Tìtstewan
Apache “Darkleech” Compromises
« on: April 03, 2013, 10:48:45 am »

Dan Goodin, editor at Ars Technica, has been tracking and compiling info on an elusive series of website
compromises that could be impacting tens of thousands of otherwise perfectly legitimate sites. While
various researchers have reported various segments of the attacks, until Dan’s article, no one had
connected the dots and linked them all together.

Dubbed “Darkleech,” thousands of Web servers across the globe running Apache 2.2.2 and above
are infected with an SSHD backdoor that allows remote attackers to upload and configure malicious
Apache modules. These modules are then used to turn hosted sites into attack sites, dynamically injecting
iframes in real-time, only at the moment of visit.

Because the iframes are dynamically injected only when the pages are accessed, this makes discovery
and remediation particularly difficult. Further, the attackers employ a sophisticated array of conditional
criteria to avoid detection:
   
  • Checking IP addresses and blacklisting security researchers, site owners, and the compromised hosting providers;
  • Checking User Agents to target specific operating systems (to date, Windows systems);
  • Blacklisting search engine spiders;
  • Checking cookies to “wait list” recent visitors;
  • Checking referrer URLs to ensure the visitor is coming in via valid search engine results.

When the iframe is injected on the page, the convention used for the reference link in the
injected iframe is IP/hex/q.php. For example:

129.121.179.168/d42ee14e4af7a0a7b1033b8f8f1eb18a/q.php

The nature of the compromise coupled with the sophisticated conditional criteria presents
several challenges:
   
  • Website owners/operators will not be able to detect or clean the compromise as (a) it is not actually on their website, and (b) most will not have root-level access to the webserver;
  • Even if website owners/operators suspect the host server may be the source, they would still need to convince the hosting provider, who may discount their report;
  • Even if the hosting provider is responsive, the malicious Apache modules and associated SSHD backdoor may be difficult to ferret out, and the exact method will vary depending on server configuration;
  • Since SSHD is compromised, remediation of the attack and preventing further occurrences may require considerable procedural changes that, if not carried out properly, could cause a privilege lockout for valid administrators or be ineffective and lead to continued compromise.

The magnitude of the problem becomes clear when one considers how widespread these attacks are. The following chart illustrates the geographic
location of infected host servers observed from February 1–March 15, 2013.

[Chart: geographic location of infected host servers, February 1–March 15, 2013]
Source: [Cisco Blogs]

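An added example, not part of the post above or of the Cisco article it quotes: a small Python scanner built around two points the article makes, the `IP/hex/q.php` reference-link convention and the conditional serving criteria (Windows User-Agent, search-engine referrer, no cookie from a recent visit). It fetches the same page under several request profiles and reports which profiles receive a matching iframe, which is why a single check from a researcher's machine can come back clean. The simulated host, the TEST-NET address and the hex directory are constructed fixtures; the 32-character hex length is an assumption generalised from the one example the article gives.

```python
import re
from html.parser import HTMLParser
from typing import Callable, Dict, List

# Reference-link convention from the article: IP/hex/q.php, with or without a
# scheme. A 32-character hex directory is an assumption generalised from the
# single example given.
DARKLEECH_SRC = re.compile(
    r"^(?:https?://)?(?:\d{1,3}\.){3}\d{1,3}/[0-9a-f]{32}/q\.php$",
    re.IGNORECASE,
)


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def find_suspicious_iframes(html: str) -> List[str]:
    """Return iframe src values that follow the IP/hex/q.php convention."""
    collector = IframeCollector()
    collector.feed(html)
    return [s for s in collector.srcs if DARKLEECH_SRC.match(s)]


# Request profiles modelled on the conditional criteria the article lists.
# The first profile is what a naive check from a researcher's shell sends.
WINDOWS_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
SEARCH_REFERER = "https://www.google.com/search?q=example+site"
PROFILES: List[Dict[str, str]] = [
    {"name": "plain-curl", "ua": "curl/7.29.0", "referer": "", "cookie": ""},
    {"name": "windows-direct", "ua": WINDOWS_UA, "referer": "", "cookie": ""},
    {"name": "windows-from-search", "ua": WINDOWS_UA, "referer": SEARCH_REFERER, "cookie": ""},
    {"name": "windows-repeat-visit", "ua": WINDOWS_UA, "referer": SEARCH_REFERER, "cookie": "seen=1"},
]

# Constructed fixtures: a benign page, and a placeholder link in the article's
# IP/hex/q.php shape using a TEST-NET address and made-up hex.
CLEAN_PAGE = (
    '<html><body><h1>Welcome</h1>'
    '<iframe src="https://example.com/widget"></iframe></body></html>'
)
INJECTED_SRC = "http://203.0.113.10/0123456789abcdef0123456789abcdef/q.php"


def simulated_compromised_host(profile: Dict[str, str]) -> str:
    """Constructed stand-in for a host serving conditional injections, used only
    to exercise the scanner offline. It applies the criteria the article names:
    a Windows User-Agent, a search-engine referrer and no prior-visit cookie."""
    is_windows = "Windows" in profile["ua"]
    from_search = "google.com/search" in profile["referer"]
    first_visit = not profile["cookie"]
    if is_windows and from_search and first_visit:
        injected = f'<iframe src="{INJECTED_SRC}" width="0" height="0"></iframe>'
        return CLEAN_PAGE.replace("</body>", injected + "</body>")
    return CLEAN_PAGE


def scan_with_profiles(
    fetch: Callable[[Dict[str, str]], str],
    profiles: List[Dict[str, str]] = PROFILES,
) -> Dict[str, List[str]]:
    """Fetch the page once per request profile; map profile name to any hits.
    `fetch` receives the profile and returns the HTML body, so a real fetcher
    would set User-Agent, Referer and Cookie headers from it."""
    return {p["name"]: find_suspicious_iframes(fetch(p)) for p in profiles}


if __name__ == "__main__":
    for name, hits in scan_with_profiles(simulated_compromised_host).items():
        print(f"{name:22s} {'INJECTED ' + hits[0] if hits else 'clean'}")
```

Only the `windows-from-search` profile sees the iframe; the plain fetch, the direct visit and the repeat visit all receive the clean page, which is the detection gap the article describes. A real fetcher plugged into `scan_with_profiles` should also come from an address the attackers have no reason to blacklist, since the IP check is the first criterion on the list.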

Human No More
Re: Apache “Darkleech” Compromises
« Reply #1 on: May 13, 2013, 05:29:07 pm »
I've heard of this referred to as cdorked as well - I've heard that in some cases, the vector is just root SSH brute force though, which any competently set up server is immune to - although of course, nothing stops there being others too. The main interesting part is that it leaves no signature on disk other than a modified apache/nginx/lighttpd binary (IIRC, it started off affecting apache but had been observed on other servers as well).