Compromised Apache binaries load malicious code
Researchers at web security firm Sucuri have discovered modified binaries in the open source Apache web server. The binaries will load malicious code or other web content without any user interaction. Only files that were installed using the cPanel administration tool are currently thought to be affected. ESET says that several hundred web servers have been compromised.
The attack has been named Linux/Cdorked.A and is difficult to detect: As cPanel doesn't install the web server through common package managers such as RPM, the verification mechanisms of the package managers won't be any help. The attackers also retain the file's timestamp to prevent it from being detected by its date in the directory listing. Sucuri says that searching for the open_tty character string provides a clear indication that a binary has been manipulated:
The command grep -r open_tty /usr/local/apache/ returns no results on Apache binaries that are intact.
Details on the functionality of the compromised Apache binaries have been released by the ESET researchers who have described how the malware uses a shared memory segment that is about six megabytes in size and allows read and write access to all users and groups. The malware stores its configuration files in this memory segment. The server is controlled through specially crafted HTTP requests that won't show up in the server's log file and which allow the attackers to open a backdoor through which they can inject shell commands.
The HTTP connection appears to hang while the shell is in use, which offers a further indication that an Apache server has been infected if an administrator looks for long-running HTTP connections. In addition to the backdoor, the attackers have also built in a mechanism that allows them to load content into other web pages behind the scenes. ESET says that, under certain conditions, this mechanism is used to redirect users to Blackhole exploits or pornographic pages. However, this is apparently only done once per day and IP address for each accessing browser.
An Apache server that has been infected with Linux/Cdorked.A can't easily be replaced because the file's immutable bit is set.
chattr -ai /usr/local/apache/bin/httpd must be used to remove it before the server can be replaced with a web server that is intact.
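The three host-side indicators described above (the open_tty string in the binary, the immutable bit, and a large world-accessible shared memory segment) can be checked from a shell. The script below is an added example, not code from the article, Sucuri or ESET; its function names, the 5 MB size threshold and the ipcs -m column layout it parses are assumptions.

```shell
#!/bin/sh
# Added example (not from the article, Sucuri or ESET): host-side checks for
# the three Cdorked indicators described in the text. Function names, the 5 MB
# size threshold and the `ipcs -m` column layout are assumptions.

# Indicator 1: the open_tty string inside an httpd binary.
# Exit status 0 means the string was found (suspicious), 1 means not found.
has_open_tty() {
    grep -q open_tty "$1" 2>/dev/null
}

# Indicator 2: immutable bit on the binary. lsattr prints the attribute
# flags as its first field; a lowercase 'i' there means immutable.
# Exit status 0 if set, 1 if not set or lsattr is unavailable.
is_immutable() {
    lsattr -d "$1" 2>/dev/null | awk '{print $1}' | grep -q i
}

# Indicator 3: a SysV shared memory segment that is world readable and
# writable (perms 666) and large (>= 5 MB). Reads `ipcs -m` output on
# stdin and prints the shmid of every matching segment (assumed columns:
# key shmid owner perms bytes nattch status; data rows start with 0x).
suspicious_shm() {
    awk '$1 ~ /^0x/ && $4 == "666" && $5 + 0 >= 5 * 1024 * 1024 { print $2 }'
}

# Run all three checks against one binary and report what fired.
# Usage on a real host: scan_httpd /usr/local/apache/bin/httpd
scan_httpd() {
    bin="$1"
    has_open_tty "$bin" && echo "SUSPICIOUS: open_tty string in $bin"
    is_immutable "$bin" && echo "SUSPICIOUS: immutable bit set on $bin"
    ids=$(ipcs -m 2>/dev/null | suspicious_shm)
    [ -n "$ids" ] && echo "SUSPICIOUS: world-accessible shm segment(s): $ids"
    return 0
}

# Constructed sample of `ipcs -m` output for an offline demonstration:
# only the first data row (perms 666, about 6 MB) should be flagged.
SAMPLE_IPCS='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      nobody     666        6291456    3
0x00000000 65537      root       600        6291456    1
0x00000000 98306      nobody     666        4096       2'

printf '%s\n' "$SAMPLE_IPCS" | suspicious_shm   # prints 32768
```

A hit on any single indicator is a prompt to compare the binary against a known-good copy, not proof of infection on its own.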
"Darkleech", a predecessor of the current malware, used specially crafted Apache modules to load Blackhole exploits rather than a modified binary. It is thought to have infected several thousand web servers but the exact details on how it, and Linux/Cdorked.A, infected those servers are still unclear.