Hi cPanel members, do you have any news about this security hole? Apache Binary Backdoors on Cpanel-based servers | Sucuri Blog
Apache Binary Backdoors on Cpanel-based servers - Linux/Cdorked.A
- Thread starter jecro77
- Start date
It's not a security hole.
Make sure you are using keys or very strong password for ssh, and that cphulk is blocking all brute force attempts.We also don’t have enough information to pinpoint how those servers are initially being hacked, but we are thinking through SSHD-based brute force attacks.
Just to save everyone some time. I submitted a cpanel support ticket about this because if you have frontpage module loaded you may end up getting a false positive on this.
For example, you may see : grep: /usr/local/apache/logs/fpcgisock: No such device or address
The sucuri article suggests/implies any response is bad.
From the cpanel support system they suggest:
Another way of checking for this would be the following:
strings /usr/local/apache/bin/httpd | grep open_tty
This method actually checks the binary itself, as opposed to relying on log files that are much more easily manipulated, than a binary file.
For example, you may see : grep: /usr/local/apache/logs/fpcgisock: No such device or address
The sucuri article suggests/implies any response is bad.
From the cpanel support system they suggest:
Another way of checking for this would be the following:
strings /usr/local/apache/bin/httpd | grep open_tty
This method actually checks the binary itself, as opposed to relying on log files that are much more easily manipulated, than a binary file.
There is a python script which can see if you're infected. If you are, that means either your root password was compromised or your kernel was old enough for privelege escalation. In either case, if you're infected, you need to migrate your sites and content to a new server with a clean OS installation (i.e. reimage your server).
https://gist.github.com/scuderiaf1/5483659
https://gist.github.com/scuderiaf1/5483659
For me, this python script syntaxes on line 34.There is a python script which can see if you're infected. If you are, that means either your root password was compromised or your kernel was old enough for privelege escalation. In either case, if you're infected, you need to migrate your sites and content to a new server with a clean OS installation (i.e. reimage your server).
https://gist.github.com/scuderiaf1/5483659
Looks like there are indentation errors on that. I mirrored a working copy here:
[Python] dump_cdorked_config.py - Pastebin.com
make sure you copy it out of RAW paste data.
[Python] dump_cdorked_config.py - Pastebin.com
make sure you copy it out of RAW paste data.
Thanks, but same error. Line 34 reads like this:
Looks a little goofy to me.shmid = shmget(SHM_KEY, SHM_SIZE, 0o666)
Make sure you paste into vim and ":set paste" first. Ensure the indenting matches the "raw" paste data.
jack01,
The only way to edit/trojan the apache binary is with root access; either your root PW / key gets compromised, or you're running a kernel old enough to allow privelege escalation. There were some pretty bad kernel exploits over the last year, so ensure your server(s) is/are running the most updated kernel available and you should be fine.
The only way to edit/trojan the apache binary is with root access; either your root PW / key gets compromised, or you're running a kernel old enough to allow privelege escalation. There were some pretty bad kernel exploits over the last year, so ensure your server(s) is/are running the most updated kernel available and you should be fine.
FWIW - On a CentOS 5.9 server with cPanel/WHM installed, we learned that the httpd binary from /usr/local/apache/bin/httpd is renamed and moved to /usr/bin/cvsup (normally a FreeBSD file, it seems) whenever the httpd binary is swapped out with the trojaned version.
