A new sophisticated and stealthy Apache backdoor meant to drive traffic to malicious websites serving Blackhole exploit kit widely has been detected by Sucuri recently. Researchers claimed that this backdoor affecting hundreds of web servers right now.
Dubbed Linux/Cdorked.A, one of the most sophisticated Apache backdoors we have seen so far. The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis. All of the information related to the backdoor is stored in shared memory.
The configuration is pushed by the attacker through obfuscated HTTP requests that aren't logged in normal Apache logs. The HTTP server is equipped with a reverse connect backdoor that can be triggered via a special HTTP GET request. This means that no command and control information is stored anywhere on the system.
ESET researchers analyzed the binary and discovered a nasty hidden backdoor. In the Linux/Cdorked binary all the important or suspicious strings are encrypted and analysed version contains a total of 70 strings that are encoded this way.
The backdoor will check if the URL, the server name, or the referrer matches any of the following strings : '*adm*', '*webmaster*', '*submit*', '*stat*', '*mrtg*', '*webmin*', '*cpanel*', '*memb*', '*bucks*', '*bill*', '*host*', '*secur*', '*support*'. This is probably done to avoid sending malicious content to administrators of the website, making the infection harder to spot.
Researchers also found 23 commands in Linux/Cdorked.A that can be sent to the server via a POST to a specially crafted URL ie. command list : 'DU', 'ST', 'T1′, 'L1′, 'D1′, 'L2′, 'D2′, 'L3′, 'D3′, 'L4′, 'D4′, 'L5′, 'D5′, 'L6′, 'D6′, 'L7′, 'D7′, 'L8′, 'D8′, 'L9′, 'D9′, 'LA', 'DA'.
When attackers get full root access to the server, they can do anything they want. From modifying configurations, to injecting modules and replacing binaries.
When attackers get full root access to the server, they can do anything they want. From modifying configurations, to injecting modules and replacing binaries.