Web server backdoor also booby traps lighttpd and NGINX

The criminals behind Linux/Cdorked.A web server backdoor are targeting the lighttpd and NGINX web servers. This is in addition to the already discovered compromised Apache HTTPD servers, according to a blog post by the anti-virus specialists at ESET. Cdorked turns web servers into malware machines, sending a selection of their visitors to malicious pages used by exploit kits like Black Hole.

Based on their telemetry data, the virus experts say that they've now found the rootkit on more than 400 servers, and almost 100,000 ESET antivirus users have been redirected to malicious pages. Cdorked doesn't attack every visitor though. ESET found a blacklist on a hacked server that excluded about fifty per cent of all IPv4 addresses from being redirected. Users who have their browser's language set to Finnish, Japanese, Kazakh, Russian, Ukrainian or Belarusian are also apparently spared.

The redirection process is also different for users of Apple's iOS. They are redirected to a page with advertisements for pornography in an attempt to at least make some money off of them – a conventional exploit kit won't do any harm to an iOS device.

The configuration file for the backdoor is stored in a shared memory segment in the system memory – ESET has released a tool that can be used to read the file if the server is infected. It is, though, still unclear how Cdorked gets onto the servers in the first place; ESET's researchers believe that there is no common factor in the infection routes. Cpanel software, which was initially believed to be a common vector has been ruled out as it is only present on a minority of infected machines. They suspect that each server is compromised on an ad hoc basis.

(djwm)