The Community Forums


Apache Binary Backdoors on Cpanel-based servers - Linux/Cdorked.A

Discussion in 'Security' started by jecro77, Apr 29, 2013.

  1. jecro77

    jecro77 Member

  2. simonas

    simonas Well-Known Member

    cPanel Access Level:
    Root Administrator
    It's not a security hole.

    Make sure you are using keys or a very strong password for SSH, and that cPHulk is blocking all brute force attempts.
     
  3. chinookwebs

    chinookwebs Registered

    cPanel Access Level:
    DataCenter Provider
    Just to save everyone some time: I submitted a cPanel support ticket about this because if you have the FrontPage module loaded you may end up getting a false positive on this.

    For example, you may see: grep: /usr/local/apache/logs/fpcgisock: No such device or address
    The Sucuri article suggests/implies any response is bad.

    From the cPanel support system they suggest:
    Another way of checking for this would be the following:

    strings /usr/local/apache/bin/httpd | grep open_tty

    This method actually checks the binary itself, as opposed to relying on log files, which are much more easily manipulated than a binary file.
     
  4. storminternet

    storminternet Well-Known Member

    cPanel Access Level:
    Root Administrator
    So is it better to disable FrontPage from the list of Apache modules?
     
  5. simonas

    simonas Well-Known Member

    cPanel Access Level:
    Root Administrator
    Of course, disable all modules you don't need or are not using.
     
  6. quizknows

    quizknows Well-Known Member

    cPanel Access Level:
    DataCenter Provider
    There is a Python script which can see if you're infected. If you are, that means either your root password was compromised or your kernel was old enough for privilege escalation. In either case, if you're infected, you need to migrate your sites and content to a new server with a clean OS installation (i.e. reimage your server).

    https://gist.github.com/scuderiaf1/5483659
     
  7. fcsnc

    fcsnc Well-Known Member

    For me, this Python script syntaxes on line 34.
     
  8. quizknows

    quizknows Well-Known Member

    cPanel Access Level:
    DataCenter Provider
  9. fcsnc

    fcsnc Well-Known Member

    Thanks, but same error. Line 34 reads like this:
    Looks a little goofy to me.
     
  10. quizknows

    quizknows Well-Known Member

    cPanel Access Level:
    DataCenter Provider
    Make sure you paste into vim and ":set paste" first. Ensure the indenting matches the "raw" paste data.
     
  11. jack01

    jack01 Well-Known Member

    Any further clues about HOW Apache binary is being hacked? We need to be able to stop this from happening, but without information on the actual vector of attack, we feel quite helpless. Any help?
     
  12. quizknows

    quizknows Well-Known Member

    cPanel Access Level:
    DataCenter Provider
    jack01,

    The only way to edit/trojan the Apache binary is with root access; either your root PW / key gets compromised, or you're running a kernel old enough to allow privilege escalation. There were some pretty bad kernel exploits over the last year, so ensure your server(s) is/are running the most updated kernel available and you should be fine.
     
  13. jack01

    jack01 Well-Known Member

    FWIW - On a CentOS 5.9 server with cPanel/WHM installed, we learned that the httpd binary from /usr/local/apache/bin/httpd is renamed and moved to /usr/bin/cvsup (normally a FreeBSD file, it seems) whenever the httpd binary is swapped out with the trojaned version.
     