Back door Linux/Cdorked.A – An old friend returns

7 May 2015

Yesterday evening I found the link ‘Hackers open malware backdoor in Apache webservers’ in my email. In this E-Guide Warwick Ashford talks about a new threat named Linux/Cdorked.A that targets Apache web servers. Although the Linux/Cdorked.A back door has been known for years, its attack vector is still unknown. In addition, Linux/Cdorked.A appears to be hard to detect because

‘All information related to the backdoor is stored in shared memory on the server, making detection difficult and hampering analysis.’

I fully agree: this behaviour makes the back door really hard to detect. Nevertheless, sometimes it is necessary to restart a server, or at least the httpd daemon. If the back door lived only in memory, it would not survive the next restart. To become persistent, the httpd executable has to be modified. And this is the weak point of the back door.

If set up on a clean Linux installation, and well configured and maintained, integrity checkers like AIDE or OSSEC are able to detect changes to any executable. Most important, however, is that the log files written by the integrity checkers are regularly checked for integrity breaches, and that alarms are acted on directly. And this is the weak point of system administration.
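To make the integrity-checker argument concrete, here is a small added example (not code from the original post, and not part of AIDE or OSSEC) that does what those tools do at their core: record a baseline of digests, sizes and permission bits for a set of files, store it, and on a later run report which files were modified, removed or added. The file names (`httpd`, `mod_ssl.so`, `mod_unexpected.so`) and their contents are constructed for the demo and do not represent real binaries.

```python
"""Minimal file-integrity baseline and check in the spirit of AIDE/OSSEC.

Added example, not code from the original post or from the AIDE/OSSEC
projects.  File names such as httpd and the module files are constructed
for the demo.  It hashes a set of files into a baseline, stores it as
JSON, and on a later run reports modified, missing and added files.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file, read in 64 KiB chunks so large binaries fit."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record digest, size and permission bits for every existing regular file."""
    baseline = {}
    for p in paths:
        if os.path.isfile(p):
            st = os.stat(p)
            baseline[p] = {"sha256": sha256_of(p),
                           "size": st.st_size,
                           "mode": st.st_mode & 0o7777}
    return baseline


def save_baseline(baseline, dest):
    """Persist the baseline as JSON.  In production keep this copy off-host
    or on read-only media: whoever can replace httpd can also edit a
    baseline stored on the same machine."""
    with open(dest, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(src):
    """Read a baseline written by save_baseline."""
    with open(src) as f:
        return json.load(f)


def check_integrity(baseline, paths):
    """Compare the current state of `paths` against `baseline`.

    Any change in content, size or permission bits counts as modified;
    baseline entries with no file behind them are missing; files present
    now but absent from the baseline are added.  Lists are sorted.
    """
    current = build_baseline(paths)
    report = {"modified": [], "missing": [], "added": []}
    for p, recorded in baseline.items():
        if p not in current:
            report["missing"].append(p)
        elif current[p] != recorded:
            report["modified"].append(p)
    for p in current:
        if p not in baseline:
            report["added"].append(p)
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: baseline a fake httpd tree, then tamper with it.

    Returns the report with base names only, so the result does not depend
    on the temporary directory used.
    """
    with tempfile.TemporaryDirectory() as d:
        def path(name):
            return os.path.join(d, name)

        # 1. Clean install: two constructed "binaries" are baselined.
        with open(path("httpd"), "wb") as f:
            f.write(b"\x7fELF fake httpd binary, clean build\n")
        with open(path("mod_ssl.so"), "wb") as f:
            f.write(b"\x7fELF fake module\n")
        save_baseline(build_baseline([path("httpd"), path("mod_ssl.so")]),
                      path("baseline.json"))

        # 2. Tampering: httpd is replaced, one module vanishes, one appears.
        with open(path("httpd"), "wb") as f:
            f.write(b"\x7fELF fake httpd binary, with extra code appended\n")
        os.remove(path("mod_ssl.so"))
        with open(path("mod_unexpected.so"), "wb") as f:
            f.write(b"\x7fELF fake module nobody installed\n")

        # 3. Next check: scan the directory and compare with the stored baseline.
        watched = [path(n) for n in os.listdir(d) if n != "baseline.json"]
        report = check_integrity(load_baseline(path("baseline.json")), watched)
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Running the script prints the tampered `httpd` as modified, `mod_ssl.so` as missing and `mod_unexpected.so` as added. The real tools do the same job with far more metadata and an off-host or signed database (`aide --check` for AIDE, or `rpm -V httpd` on RPM-based systems to verify the package's own files), but the principle the post relies on is identical: a replaced httpd binary changes its digest, and the check only helps if somebody reads its output.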

Don’t panic… and focus on the right and important things.