Security Activity Bulletin

Malicious Linux/Cdorked.A Trojan in Compromised Web Servers

Threat Type: IntelliShield: Security Activity Bulletin
IntelliShield ID: 29133
Version: 2
First Published: 2013 April 30 21:03 GMT
Last Published: 2013 May 10 13:24 GMT
Port: Not available
Urgency: Possible use
Credibility: Confirmed
Severity: Mild Damage

Version Summary: Additional information is available to describe the Linux/Cdorked.A trojan that is compromising web servers.

Description
 
Linux/Cdorked.A is a trojan that could allow an unauthenticated, remote attacker to redirect users to malicious websites.

Reports indicate that the Linux/Cdorked.A trojan affects hundreds of Apache web servers and could be redirecting legitimate HTTP requests from affected hosts to malicious software on other websites created by the BlackHole Exploit Kit, as described in IntelliShield alert 25108.

Linux/Cdorked.A is a modified httpd binary that stores information in shared memory. Because the malicious binary only stores information in memory, no command and control information is stored on compromised systems, making the trojan difficult to detect and analyze. When it is present on an affected system, the malicious binary could allow attackers to connect to the affected systems through a reverse connect shell or through special commands that are triggered via HTTP requests. Reports also identified 23 commands in Linux/Cdorked.A that can be sent to compromised systems via a POST to a crafted URL.

An unauthenticated, remote attacker that is able to install Linux/Cdorked.A on a targeted system could use this trojan to redirect the user to malicious websites, allowing the attacker to launch further attacks.

Reports indicate that the Linux/Cdorked.A trojan appears on compromised systems in the wild.

Reports also indicate that nginx web server binaries have been found backdoored with Linux/Cdorked.A.

Administrators are advised to check for modified binaries in the httpd directory by searching the binaries in that directory for the string open_tty. If open_tty is found in the Apache binary, the system is likely compromised.
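The check described above, as an added example that is not part of the bulletin: a POSIX shell script that searches the given web server binaries for the open_tty string and reports any that contain it. The default paths it falls back to are assumed common locations, not taken from the bulletin.

```shell
#!/bin/sh
# Added example (not from the bulletin): flag httpd/nginx binaries that
# contain the "open_tty" string the bulletin associates with Linux/Cdorked.A.

# check_binary FILE
#   returns 0 if FILE does not contain the marker string,
#           1 if it does (suspicious),
#           2 if FILE is missing or unreadable.
check_binary() {
    f="$1"
    [ -r "$f" ] || return 2
    if grep -q 'open_tty' "$f"; then
        return 1
    fi
    return 0
}

# scan_binaries FILE...
#   prints one status line per file and returns the number of suspicious files.
scan_binaries() {
    suspicious=0
    for f in "$@"; do
        if check_binary "$f"; then rc=0; else rc=$?; fi
        case "$rc" in
            0) printf 'CLEAN      %s\n' "$f" ;;
            1) printf 'SUSPICIOUS %s  (contains open_tty)\n' "$f"
               suspicious=$((suspicious + 1)) ;;
            *) printf 'SKIPPED    %s  (not readable)\n' "$f" ;;
        esac
    done
    return "$suspicious"
}

if [ "$#" -gt 0 ]; then
    scan_binaries "$@"
else
    # Assumed default locations; adjust for your distribution.
    scan_binaries /usr/sbin/httpd /usr/sbin/apache2 /usr/sbin/nginx
fi
```

A matching binary should then be compared against the distribution package (for example with rpm -V or dpkg --verify) and preserved for analysis rather than replaced in place.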

Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.

Signatures
 
Cisco Intrusion Prevention System (IPS) 6.0
Signature ID: 41706/1
Signature Name: Blackhole Exploit Kit Propagation
Release: S715
Latest Release Date: 2013 May 07
 
Alert History
 

Version 1, April 30, 2013, 9:03 PM: Linux/Cdorked.A is an Apache trojan that could allow an unauthenticated, remote attacker to redirect users to malicious websites.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Security Activity Bulletin Original Release Base

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.