Ongoing malware attack targets Apache

Mousey



Tens of thousands of websites, some operated by The Los Angeles Times, Seagate, and other reputable companies, have recently come under the spell of "Darkleech," a mysterious exploitation toolkit that exposes visitors to potent malware attacks.

The ongoing attacks, estimated to have infected 20,000 websites in the past few weeks alone, are significant because of their success in targeting Apache, by far the Internet's most popular Web server software. Once it takes hold, Darkleech injects invisible code into webpages, which in turn surreptitiously opens a connection that exposes visitors to malicious third-party websites, researchers said. Although the attacks have been active since at least August, no one has been able to positively identify the weakness attackers are using to commandeer the Apache-based machines. Vulnerabilities in Plesk, Cpanel, or other software used to administer websites is one possibility, but researchers aren't ruling out the possibility of password cracking, social engineering, or attacks that exploit unknown bugs in frequently used applications and OSes.

Researchers also don't know precisely how many sites have been infected by Darkleech. The server malware employs a sophisticated array of conditions to determine when to inject malicious links into the webpages shown to end users.....
 
Darkleech Apache Attacks Intensify

Mathew J. Schwartz | April 30, 2013 01:57 PM

Hundreds of servers running Apache HTTP server software have been infected with a new malicious Linux backdoor known as "Cdorked." The malware appears to be connected to the so-called Darkleech attack campaign that's been using compromised servers and malicious Apache modules to launch drive-by attacks that target known browser vulnerabilities.

While Darkleech has been running for at least two months, attackers appear to still be upping their game. "Linux/Cdorked is one of the most sophisticated Apache backdoors we have seen so far," said Pierre-Marc Bureau, security intelligence program manager for security firm ESET, in a blog post that details how to identify and remediate servers infected by the malware.


Cdorked uses JavaScript to attack anyone browsing the website. If the attack is successful, the malware redirects the browser to another malicious website, where a crimeware toolkit attempts to further compromise the PC.....
 
This is actually quite worrying and at the same time sophisticated. I notice in that article they have quoted the security manager from ESET. From a personal perspective, the ESET antivirus software is the BEST on the market and I highly recommend it. I have it running on all my PCs. Well worth moving to if you don't already have it.

As for this malware, I would hope that anyone operating dedicated servers using management software such as cPanel or Plesk has them configured so auto updates are installed as and when the manufacturers release them.

This sounds like a living nightmare if it is indeed an exploit of Apache and your server gets hit.
 
Attack hitting Apache sites goes mainstream, hacks nginx, Lighttpd,




Security researchers have uncovered an ongoing and widespread attack that causes sites running three of the Internet's most popular Web servers to push potent malware exploits on visitors.

Linux/Cdorked.A, as the malicious backdoor behind the attacks is known, has been observed infecting at least 400 Web servers, 50 of them from the Alexa top 100,000 ranking, researchers from antivirus provider Eset said. The backdoor infects sites running the Apache, nginx, and Lighttpd Web servers and has already exposed almost 100,000 end users running Eset software to attack (the AV apps protect them from infection). Because Eset sees only a small percentage of overall Internet users, the actual number of people affected is presumed to be much higher.

"This is the first time I've seen an attack that will actually target different Web servers, meaning the attacker is willing to create the backdoor for Apache, Lightttp, and nginx," Pierre-Marc Bureau, Eset's security intelligence program manager, told Ars. "Somebody is running an operation that can victimize various Web servers.....
 


A campaign that forces sites running the Apache Web server to install highly malicious software on visitors' PCs has compromised more than 40,000 Web addresses in the past nine months, 15,000 of them in the month of May alone. The figures, published Tuesday by researchers from antivirus provider Eset, are the latest indication that an attack on websites running the Internet's most popular Web server continues to build steam. Known as Darkleech, the rogue Apache module gets installed on compromised servers and turns legitimate websites into online mine fields that expose unsuspecting visitors to a host of dangerous exploits. More than 40,000 domains and website IPs have been commandeered since October, 15,000 of which were active at the same time in May, 2013 alone. In the last week alone, Eset has detected at least 270 different websites exposing users to attacks.

Sites that come under the spell of Darkleech redirect certain visitors to malicious websites that host attack code spawned by the notorious Blackhole exploit kit....

Eset's findings are also consistent with recent figures from Google showing that the vast majority of malware attacks are spawned from legitimate sites that have been hacked....
 
Oh no, that's terrible. :( That's why I noticed some websites I visit were slow or unable to load. Last night one website I visit regularly would not load and I wasn't so sure what's going on. It was saying it's taking too long to respond. I was hoping it better not be under DoS or something.
 
