Linux/Cdorked.A is a trojan that could allow an unauthenticated, remote attacker to redirect users to malicious websites.
Reports indicate that the Linux/Cdorked.A trojan affects hundreds of Apache web servers and could be redirecting legitimate HTTP requests from affected hosts to malicious software on other websites created by the BlackHole Exploit Kit, as described in Intellishield alert 25108.
Linux/Cdorked.A is a modified httpd binary that stores information in shared memory. Because the malicious binary only stores information in memory, no command and control information is stored on compromised systems, making the trojan difficult to detect and analyze. When it is present on an affected system, the malicious binary could allow attackers to connect to the affected systems through a reverse connect shell or through special commands that are triggered via HTTP requests. Reports also identified 23 commands in Linux/Cdorked.A that can be sent to compromised systems via a POST to a crafted URL.
An unauthenticated, remote attacker that is able to install Linux/Cdorked.A on a targeted system could use this trojan to redirect the user to malicious websites, allowing the attacker to launch further attacks.
Reports indicate that the Linux/Cdorked.A trojan appears on compromised systems in the wild.
Reports also indicate that nginx web server binaries have been found backdoored with Linux/Cdorked.A.
Administrators are advised to check for and identify modified binaries in the httpd directory by searching for the string open_tty from within that directory. If open_tty is found in the Apache binary, it is likely that the system is compromised.
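The check described above, written out as an added example that is not part of the original alert: a small POSIX shell script that looks for the open_tty string in candidate Apache and nginx binaries. The binary paths in CANDIDATE_BINARIES are assumptions for common distributions; adjust them for your system.

```shell
#!/bin/sh
# Added example (not from the original alert): look for the "open_tty" string
# that the alert associates with Linux/Cdorked.A in web server binaries.
# The paths below are assumed defaults; adjust them for your distribution.

# Return 0 if the file contains the string open_tty (a clean Apache or nginx
# binary should not), 1 if it does not, 2 if the file does not exist.
cdorked_indicator_present() {
    candidate="$1"
    [ -f "$candidate" ] || return 2
    # -a forces grep to treat the binary as text; -q only sets the exit status.
    grep -a -q 'open_tty' "$candidate"
}

# Scan every path given as an argument, print a verdict per file, and return 1
# if any file is flagged. Paths that do not exist are silently skipped.
scan_web_server_binaries() {
    scan_rc=0
    for bin in "$@"; do
        [ -f "$bin" ] || continue
        if cdorked_indicator_present "$bin"; then
            echo "SUSPECT: $bin contains open_tty (possible Linux/Cdorked.A)"
            scan_rc=1
        else
            echo "clean:   $bin"
        fi
    done
    return $scan_rc
}

# Assumed locations of the Apache and nginx binaries on common distributions.
CANDIDATE_BINARIES="/usr/sbin/httpd /usr/sbin/apache2 /usr/local/apache2/bin/httpd /usr/sbin/nginx"

# Run the scan only when invoked with --scan, so the functions can be sourced.
if [ "${1:-}" = "--scan" ]; then
    # shellcheck disable=SC2086  (word splitting on the path list is intended)
    scan_web_server_binaries $CANDIDATE_BINARIES || exit 1
fi
```

A string match is only a first-pass indicator; a flagged binary should also be compared against the package manager's recorded checksums (for example `rpm -V httpd` or `debsums apache2`) before concluding it was replaced.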
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.