Apache Binary Backdoors on Cpanel-based servers - Linux/Cdorked.A

It's not a security hole.

Make sure you are using keys or very strong password for ssh, and that cphulk is blocking all brute force attempts.

 

Just to save everyone some time. I submitted a cpanel support ticket about this because if you have frontpage module loaded you may end up getting a false positive on this.

For example, you may see : grep: /usr/local/apache/logs/fpcgisock: No such device or address
The sucuri article suggests/implies any response is bad.

From the cpanel support system they suggest:
Another way of checking for this would be the following:

strings /usr/local/apache/bin/httpd | grep open_tty

This method actually checks the binary itself, as opposed to relying on log files that are much more easily manipulated, than a binary file.

 

So better to disable frontpage from list of apache module ?

 

Of course, disable all modules you don't need or are not using.

 

There is a python script which can see if you're infected. If you are, that means either your root password was compromised or your kernel was old enough for privelege escalation. In either case, if you're infected, you need to migrate your sites and content to a new server with a clean OS installation (i.e. reimage your server).

https://gist.github.com/scuderiaf1/5483659

 

For me, this python script syntaxes on line 34.

 

Looks like there are indentation errors on that. I mirrored a working copy here:

[Python] dump_cdorked_config.py - Pastebin.com

make sure you copy it out of RAW paste data.

 

Thanks, but same error. Line 34 reads like this:

Looks a little goofy to me.

 

Make sure you paste into vim and ":set paste" first. Ensure the indenting matches the "raw" paste data.

 

Any further clues about HOW Apache binary is being hacked? We need to be able to stop this from happening, but without information on the actual vector of attack, we feel quite helpless. Any help?

 

jack01,

The only way to edit/trojan the apache binary is with root access; either your root PW / key gets compromised, or you're running a kernel old enough to allow privelege escalation. There were some pretty bad kernel exploits over the last year, so ensure your server(s) is/are running the most updated kernel available and you should be fine.

 

FWIW - On a CentOS 5.9 server with cPanel/WHM installed, we learned that the httpd binary from /usr/local/apache/bin/httpd is renamed and moved to /usr/bin/cvsup (normally a FreeBSD file, it seems) whenever the httpd binary is swapped out with the trojaned version.