[dba-Tech] The Apache web server is full of holes

Hans-Christian Andersen hans.andersen at phulse.com
Wed May 8 06:33:00 CDT 2013



News just in... "Attack hitting Apache sites goes mainstream, hacks nginx, Lighttpd, too"

http://arstechnica.com/security/2013/05/attack-hitting-apache-sites-goes-mainstream-hacks-nginx-lighttpd-too/

So, looks like Apache isn't the source of the compromise...

- Hans


On 2013-05-05, at 3:36 PM, "Jim Lawrence" <accessd at shaw.ca> wrote:

> According to the article, it does appear that external access was gained
> through the web and we still have to look at Apache as a part of the
> problem. A web server should never allow unfettered access to the root
> operating system no matter what the situation. 
> 
> We never know what languages will be run on our web servers as they may be
> flaky in the extreme (the first versions of ASP come to mind) but as long
> as root access is completely blocked via the web server interface, corrupted
> web sites are of a minor nature.
> 
> I have never heard of any Web server being blamed for directly or indirectly
> allowing access to the hosting server's root. This to my understanding is a
> historical first.
> 
> Neither Cpanel nor Plesk web management tools have been admitting any
> culpability and until their involvement can be proved, one way or the other,
> Apache seems to be the logical cause. The few hacks that we have seen so
> far may just be the start of things unless the cause can be proven otherwise.
> 
> Jim   
> 
> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Hans-Christian
> Andersen
> Sent: Sunday, May 05, 2013 3:05 PM
> To: Discussion of Hardware and Software issues
> Subject: Re: [dba-Tech] The Apache web server is full of holes
> 
> 
> 
> I'd just like to point out that, as far as I'm aware, researchers still do
> not know if this is a result of a security hole in Apache. As a matter of
> fact, that this exploit seems to only affect a relatively small number of
> servers and isn't spreading across the entire internet like wildfire
> indicates that it is most likely not a security issue with Apache, but with
> some other software. It has been suggested that it might be website hosting
> / management applications, like Cpanel and Plesk, that are the true culprit.
> 
> What is interesting however, from the point of view of Apache, is simply
> that it appears the authors of this exploit / malware seem to have put a lot
> of thought into making their malware hide its traces so that the server
> admins or website owners aren't able to tell that they've been affected.
> 
> But, like I said, it's unlikely that these hacks are a result of some
> security hole in Apache.
> 
> - Hans
> 
> 
> On 2013-05-05, at 2:47 PM, "Jim Lawrence" <accessd at shaw.ca> wrote:
> 
>> All leading software packages are searched for vulnerabilities and as always
>> they will eventually be found. Apache's impact into the web server market is
>> huge with more than half of all web sites using this back-end.
>> 
>> Many holes have now been discovered and whether the Apache package should be
>> used for major sites is in debate. Maybe it is time to move to Nginx and
>> wait until the holes can all be properly plugged.
>> 
>> With packages such as the Blackhole exploit kit, available to any
>> script-kiddies,
>> (http://nakedsecurity.sophos.com/2012/03/29/exploring-the-blackhole-exploit-kit/)
>> it will be a while before Apache is safe to use again.
>> 
>> Here is an interesting article on the current
>> http://blog.sucuri.net/2013/04/apache-web-server-attacks-continue-to-evolve.html
>> 
>> Jim  
>> 
>> _______________________________________________
>> dba-Tech mailing list
>> dba-Tech at databaseadvisors.com
>> http://databaseadvisors.com/mailman/listinfo/dba-tech
>> Website: http://www.databaseadvisors.com


