Jim Lawrence
accessd at shaw.ca
Wed May  8 12:16:46 CDT 2013
Hi Hans:

Obviously Apache is not the source of the compromise, just the result, but once compromised it can be used like a zombie to do anything. Apache is absolutely everywhere, built into thousands of systems and most of, or virtually all, the largest server sites in the world. This is really the first of its kind, as Linux servers have never had any major attack such as this.

"This is the first time I've seen an attack that will actually target different Web servers, meaning the attacker is willing to create the backdoor for Apache, Lightttp, and nginx," Pierre-Marc Bureau, Eset's security intelligence program manager, told Ars. "Somebody is running an operation that can victimize various Web servers and in my opinion this is the first time that has ever happened. This is a stealthy, sophisticated, and streamlined distribution mechanism for getting malware on end users' computers."

Have you run the rpm -verify command on all your supported sites to see that the HTTP daemon the rootkit uses has not been altered, and/or downloaded and run the Python script:

http://www.welivesecurity.com/wp-content/uploads/2013/04/dump_cdorked_config.7z

The script just checks the size of the Apache header file and determines if the size is wrong... pretty basic.

Of course the question now is: can the infected servers be fixed, and can this type of attack be blocked?

Here is a link to a little more about one of the two backdoor kits:

http://blog.eset.ie/2013/04/

Jim

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Hans-Christian Andersen
Sent: Wednesday, May 08, 2013 4:33 AM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] The Apache web server is full of holes

News just in....
"Attack hitting Apache sites goes mainstream, hacks nginx, Lighttpd, too"
http://arstechnica.com/security/2013/05/attack-hitting-apache-sites-goes-mainstream-hacks-nginx-lighttpd-too/

So, looks like Apache isn't the source of the compromise...

- Hans

On 2013-05-05, at 3:36 PM, "Jim Lawrence" <accessd at shaw.ca> wrote:

> According to the article, it does appear that external access was gained
> through the web, and we still have to look at Apache as a part of the
> problem. A web server should never allow unfettered access to the root
> operating system, no matter what the situation.
>
> We never know what languages will be run on our web servers, as they may be
> flaky in the extreme (the first versions of ASP come to mind), but as long
> as root access is completely blocked via the web server interface, corrupted
> web sites are of a minor nature.
>
> I have never heard of any Web server being blamed for directly or indirectly
> allowing access to the hosting server's root. This, to my understanding, is a
> historical first.
>
> Neither Cpanel nor Plesk web management tools have been admitting any
> culpability, and until their involvement can be proved, one way or the other,
> Apache seems to be the logical cause. The few hacks that we have seen so
> far may just be the start of things, unless the cause can be proven otherwise.
>
> Jim
>
> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Hans-Christian
> Andersen
> Sent: Sunday, May 05, 2013 3:05 PM
> To: Discussion of Hardware and Software issues
> Subject: Re: [dba-Tech] The Apache web server is full of holes
>
> I'd just like to point out that, as far as I'm aware, researchers still do
> not know if this is a result of a security hole in Apache.
> As a matter of
> fact, that this exploit seems to affect only a relatively small number of
> servers and isn't spreading across the entire internet like wildfire
> indicates that it is most likely not a security issue with Apache, but with
> some other software. It has been suggested that it might be website hosting
> / management applications, like Cpanel and Plesk, that are the true culprit.
>
> What is interesting, however, from the point of view of Apache, is simply
> that it appears the authors of this exploit / malware seem to have put a lot
> of thought into making their malware hide its traces so that the server
> admins or website owner aren't able to tell that they've been affected.
>
> But, like I said, it's unlikely that these hacks are a result of some
> security hole in Apache.
>
> - Hans
>
>
> On 2013-05-05, at 2:47 PM, "Jim Lawrence" <accessd at shaw.ca> wrote:
>
>> All leading software packages are searched for vulnerabilities and, as
>> always, they will eventually be found. Apache's impact on the web server
>> market is huge, with more than half of all web sites using this back-end.
>>
>> Many holes have now been discovered, and whether the Apache package should
>> be used for major sites is in debate. Maybe it is time to move to Nginx and
>> wait until the holes can all be properly plugged.
>>
>> With packages such as the Blackhole exploit kit, available to any
>> script-kiddies,
>> (http://nakedsecurity.sophos.com/2012/03/29/exploring-the-blackhole-exploit-kit/)
>> it will be a while before Apache is safe to use again.
>>
>> Here is an interesting article on the current
>> http://blog.sucuri.net/2013/04/apache-web-server-attacks-continue-to-evolve.html
>>
>> Jim
>>
>> _______________________________________________
>> dba-Tech mailing list
>> dba-Tech at databaseadvisors.com
>> http://databaseadvisors.com/mailman/listinfo/dba-tech
>> Website: http://www.databaseadvisors.com
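Jim's suggestion in the message above is to use rpm's verify mode to see whether the web server daemon has been replaced. The script below is an added example, not code from the thread or from Eset: it filters `rpm -V` output down to the findings that matter for a swapped daemon (size or digest changed, or a file missing) and ignores config files, whose contents legitimately change on a running host. The package lookup and the `/usr/sbin/httpd` path in the live check at the bottom are assumptions for a Red Hat-style layout; the parser itself is fed constructed verify output so it can be tried offline.

```shell
#!/bin/sh
# Added example (not from the thread): triage `rpm -V` output for a web server
# package. The parser reads verify output from stdin, so it can be exercised
# offline against constructed lines; the live rpm call is at the bottom.

# rpm -V prints one line per file that differs from the package database:
#   9 attribute characters (S size, M mode, 5 digest, D device, L link,
#   U user, G group, T mtime, P caps; '.' = unchanged), two spaces, an
#   optional file-type letter (c config, d doc, g ghost, l license, r readme),
#   a space, then the path. Files that are gone print as "missing ... path".
#
# Print a MODIFIED line for every non-config file whose size or digest
# changed and a MISSING line for each absent file. Exit 1 if anything was
# flagged, 0 if the package verified clean (empty input).
flag_modified_files() {
    found=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in
            missing*)
                printf 'MISSING  %s\n' "${line##* }"
                found=1
                continue
                ;;
        esac
        attrs=$(printf '%s' "$line" | cut -c1-9)
        rest=$(printf '%s' "$line" | cut -c10-)
        rest=${rest#"${rest%%[! ]*}"}          # drop leading spaces
        case "$rest" in
            [cdglr]\ /*) ftype=${rest%% *}; path=${rest#* } ;;
            *)           ftype=""; path=$rest ;;
        esac
        # Config edits (httpd.conf etc.) are expected on a live server;
        # a changed daemon binary or module is not.
        [ "$ftype" = "c" ] && continue
        case "$attrs" in
            *S*|*5*)
                printf 'MODIFIED %s %s\n' "$attrs" "$path"
                found=1
                ;;
        esac
    done
    return $found
}

# Live check (assumes a Red Hat-style layout with httpd at /usr/sbin/httpd).
# rpm -V trusts the local rpm database, which an attacker who had root could
# also have altered; a stronger check is to fetch the exact package again and
# verify against that file with `rpm -Vp httpd-<version>.rpm`.
if command -v rpm >/dev/null 2>&1 && [ -x /usr/sbin/httpd ]; then
    pkg=$(rpm -qf /usr/sbin/httpd) && rpm -V "$pkg" | flag_modified_files
fi
```

The same filter works for the nginx and Lighttpd packages by pointing `rpm -qf` at their binaries. Two caveats: a web server compiled from source (some hosting control panels do this) has no rpm record to verify against, and a clean `rpm -V` only means the files match the local database, so on a box where root was lost the package should be re-downloaded and checked with `rpm -Vp` as noted in the script.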