{"id":2110,"date":"2013-05-08T12:46:51","date_gmt":"2013-05-08T16:46:51","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=2110"},"modified":"2013-05-08T12:46:51","modified_gmt":"2013-05-08T16:46:51","slug":"attack-hitting-apache-sites-goes-mainstream-hacks-nginx-lighttpd-too","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/05\/08\/attack-hitting-apache-sites-goes-mainstream-hacks-nginx-lighttpd-too\/","title":{"rendered":"Attack hitting Apache sites goes mainstream, hacks nginx, Lighttpd, too"},"content":{"rendered":"

\"Attack<\/a><\/p>\n

Security researchers have uncovered an ongoing and widespread attack that causes sites running three of the Internet’s most popular Web servers to push potent malware exploits on visitors.
\nLinux\/Cdorked.A, as the malicious backdoor behind the attacks is known, has been observed infecting at least 400 Web servers, 50 of them from the Alexa top 100,000 ranking, researchers from antivirus provider Eset said. The backdoor infects sites running the Apache, nginx, and Lighttpd Web servers and has already exposed almost 100,000 end users running Eset software to attack (the AV apps protect them from infection). Because Eset sees only a small percentage of overall Internet users, the actual number of people affected is presumed to be much higher.
\n“This is the first time I’ve seen an attack that will actually target different Web servers, meaning the attacker is willing to create the backdoor for Apache, Lightttp, and nginx,” Pierre-Marc Bureau, Eset’s security intelligence program manager, told Ars. “Somebody is running an operation that can victimize various Web servers and in my opinion this is the first time that has ever happened. This is a stealthy, sophisticated, and streamlined distribution mechanism for getting malware on end users computers.”
\nPreviously, Cdorked was known to infect only sites that ran on Apache, which remains by far the Internet’s most popular Web server application. According to this month’s server survey from Netcraft, Apache and nginx are the No. 1 and No. 3 packages respectively, with about 53 percent and 16 percent of websites. The survey didn’t rank Lighttpd, a Web server designed for speed-critical sites that’s used by sites including Meebo, YouTube, and Wikimedia, according to Wikipedia. The report of the susceptibility of nginx came as its maintainers issued an update that patches a remote-code execution vulnerability in the open-source Web server. (There’s no evidence the vulnerability is related to the Cdorked infection.)
\nLinux\/Cdorked.A is one of at least two backdoors recently observed causing trusted and often popular websites to push exploits that attempt to surreptitiously install malware on visitors’ computers. Like Darkleech, a backdoor estimated to have infected 20,000 Apache websites, it redirects users to a series of third-party sites that host malicious code from the Blackhole exploit kit. A recent blog post from security firm Invincea reports another rash of website hijackings, but they appear to be unrelated to Cdorked, and there’s no indication Darkleech is involved, either.
\nAlso similar to Darkleech, the Cdorked backdoor makes it extremely difficult for end users and even security researchers to notice their computers are being attacked. Users who speak Russian, Ukrainian, and at least four other languages are never exposed, and people who have already been attacked in recent days are also spared. Common configurations include a large list of IP addresses that are also blocked from exploits.
\n“We believe the operators behind this malware campaign are making significant efforts to keep their operation under the radar and to hinder monitoring efforts as much as possible,” Eset researcher Marc-Etienne M.L\u00e9veill\u00e9 wrote in a blog post published Tuesday. “For them, not being detected seems to be a priority over infecting as many victims as possible.”
\nCdorked-infected servers are also advanced enough to distinguish among different computing platforms used by end users visiting infected sites. Those using Windows machines are directed to sites that mostly host exploits from Blackhole. People using Apple iPads or iPhones are redirected to porn sites that may also be hosting malicious code. Cdorked also stores most of its inner workings in a server’s shared memory, making it hard for some admins to know their sites are infected. Compromised systems can receive up to 70 different encrypted commands, a number that gives attackers fairly granular control that can be remotely and stealthily invoked.
\nIn another testament to the ambition of its operators, Cdorked relies on compromised domain name system servers to resolve the IP addresses of redirected sites. The use of “trojanized DNS server binaries” adds another layer of obscurity to the attacks, since they make it easier for attackers to serve different sites to different end users.
\nFull Story: Attack hitting Apache sites goes mainstream, hacks nginx, Lighttpd, too | Ars Technica<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

