Posted to users@httpd.apache.org by Miguel Gonzalez <mi...@yahoo.es> on 2013/05/02 10:09:34 UTC

[users@httpd] Cdorked.A backdoor

Dear all,

  I've been searching in the archives of the mailing list and I don't see any reference to the Cdorked.A backdoor:

  http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/?goback=.gde_3496714_member_236822728

  Does anyone know of any way of detecting that the binary has been compromised?


 Regards,

 Miguel

Re: [users@httpd] Cdorked.A backdoor

Posted by Mathijs <ma...@gmail.com>.
On Thu, May 2, 2013 at 10:09 AM, Miguel Gonzalez <miguel_3_gonzalez@yahoo.es> wrote:

> Dear all,
>
>   I've been searching in the archives of the mailing list and I don't see
> any reference to the Cdorked.A backdoor:
>
>
> http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/?goback=.gde_3496714_member_236822728
>
>   Does anyone know of any way of detecting that the binary has been compromised?
>

Since the backdoor resides in shared memory, it can be detected by
inspecting this memory region.  A simple C program has been developed to
check for the presence of the Cdorked.A backdoor in shared memory; I have
pasted it here: http://apaste.info/01f9

I can't tell from experience if this has a 100% 'detection rate' for the
backdoor, but it looks like a solid way of checking your server for
infection.

(Credits to Marc-Etienne M.Léveillé <le...@eset.com> for this utility)


>
>  Regards,
>
>  Miguel
>



-- 
Gr,

Mathijs
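The reply above describes the approach (inspect the System V shared memory segments the backdoor lives in) but the pasted program is behind a link. The following is an added example written for this page, not the ESET utility and not code from anyone in the thread: a small Linux C scanner that walks every shared memory slot with shmctl(2)'s SHM_STAT, prints owner, mode, size, creator pid and attach count for each segment, and flags the ones that match a simple heuristic. The heuristic (world-writable, or 1 MiB and larger) and the 4096 slot cap (the default kernel.shmmni) are this example's own assumptions; tune them to the indicators given in the ESET write-up linked in the first post. The self-test creates a deliberately suspicious segment, checks that the scanner flags it, and removes it again.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/types.h>
#include <unistd.h>

/* SHM_STAT is a Linux extension to shmctl(2): the first argument is a
 * kernel slot index rather than a shmid, and the return value is the shmid
 * living in that slot. Fallback value for headers compiled in strict mode. */
#ifndef SHM_STAT
#define SHM_STAT 13
#endif

/* Upper bound for the slot walk. 4096 is the Linux default for
 * kernel.shmmni (assumption: the host has not raised it). */
#define SHM_MAX_SLOTS 4096

/* Heuristic threshold used by this example (an assumption for the demo,
 * not an indicator taken from the ESET write-up). */
#define SHM_SUSPECT_MIN_BYTES (1024UL * 1024UL)   /* 1 MiB */

enum {
    SHM_FLAG_WORLD_WRITABLE = 1,  /* mode carries the 'other write' bit */
    SHM_FLAG_LARGE          = 2   /* size >= SHM_SUSPECT_MIN_BYTES */
};

typedef struct {
    int shmid;
    uid_t uid;              /* owner uid (shm_perm.uid) */
    unsigned perm;          /* low 9 permission bits of shm_perm.mode */
    unsigned long bytes;    /* segment size (shm_segsz) */
    pid_t cpid;             /* pid of the creating process (shm_cpid) */
    unsigned long nattch;   /* processes currently attached (shm_nattch) */
} shm_seg;

/* Pure classification on the two scalars the heuristic needs. */
unsigned shm_classify(unsigned perm, unsigned long bytes)
{
    unsigned f = 0;
    if (perm & 0002)
        f |= SHM_FLAG_WORLD_WRITABLE;
    if (bytes >= SHM_SUSPECT_MIN_BYTES)
        f |= SHM_FLAG_LARGE;
    return f;
}

unsigned shm_seg_flags(const shm_seg *s)
{
    return shm_classify(s->perm, s->bytes);
}

/* Walk every slot with SHM_STAT and copy the readable segments into out[].
 * Empty slots fail with EINVAL and segments we may not read with EACCES;
 * both are skipped, so run as root to see everything in this IPC namespace.
 * Returns the number of records written (at most max). */
int shm_enumerate(shm_seg *out, int max)
{
    int n = 0;
    for (int idx = 0; idx < SHM_MAX_SLOTS && n < max; idx++) {
        struct shmid_ds ds;
        int id = shmctl(idx, SHM_STAT, &ds);
        if (id < 0)
            continue;
        out[n].shmid  = id;
        out[n].uid    = ds.shm_perm.uid;
        out[n].perm   = (unsigned)ds.shm_perm.mode & 0777;
        out[n].bytes  = (unsigned long)ds.shm_segsz;
        out[n].cpid   = ds.shm_cpid;
        out[n].nattch = (unsigned long)ds.shm_nattch;
        n++;
    }
    return n;
}

/* Print one line per segment to fp and return how many were flagged. */
int shm_report(FILE *fp)
{
    static shm_seg segs[SHM_MAX_SLOTS];
    int n = shm_enumerate(segs, SHM_MAX_SLOTS);
    int flagged = 0;
    fprintf(fp, "%-10s %-6s %-5s %-12s %-7s %-6s %s\n",
            "shmid", "uid", "perm", "bytes", "cpid", "nattch", "flags");
    for (int i = 0; i < n; i++) {
        unsigned f = shm_seg_flags(&segs[i]);
        if (f)
            flagged++;
        fprintf(fp, "%-10d %-6u %04o  %-12lu %-7ld %-6lu %s%s\n",
                segs[i].shmid, (unsigned)segs[i].uid, segs[i].perm,
                segs[i].bytes, (long)segs[i].cpid, segs[i].nattch,
                (f & SHM_FLAG_WORLD_WRITABLE) ? "world-writable " : "",
                (f & SHM_FLAG_LARGE) ? "large" : "");
    }
    return flagged;
}

/* Constructed input: create a 2 MiB, mode 0666 segment, check that the
 * scanner flags it on both counts, then remove it. Returns 1 if flagged,
 * 0 if not, -1 if this host refused to create the segment at all. */
int shm_self_test(void)
{
    int id = shmget(IPC_PRIVATE, 2UL * 1024 * 1024, IPC_CREAT | 0666);
    if (id < 0)
        return -1;
    static shm_seg segs[SHM_MAX_SLOTS];
    int n = shm_enumerate(segs, SHM_MAX_SLOTS);
    int found = 0;
    for (int i = 0; i < n; i++)
        if (segs[i].shmid == id &&
            shm_seg_flags(&segs[i]) == (SHM_FLAG_WORLD_WRITABLE | SHM_FLAG_LARGE))
            found = 1;
    shmctl(id, IPC_RMID, NULL);
    return found;
}

int main(void)
{
    int flagged = shm_report(stdout);
    printf("%d segment(s) flagged; self-test: %d\n", flagged, shm_self_test());
    return 0;
}
```

Two caveats when using this on a real box: shmctl only sees the IPC namespace it runs in, so run it on the host (or in the same container) as the httpd processes, and as root, otherwise segments readable only by the www user are silently skipped. Apache's own scoreboard segment will show up in the table; judge a hit by its creator pid and mode, not by its mere presence, and compare the flagged segment against the indicators in the ESET write-up before concluding anything.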