Apache Binary Backdoors on Cpanel-based servers - Linux/Cdorked.A

simonas

Well-Known Member
Apr 21, 2013
141
0
16
Lithuania
cPanel Access Level
Root Administrator
It's not a security hole.

We also don’t have enough information to pinpoint how those servers are initially being hacked, but we are thinking through SSHD-based brute force attacks.
Make sure you are using keys or a very strong password for SSH, and that cPHulk is blocking all brute force attempts.
 

chinookwebs

Registered
May 2, 2013
1
0
1
cPanel Access Level
DataCenter Provider
Just to save everyone some time. I submitted a cPanel support ticket about this because if you have the FrontPage module loaded you may end up getting a false positive on this.

For example, you may see: grep: /usr/local/apache/logs/fpcgisock: No such device or address
The Sucuri article suggests/implies any response is bad.

From the cPanel support system they suggest:
Another way of checking for this would be the following:

strings /usr/local/apache/bin/httpd | grep open_tty

This method actually checks the binary itself, as opposed to relying on log files that are much more easily manipulated than a binary file.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
There is a Python script which can see if you're infected. If you are, that means either your root password was compromised or your kernel was old enough for privilege escalation. In either case, if you're infected, you need to migrate your sites and content to a new server with a clean OS installation (i.e. reimage your server).

https://gist.github.com/scuderiaf1/5483659
 

fcsnc

Well-Known Member
Mar 19, 2002
52
0
306
North Carolina
There is a Python script which can see if you're infected. If you are, that means either your root password was compromised or your kernel was old enough for privilege escalation. In either case, if you're infected, you need to migrate your sites and content to a new server with a clean OS installation (i.e. reimage your server).

https://gist.github.com/scuderiaf1/5483659
For me, this Python script gives a syntax error on line 34.
 

jack01

Well-Known Member
Jul 21, 2004
200
0
166
Any further clues about HOW Apache binary is being hacked? We need to be able to stop this from happening, but without information on the actual vector of attack, we feel quite helpless. Any help?
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
jack01,

The only way to edit/trojan the Apache binary is with root access; either your root PW / key gets compromised, or you're running a kernel old enough to allow privilege escalation. There were some pretty bad kernel exploits over the last year, so ensure your server(s) is/are running the most updated kernel available and you should be fine.
 

jack01

Well-Known Member
Jul 21, 2004
200
0
166
FWIW - On a CentOS 5.9 server with cPanel/WHM installed, we learned that the httpd binary from /usr/local/apache/bin/httpd is renamed and moved to /usr/bin/cvsup (normally a FreeBSD file, it seems) whenever the httpd binary is swapped out with the trojaned version.
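Added example (not code from this thread, from cPanel, or from Sucuri): a small POSIX shell script that wraps the two indicators mentioned in the posts above, the open_tty string in the httpd binary that cPanel support suggested checking, and the relocated /usr/bin/cvsup file jack01 reported. It uses grep -a instead of strings so it runs without binutils (an assumption about equivalence for this marker), and the paths are the thread's defaults, overridable via environment variables.

```shell
#!/bin/sh
# Added example: check a cPanel server for the Linux/Cdorked.A indicators
# discussed in this thread. Not the project's or the thread's own code.

# Defaults are the paths named in the thread; override via environment.
HTTPD_BIN="${HTTPD_BIN:-/usr/local/apache/bin/httpd}"
CVSUP_PATH="${CVSUP_PATH:-/usr/bin/cvsup}"

# Returns 0 if the file contains the "open_tty" string, 1 if not, 2 if the
# file is unreadable. grep -a scans the binary as text, so this matches what
# "strings FILE | grep open_tty" would find without needing binutils.
httpd_has_open_tty() {
    f="$1"
    [ -r "$f" ] || return 2
    grep -a -q 'open_tty' "$f"
}

# Prints one line per indicator and returns 0 when nothing looks suspicious,
# 1 when either indicator fires. Arguments override the default paths.
check_server() {
    bin="${1:-$HTTPD_BIN}"
    cvsup="${2:-$CVSUP_PATH}"
    suspicious=0

    # Capture the status even under "set -e".
    httpd_has_open_tty "$bin" && rc=0 || rc=$?
    case $rc in
        0) echo "SUSPICIOUS: $bin contains open_tty"; suspicious=1 ;;
        1) echo "ok: $bin has no open_tty string" ;;
        *) echo "warn: cannot read $bin" ;;
    esac

    # jack01 reported the original httpd being moved to /usr/bin/cvsup.
    if [ -e "$cvsup" ]; then
        echo "SUSPICIOUS: $cvsup exists (original httpd may have been moved here)"
        suspicious=1
    fi
    return $suspicious
}

# Run the check only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    check_server
fi
```

Run as root with `sh cdorked_check.sh --run`; a clean result here does not rule out compromise, it only means these two reported indicators are absent.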