Feeds

Apache attack drives traffic to malware

Blackhole redirect served by modified daemon binary

Security for virtualized datacentres

A security researcher is warning that an attack on the Apache Web server is increasingly showing up in the wild, and has published a free Python tool to check their configurations.

The attack is designed to avoid leaving disk footprints, according to this post analysing the backdoor. It exists as a modified httpd file that redirects HTTP requests to the well-known Blackhole exploit pack.

Redirected victims hitting the compromised server are remembered so they aren't redirected a second time. The redirection looks like the original URL, with a base64 encoded string added, used by the backdoor to record parameters describing the redirected client to ensure the right payload is delivered (for example, identifying if it had originally requested a Javascript file).

Apart from the modified httpd file, everything associated with the exploit exists only in 6 MB of shared memory, with configuration pushed through obfuscated HTTP requests to evade logging.

The analysis has identified 23 commands in the binary, all of them two-character hex bytes (DU, ST, T1 and so on). Thos commands are invoked by a POST command to a crafted URL including “SECID=” as a cookie header. As the author of the post, Pierre-Marc Bureau notes, “we believe the URLs to redirect clients are sent to the backdoor using this method. The redirection information will be stored encrypted in the allocated shared memory region.”

Other capabilities of the commands include:

  • Setting redirection conditions;
  • Whitelisting user agents; and
  • Blacklisting IP addresses to avoid detection.

Because the attack sets loose permissions on the shared directory, other processors can access it. This tool, dump_dcorked_config.py, verifies the presence of the shared memory region and dumps its contents into a file for analysis. ®

Beginner's guide to SSL certificates

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.