Malicious Linux/Cdorked.A Trojan in Compromised Web Servers
IntelliShield: Security Activity Bulletin
2013 April 30 21:03 GMT
2013 May 10 13:24 GMT
Additional information is available to describe the Linux/Cdorked.A trojan that is compromising web servers.
Linux/Cdorked.A is a trojan that could allow an unauthenticated, remote attacker to redirect users to malicious websites.
Reports indicate the Linux/Cdorked.A trojan affects hundreds of Apache web servers and it could be redirecting legitimate HTTP requests from affected hosts to malicious software on other websites created by the BlackHole Exploit Kit as described in Intellishield alert 25108.
Linux/Cdorked.A is a modified httpd binary that stores information in shared memory. Because the malicious binary only stores information in memory, no command and control information is stored on compromised systems, making the trojan difficult to detect and analyze. When it is present on an affected system, the malicious binary could allow attackers to connect to the affected systems through a reverse connect shell or through special commands that are triggered via HTTP requests. Reports also identified 23 commands in Linux/Cdorked.A that can be sent to compromised systems via a POST to a crafted URL.
An unauthenticated, remote attacker that is able to install Linux/Cdorked.A on a targeted system could use this trojan to redirect the user to malicious websites, allowing the attacker to launch further attacks.
Reports indicate that the Linux/Cdorked.A trojan appears on compromised systems in the wild.
Reports also indicate that nginx web server binaries are also found to be backdoored with Linux/Cdorked.A.
Administrators are advised to check and identify modified binaries in the httpd directory by searching for open_tty from within the directory. If open_tty is found in the Apache binary, it is likely that the system is compromised.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
The security vulnerability applies to the following combinations of products.
Security Activity Bulletin
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the
Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.