Security researchers have uncovered an ongoing and widespread attack that causes sites running three of the Internet’s most popular Web […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[6,7,10],"tags":[76,457],"class_list":["post-2110","post","type-post","status-publish","format-standard","hentry","category-networking","category-security","category-technology","tag-apache","tag-hacks"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-y2","jetpack-related-posts":[{"id":9393,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/08\/19\/this-week-in-tech-680-hacky-hack-hack\/","url_meta":{"origin":2110,"position":0},"title":"This Week in Tech 680: Hacky Hack Hack","author":"NCCT","date":"August 19, 2018","format":false,"excerpt":"https:\/\/youtu.be\/7ClMz3MkTJk This Week in Tech Elon's Twitter addiction, $1200 iPhone XS+, Movie Pass Fail, Pai's lie, and more. --Leave Elon alone! Tesla tumbles after Musk laments his \"most difficult and painful year.\" --Google employees revolt over China rumors; town hall meeting shut down due to \"kerfuffle\" tweets. --Apple thinks that\u2026","rel":"","context":"In "Technology"","block_context":{"text":"Technology","link":"https:\/\/nccomputertech.com\/techtalk\/category\/technology\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/7ClMz3MkTJk\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9391,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/08\/12\/this-week-in-tech-679-hotbox-the-waymo\/","url_meta":{"origin":2110,"position":1},"title":"This Week in Tech 679: Hotbox the Waymo","author":"NCCT","date":"August 12, 2018","format":false,"excerpt":"https:\/\/youtu.be\/r0sh0kx0ksQ This Week in Tech Galaxy Note 9, vote hacking, Android Q quandary, robot dogs, and more. --Samsung Announces the Galaxy Note 9, Galaxy Watch, and Galaxy Home musical cauldron. --What is AI? --Self-driving roll-out is increasing. --Amazon wants you to pick up groceries at Whole Foods, and wishes you\u2026","rel":"","context":"In "Microsoft"","block_context":{"text":"Microsoft","link":"https:\/\/nccomputertech.com\/techtalk\/category\/microsoft\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/r0sh0kx0ksQ\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9378,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/07\/13\/smart-home-security-tips\/","url_meta":{"origin":2110,"position":2},"title":"Smart Home Security Tips","author":"NCCT","date":"July 13, 2018","format":false,"excerpt":"https:\/\/youtu.be\/ESqqAf3IGok Megan Morrone and Florence Ion talk to Stacey Higginbotham about tips for securing your smart home. The advantages and disadvantages of running devices on a guest network. Plus, how do you know if your devices are getting regular firmware updates.","rel":"","context":"In "Networking"","block_context":{"text":"Networking","link":"https:\/\/nccomputertech.com\/techtalk\/category\/networking\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/ESqqAf3IGok\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9804,"url":"https:\/\/nccomputertech.com\/techtalk\/2024\/11\/08\/maximum-iceland-scenario-data-caps-3rd-party-android-stores-nuclear-amazon\/","url_meta":{"origin":2110,"position":3},"title":"Maximum Iceland Scenario – Data Caps, 3rd Party Android Stores, Nuclear Amazon","author":"NCCT","date":"November 8, 2024","format":false,"excerpt":"https:\/\/youtu.be\/P5MkCwktKz0 Data Caps, 3rd Party Android Stores, Nuclear Amazon \u2022 Google must crack open Android for third-party stores, rules Epic judge \u2022 Google asks 9th Circuit for emergency stay, says Epic ruling \u2018is dangerous\u2019 \u2022 Canceling subscriptions is about to get easier \u2022 The FCC is looking into the impact\u2026","rel":"","context":"In "Software"","block_context":{"text":"Software","link":"https:\/\/nccomputertech.com\/techtalk\/category\/software\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/P5MkCwktKz0\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9450,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/11\/20\/are-passwords-immortal-security-now-690\/","url_meta":{"origin":2110,"position":4},"title":"Are Passwords Immortal? – Security Now 690","author":"NCCT","date":"November 20, 2018","format":false,"excerpt":"https:\/\/youtu.be\/mOSTtkK7vy0 Pwn2Own, the Future of Passwords. -- All the action at last week's Pwn2Own Mobile hacking contest -- The final word on processor mis-design in the Meltdown\/Spectre era -- A workable solution for unsupported Intel firmware upgrades for hostile environments -- A forthcoming Firefox breach alert feature -- The expected\u2026","rel":"","context":"In "Security"","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/mOSTtkK7vy0\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9343,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/05\/27\/this-week-in-tech-668-how-many-cups-in-a-stone\/","url_meta":{"origin":2110,"position":5},"title":"This Week in Tech 668: How Many Cups in a Stone?","author":"NCCT","date":"May 27, 2018","format":false,"excerpt":"https:\/\/youtu.be\/i1oqaFyVcQ0 --The FBI wants you to reboot your router right now. FBI agents have gained control of a huge Russian botnet. If your router is affected you just need to reboot it. --Facebook and Russian ads - how should government react in the age of cyber warfare? --Amazon sells facial\u2026","rel":"","context":"In "Security"","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/i1oqaFyVcQ0\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/2110","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=2110"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/2110\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=2110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=2110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=2110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}