: Apache binary backdoors on Cpanel-based servers
Botnet:
Malware: Cdorked.A
Botnet/malware group:
Exploit kits:
Services:
Feature:
Distribution vector:
Target:
Origin:
Campaign:
Operation/Working group:
Vulnerability:
CCProtocol:
Date: 2013 / 2013-04-26
Editor/Conference: Sucuri
Link: http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html
Author: Daniel Cid
Type: Blogpost

Abstract

For the last few months we have been tracking server level compromises that have been utilizing malicious Apache modules (Darkleech) to inject malware into websites. Some of our previous coverage is available here and here.

However, during the last few months we started to see a change in how the injections were being done. On cPanel-based servers, instead of adding modules or modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one. This new backdoor is very sophisticated and we worked with our friends from ESET to provide this report on what we are seeing.

Bibtex

 @misc{2013BFR1324,
   editor = {Sucuri},
   author = {Daniel Cid},
   title = {Apache binary backdoors on Cpanel-based servers},
   day = {26},
   month = apr,
   year = {2013},
   howpublished = {\url{http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html}},
 }