Almost Invisible Apache Backdoor Discovered By Researchers

About Graeme Caldwell — Graeme works as an inbound marketer for InterWorx, a revolutionary web hosting control panel for hosts who need scalability and reliability. Follow InterWorx on Twitter at @interworx, Like them on Facebook and check out their blog, http://www.interworx.com/community.

An extremely hard to find backdoor that exposes web users to malware infection has been discovered in the wild by security researchers. The Linux/Cdorked. A backdoor uses a number of advanced methods to avoid detection with the techniques normally employed by system administrators, and is estimated to be present on hundreds of machines.

The most recent of a series of serious Apache exploits discovered over the last few weeks, Linux/Cdorked.A is particularly pernicious because, in addition to providing a platform from which the Blackhole toolkit can be used against target machines, it makes almost no easily detectable changes to infected systems. The usual remediation techniques employed by system administrators are likely to simply destroy evidence of infection.

The backdoor stores none of its configuration files on disk, instead using shared memory to store its instructions and configuration. The only evidence on the filesystems of infected machines is a modified HTTP daemon binary. The backdoor receives its instructions via obfuscated URLs that Apache does not log and is capable of receiving 70 different instructions, indicating a comprehensive and fine grained control capability.

In addition to control via URL, the modified server binary also contains a reverse connect backdoor that can be triggered by a URL containing hostname and port data to connect to a shell session that the attacker controls.
Linux.Cdorked.A redirects clients to machines that contain malware payloads, but makes itself even more difficult to detect by avoiding redirecting clients that meet conditions that indicate that the connecting machine may be used by a site’s administrators. For example, it won’t redirect if the URL or hostname contains strings like “support” or “adm”. An administrator visiting an infected site is likely to see no evidence of the site having been exploited. Additionally, the backdoor sets a cookie on clients it redirects and won’t redirect the same client again, making it further difficult to determine the source of infection.

If an administrator suspects that their server has been infected they can use a tool created by ESET, whose researchers made the initial discovery, to dump the shared memory used by the backdoor for analysis.
It’s not clear how servers become infected initially, but all system administrators should employ industry best practices to ensure that their sites are not easily exploited, including having the most recent version of the Apache server installed and verifying that users with SSH access to servers are using secure passwords, as there is some indication that brute force attacks on SSH servers may be responsible.