Exclusive: Ongoing malware attack targeting Apache hijacks 20,000 sites

Discussion in 'malware problems & news' started by ronjor, Apr 2, 2013.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,755
    Location:
    Texas
    http://arstechnica.com/security/201...-attack-targeting-apache-hijacks-20000-sites/
     
  2. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    Wow, this is really bad. It looks like all of the work that the attackers used to not get caught is paying off. It's smart to not try to infect every single site visitor. Using IP addresses and other criteria to decide who to hit and who to leave alone makes tracking this much harder.

    Software vulnerabilities are bad enough. Suspected but unknown vulnerabilities are much worse.
     
  3. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Finally got around to a site with q.php lit on it - it's the blackhole exploit kit for anyone interested in knowing what the payload is. Second attempt at the site failed to deliver it, as described in the article. Apparently there's additional code operating it on the server side which is why it isn't showing up in the html coming from Apache ...

    No worries playing with bad stuff on this end, so was curious as to what it was.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Oh... really? :rolleyes: I don't see anything new... So, even if website A gets infected with the exploit code/some other code and redirects to B to the actual payload/exploit code + payload, if access to B is not allowed, then nothing will happen.

    That's my current approach, when browsing.

    Example: Unless Wilderssecurity itself becomes compromised to the point of hosting the actual payload, my browser session won't allow any other communication other than to www.wilderssecurity.com and its respective IP address.

    The same for my other profiles, including the general browser profile, to which only a small number of websites/domains are allowed to be connected.

    This without resorting to other means of securing a user, which are also a possibility.
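The per-profile allowlist policy described in this post, written out as an added example (this is not m00nbl00d's code or any tool from the thread): each browser profile carries the exact hostnames and IP addresses it may contact, and any request or redirect hop to anything else is refused, so a compromised first site that bounces the visitor to a second host for the payload gets stopped at the bounce. The site IP `203.0.113.5` and the redirect host `redirect-b.example` are constructed placeholders, not values from the articles linked above.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit


class BrowserProfile:
    """A browsing profile that may only contact an explicit set of hosts and IPs.

    Matching is on the exact hostname (no subdomain or parent-domain widening),
    mirroring the 'only www.wilderssecurity.com and its IP' policy in the post.
    """

    def __init__(self, allowed_hosts, allowed_ips=()):
        self.allowed_hosts = {h.lower().rstrip(".") for h in allowed_hosts}
        self.allowed_ips = {ip_address(ip) for ip in allowed_ips}

    def allows(self, url):
        """Return True only if the URL's host is an allowlisted hostname or IP literal."""
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if not host:
            return False  # javascript:, data:, relative junk: nothing to connect to
        try:
            # Bare IP literal in the URL: compare as an address, not as a string,
            # so 203.000.113.005-style spellings cannot slip past a text match.
            return ip_address(host) in self.allowed_ips
        except ValueError:
            return host in self.allowed_hosts


def first_blocked(profile, urls):
    """Walk a request/redirect chain and return the first URL the profile refuses, or None."""
    for url in urls:
        if not profile.allows(url):
            return url
    return None


# Constructed sample profiles: one locked to a single site, one general profile
# with a short list of permitted domains (hypothetical names).
SITE_PROFILE = BrowserProfile({"www.wilderssecurity.com"}, {"203.0.113.5"})
GENERAL_PROFILE = BrowserProfile({"news.example", "docs.example"})

# Constructed redirect chain: site A is reached normally, then an injected
# redirect tries to pull q.php from a second host B (placeholder name).
CHAIN = [
    "https://www.wilderssecurity.com/threads/apache-hijacks-20000-sites.12345/",
    "http://redirect-b.example/q.php",
]

if __name__ == "__main__":
    print("blocked hop:", first_blocked(SITE_PROFILE, CHAIN))
    print("general profile allows docs.example:", GENERAL_PROFILE.allows("https://docs.example/"))
```

The point of keeping the match exact rather than suffix-based is visible in the last assertion below: a lookalike such as `www.wilderssecurity.com.evil.example` shares the allowed name as a prefix but is still refused, because the policy compares the whole hostname.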
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,755
    Location:
    Texas
    http://arstechnica.com/security/201...pache-websites-is-invisible-to-the-naked-eye/
     
  6. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    http://www.welivesecurity.com/2013/...apache-backdoor-in-the-wild-serves-blackhole/
     
  7. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  8. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    http://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/
     
  9. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
  10. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    http://www.welivesecurity.com/2013/...lighttpd-and-nginx-web-servers-also-affected/
     
  11. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://research.zscaler.com/2013/05/darkleech-attack-continues-to-grow.html
     
  12. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://blog.sucuri.net/2013/06/new-apache-module-injection.html
     
  13. asr

    asr Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    91
  14. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.