[dba-Tech] The Apache web server is full of holes

Hans-Christian Andersen hans.andersen at phulse.com
Mon May 6 03:44:50 CDT 2013


Both articles are simply describing interesting things that hackers are doing with Apache on servers that have **already been compromised** (pardon the emphasis, but it matters). As you well know, once a server has been compromised, a hacker can do pretty much anything they desire. They could infect the web server to spread malware, steal your database or they could get the mail server to spit out hundreds of thousands of spam emails... etc etc...

What we don't know definitively yet, however, is how those servers got compromised. This is an important distinction. As far as anyone knows, it could be anything at this point - so pinning the blame on Apache is being misinformed. No security researcher has yet done that for good reason - only hyperventilating journalists have.

- Hans


On 2013-05-05, at 3:36 PM, "Jim Lawrence" <accessd at shaw.ca> wrote:

> According to the article, it does appear that external access was gained
> through the web and we still have to look at Apache as a part of the
> problem. A web server should never allow unfettered access to the root
> operating system no matter what the situation. 
> 
> We never know what languages will be run on our web servers as they may be
> flaky in the extreme (the first versions of ASP comes to mind) but as long
> as root access is completely blocked via the web server interface, corrupted
> web sites are of minor nature.
> 
> I have never heard of any Web server being blamed for directly or indirectly
> allowing access to the hosting server's root. This to my understanding is a
> historical first.
> 
> Neither Cpanel or Plesk web management tools have been admitting any
> culpability and until their involvement can be proved, one way or the other,
> Apache seems to be the logical cause. The few hacks, that we have seen so
> far, may just be start of things unless the cause can proven other wise.
> 
> Jim   
> 
> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Hans-Christian
> Andersen
> Sent: Sunday, May 05, 2013 3:05 PM
> To: Discussion of Hardware and Software issues
> Subject: Re: [dba-Tech] The Apache web server is full of holes
> 
> 
> 
> I'd just like to point out that, as far as I'm aware, researchers still do
> not know if this is a result of a security hole in Apache. As a matter of
> fact, that this exploit seems to only affect a relatively few number of
> servers and isn't spreading across the entire internet like wildfire
> indicates that it is most likely not a security issue with Apache, but with
> some other software. It has been suggested that it might be website hosting
> / management applications, like Cpanel and Plesk, that are the true culprit.
> 
> What is interesting however, from the point of view from Apache, is simply
> that it appears the authors of this exploit / malware seem to have put a lot
> of thought into making their malware hide its traces so that the server
> admins or website owner aren't able to tell that they've been affected.
> 
> But, like I said, it's unlikely that these hacks are a result of some
> security hole in Apache.
> 
> - Hans
> 
> 
> On 2013-05-05, at 2:47 PM, "Jim Lawrence" <accessd at shaw.ca> wrote:
> 
>> All leading software packages are searched for vulnerabilities and as
> always
>> they are eventual be found. Apache's impact into the web server market is
>> huge with more than half of all web sites using this back-end.
>> 
>> Many holes have now been discovered and whether the Apache package should
> be
>> used for major sites is in debate. Maybe it is time to move to Nginx and
>> wait until the holes can all be properly plugged.
>> 
>> With packages such as the Blackhole exploit kit, available to any
>> script-kiddies,
>> 
> (http://nakedsecurity.sophos.com/2012/03/29/exploring-the-blackhole-exploit-
>> kit/) it will be a while before Apache is safe to use again.   
>> 
>> Here is an interesting article on the current  
>> 
> http://blog.sucuri.net/2013/04/apache-web-server-attacks-continue-to-evolve.
>> html
>> 
>> Jim  
>> 
>> _______________________________________________
>> dba-Tech mailing list
>> dba-Tech at databaseadvisors.com
>> http://databaseadvisors.com/mailman/listinfo/dba-tech
>> Website: http://www.databaseadvisors.com
> 
> 
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> Website: http://www.databaseadvisors.com
> 
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> Website: http://www.databaseadvisors.com




More information about the dba-Tech mailing list