[ale] Apache exploit

Jim Kinney jim.kinney at gmail.com
Tue Apr 2 16:37:42 EDT 2013


From the Malware Must Die post:

The malware was found in web server systems with the below characteristics:

1. Linux RedHat-based distribution without SELinux properly set
2. Apache httpd web server 2.x (rpm-based, as per it is)
3. CGI-based web admin panel and/or WordPress systems served

I'm assuming then that ALL 3 must be present for this process to occur.

from much further down:
"It looks like the attackers were beforehand well-prepared with some
penetration method to gain web exploitation which were used to gain shell
access and did the privilege escalation unto root. (I am not allowed to
expose this detail further at this moment)."

So run your web server with selinux in enforcing mode. It stops crap like
this. Apparmor works similarly but not as fine-grained.


On Tue, Apr 2, 2013 at 4:23 PM, David Tomaschik <david at systemoverlord.com> wrote:

> Based on the analysis from the Malware Must Die Blog and some other things
> I've heard about this, it looks like the original source of compromise is
> most likely Plesk or cPanel.  Doesn't look like there's any Apache
> vulnerability being exploited, so Apparmor around Apache wouldn't mitigate
> *this* attack.
>
>
> On Tue, Apr 2, 2013 at 1:10 PM, Beddingfield, Allen <allen at ua.edu> wrote:
>
>> I was just wondering if any of you had encountered this one/were aware of
>> it.  I don't see any references to CVE's or hard details, aside from the
>> analysis in the third link.  Maybe it is time to move putting Apparmor
>> around Apache on our web servers higher to the top of the to-do list.
>>
>>
>>
>> http://arstechnica.com/security/2013/04/exclusive-ongoing-malware-attack-targeting-apache-hijacks-20000-sites/
>>
>> https://news.ycombinator.com/item?id=5479812
>>
>>
>> http://malwaremustdie.blogspot.com/2013/03/the-evil-came-back-darkleechs-apache.html
>>
>> Allen B.
>> --
>> Allen Beddingfield
>> Systems Engineer
>> The University of Alabama
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>
>
>
> --
> David Tomaschik
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com
>


-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain

http://electjimkinney.org
http://heretothereideas.blogspot.com/