Posted to users@tomcat.apache.org by M Eashwar <to...@gmail.com> on 2013/05/02 09:21:04 UTC

Attacks in Apache servers

Hi,

   Has anyone been attacked with reference to the URL below?

http://efytimes.com/e1/fullnews.asp?edid=105167&ntype=mor&edate=4/29/2013

Re: Attacks in Apache servers

Posted by M Eashwar <to...@gmail.com>.
Hi All,

    Thanks for your views.

    It seems very difficult to come to a conclusion :-)

Regards
Eashwar


On Thu, May 2, 2013 at 11:08 PM, David N. Smith <da...@cornell.edu> wrote:

> >
> > Didn't you know that 'rm' was vulnerable on Linux?!?!
> >
> > An attacker with escalated privileges can -- through clever use of
> > this misunderstood command with code so complicated, that this
> > enormous vulnerability went unnoticed for decades -- wreak havoc on
> > any Linux system connected to the iterwebs. The only plausible
> > mitigation of this egregious vulnerability is to uninstall the 'rm'
> > package or switch to a more secure OS.
> >
>
> I think the vulnerability is limited to versions that support the options
> -r and -f.  ;-)
>
> -- David
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Attacks in Apache servers

Posted by "David N. Smith" <da...@cornell.edu>.
> 
> Didn't you know that 'rm' was vulnerable on Linux?!?!
> 
> An attacker with escalated privileges can -- through clever use of
> this misunderstood command with code so complicated, that this
> enormous vulnerability went unnoticed for decades -- wreak havoc on
> any Linux system connected to the iterwebs. The only plausible
> mitigation of this egregious vulnerability is to uninstall the 'rm'
> package or switch to a more secure OS.
> 

I think the vulnerability is limited to versions that support the options -r and -f.  ;-)

-- David



Re: Attacks in Apache servers

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

On 5/2/13 7:42 AM, Mark Thomas wrote:
> On 02/05/2013 12:29, Jess Holle wrote:
>> http://blogs.cisco.com/security/linuxcdorked-faqs/ claims this is
>> not a cPanel vulnerability per se...
> 
> To quote the relevant part of that article:
> 
> <quote> How are attackers gaining access to the host servers? How
> the attackers are gaining root access to begin with is a separate 
> matter, still unresolved. Attackers may have stolen login
> credentials via phishing, or via a localized infection on a
> management system, or simply by brute-force guessing the login. 
> </quote>
> 
> httpd is simply the vehicle the attackers are using to run their
> malware *once they already have root access*
> 
> There is no Apache http vulnerability to see here. Move along. Move
> along.

Didn't you know that 'rm' was vulnerable on Linux?!?!

An attacker with escalated privileges can -- through clever use of
this misunderstood command with code so complicated, that this
enormous vulnerability went unnoticed for decades -- wreak havoc on
any Linux system connected to the iterwebs. The only plausible
mitigation of this egregious vulnerability is to uninstall the 'rm'
package or switch to a more secure OS.

...

The fact that this exploit is being called Linux/CDorked leads me to
believe that cPanel is definitely the vector. Why the attackers
decided to use httpd and not the gopher-over-uucp service is beyond me.

-chris



Re: Attacks in Apache servers

Posted by Mark Thomas <ma...@apache.org>.
On 02/05/2013 12:29, Jess Holle wrote:
> http://blogs.cisco.com/security/linuxcdorked-faqs/ claims this is not a
> cPanel vulnerability per se...

To quote the relevant part of that article:

<quote>
How are attackers gaining access to the host servers?
How the attackers are gaining root access to begin with is a separate
matter, still unresolved. Attackers may have stolen login credentials
via phishing, or via a localized infection on a management system, or
simply by brute-force guessing the login.
</quote>

httpd is simply the vehicle the attackers are using to run their malware
*once they already have root access*

There is no Apache http vulnerability to see here. Move along. Move along.

Mark


> 
> On 5/2/2013 6:22 AM, Darryl Lewis wrote:
>> "Last Friday (April 26), ESET and Sucuri simultaneously blogged about the
>> discovery of Linux/Cdorked, a backdoor impacting Apache servers running
>> cPanel." -http://blogs.cisco.com/security/linuxcdorked-faqs/
>>
>> So it looks like a cPanel application vulnerability, not an Apache
>> vulnerability. The title of that first article is simply WRONG.
>> And seriously, who manages a site via cPanel? If you use cPanel, maybe
>> linux isn't a good fit for you.
>>
>>
>> On 2/05/13 7:48 PM, "Brian Burch" <br...@pingtoo.com> wrote:
>>
>>> On 02/05/13 09:32, André Warnier wrote:
>>>> M Eashwar wrote:
>>>>> Hi,
>>>>>
>>>>>     Has anyone been attacked with reference to the URL below?
>>>>>
>>>>>
>>>>> http://efytimes.com/e1/fullnews.asp?edid=105167&ntype=mor&edate=4/29/2013
>>>>>
>>>> Never heard of "EFYtimes" before, but considering what I have been
>>>> reading lately about bots, I would advise a modicum of caution before
>>>> following this link.
>>>> (And also maybe a modicum of healthy scepticism about that news article
>>>> itself).
>>> This vulnerability applies only to apache httpd and is not relevant to
>>> tomcat.
>>>
>>> ALSO, it only applies to apache httpd when installed via a third-party
>>> automated management system that is reported to not verify the digital
>>> signature of the binary... which would be very negligent.
>>>
>>> You should always verify apache packages against the published
>>> signatures. Although linux distribution rpm and deb packages are
>>> automatically verified during installation, we strongly recommend
>>> installing packages directly from the official apache distribution
>>> servers and then verifying the signature yourself - prior to
>>> installation!
>>>
>>> Regards,
>>>
>>> Brian
>>>
>>>
>>
> 
> 
> 




Re: Attacks in Apache servers

Posted by Jess Holle <je...@ptc.com>.
http://blogs.cisco.com/security/linuxcdorked-faqs/ claims this is not a 
cPanel vulnerability per se...

On 5/2/2013 6:22 AM, Darryl Lewis wrote:
> "Last Friday (April 26), ESET and Sucuri simultaneously blogged about the
> discovery of Linux/Cdorked, a backdoor impacting Apache servers running
> cPanel." -http://blogs.cisco.com/security/linuxcdorked-faqs/
>
> So it looks like a cPanel application vulnerability, not an Apache
> vulnerability. The title of that first article is simply WRONG.
> And seriously, who manages a site via cPanel? If you use cPanel, maybe
> linux isn't a good fit for you.
>
>
> On 2/05/13 7:48 PM, "Brian Burch" <br...@pingtoo.com> wrote:
>
>> On 02/05/13 09:32, André Warnier wrote:
>>> M Eashwar wrote:
>>>> Hi,
>>>>
>>>>     Has anyone been attacked with reference to the URL below?
>>>>
>>>>
>>>> http://efytimes.com/e1/fullnews.asp?edid=105167&ntype=mor&edate=4/29/2013
>>>>
>>> Never heard of "EFYtimes" before, but considering what I have been
>>> reading lately about bots, I would advise a modicum of caution before
>>> following this link.
>>> (And also maybe a modicum of healthy scepticism about that news article
>>> itself).
>> This vulnerability applies only to apache httpd and is not relevant to
>> tomcat.
>>
>> ALSO, it only applies to apache httpd when installed via a third-party
>> automated management system that is reported to not verify the digital
>> signature of the binary... which would be very negligent.
>>
>> You should always verify apache packages against the published
>> signatures. Although linux distribution rpm and deb packages are
>> automatically verified during installation, we strongly recommend
>> installing packages directly from the official apache distribution
>> servers and then verifying the signature yourself - prior to installation!
>>
>> Regards,
>>
>> Brian
>>
>>
>




Re: Attacks in Apache servers

Posted by Darryl Lewis <da...@unsw.edu.au>.
"Last Friday (April 26), ESET and Sucuri simultaneously blogged about the
discovery of Linux/Cdorked, a backdoor impacting Apache servers running
cPanel." -http://blogs.cisco.com/security/linuxcdorked-faqs/

So it looks like a cPanel application vulnerability, not an Apache
vulnerability. The title of that first article is simply WRONG.
And seriously, who manages a site via cPanel? If you use cPanel, maybe
linux isn't a good fit for you.


On 2/05/13 7:48 PM, "Brian Burch" <br...@pingtoo.com> wrote:

>On 02/05/13 09:32, André Warnier wrote:
>> M Eashwar wrote:
>>> Hi,
>>>
>>>    Has anyone been attacked with reference to the URL below?
>>>
>>>http://efytimes.com/e1/fullnews.asp?edid=105167&ntype=mor&edate=4/29/2013
>>>
>>
>> Never heard of "EFYtimes" before, but considering what I have been
>> reading lately about bots, I would advise a modicum of caution before
>> following this link.
>> (And also maybe a modicum of healthy scepticism about that news article
>> itself).
>
>This vulnerability applies only to apache httpd and is not relevant to
>tomcat.
>
>ALSO, it only applies to apache httpd when installed via a third-party
>automated management system that is reported to not verify the digital
>signature of the binary... which would be very negligent.
>
>You should always verify apache packages against the published
>signatures. Although linux distribution rpm and deb packages are
>automatically verified during installation, we strongly recommend
>installing packages directly from the official apache distribution
>servers and then verifying the signature yourself - prior to installation!
>
>Regards,
>
>Brian
>
>




Re: Attacks in Apache servers

Posted by Brian Burch <br...@pingtoo.com>.
On 02/05/13 09:32, André Warnier wrote:
> M Eashwar wrote:
>> Hi,
>>
>>    Has anyone been attacked with reference to the URL below?
>>
>> http://efytimes.com/e1/fullnews.asp?edid=105167&ntype=mor&edate=4/29/2013
>>
>
> Never heard of "EFYtimes" before, but considering what I have been
> reading lately about bots, I would advise a modicum of caution before
> following this link.
> (And also maybe a modicum of healthy scepticism about that news article
> itself).

This vulnerability applies only to apache httpd and is not relevant to 
tomcat.

ALSO, it only applies to apache httpd when installed via a third-party 
automated management system that is reported to not verify the digital 
signature of the binary... which would be very negligent.

You should always verify apache packages against the published 
signatures. Although linux distribution rpm and deb packages are 
automatically verified during installation, we strongly recommend 
installing packages directly from the official apache distribution 
servers and then verifying the signature yourself - prior to installation!

Regards,

Brian

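The verification step Brian recommends, as an added example that is not part of the thread: a small POSIX shell helper that imports the project's KEYS file into an isolated keyring and checks a release tarball against its detached .asc signature before anything is installed. The KEYS URL, the function names and the httpd-VERSION filenames are assumptions; the script assumes GnuPG 2.x is installed.

```shell
#!/bin/sh
# Added example, not code from the thread: check an Apache release tarball
# against its detached PGP signature before installing it, so that a
# download fetched through a third-party installer is verified rather
# than trusted. Assumes GnuPG 2.x is installed.
# The KEYS location below is an assumption (the project publishes its
# signing keys on the official distribution servers).
KEYS_URL="https://downloads.apache.org/httpd/KEYS"

# import_release_keys KEYS_FILE KEYRING_DIR
# Imports the project's KEYS file into a throwaway GNUPGHOME, so keys
# already on this workstation cannot silently vouch for the release.
import_release_keys() {
    keys_file=$1; homedir=$2
    mkdir -p "$homedir" && chmod 700 "$homedir"
    gpg --homedir "$homedir" --batch --quiet --import "$keys_file" 2>/dev/null
}

# verify_release TARBALL SIG_FILE KEYRING_DIR
# Returns 0 only when gpg reports both GOODSIG and VALIDSIG for the
# detached signature over TARBALL using a key from KEYRING_DIR.
# Returns 2 when a file is missing and 1 for any bad or unknown signature.
verify_release() {
    tarball=$1; sig=$2; homedir=$3
    [ -f "$tarball" ] && [ -f "$sig" ] || return 2
    # --status-fd 1 puts machine-readable status lines on stdout;
    # human-readable output goes to stderr and is discarded.
    status=$(gpg --homedir "$homedir" --batch --status-fd 1 \
                 --verify "$sig" "$tarball" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG ' || return 1
    return 0
}

# Typical use (network fetch; VERSION is a placeholder):
#   curl -fsSLO "$KEYS_URL"
#   import_release_keys KEYS ./release-keys
#   verify_release httpd-VERSION.tar.gz httpd-VERSION.tar.gz.asc ./release-keys \
#       && echo "signature OK, safe to unpack" || echo "DO NOT INSTALL"
```

A good signature from a key in KEYS proves the tarball is the one the release manager signed; it says nothing about whether that key is trusted, which is why the keyring is limited to the project's own KEYS file.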


Re: Attacks in Apache servers

Posted by André Warnier <aw...@ice-sa.com>.
M Eashwar wrote:
> Hi,
> 
>    Has anyone been attacked with reference to the URL below?
> 
> http://efytimes.com/e1/fullnews.asp?edid=105167&ntype=mor&edate=4/29/2013
> 

Never heard of "EFYtimes" before, but considering what I have been reading lately about 
bots, I would advise a modicum of caution before following this link.
(And also maybe a modicum of healthy scepticism about that news article itself).

