

Monday, August 19, 2013

Module Injection or Darkleech Attack

DarkLeech affects servers running Apache 2.2.2 and above. The attackers infected the servers with an SSHD backdoor that enables them to upload and configure malicious Apache modules that are, in turn, used to inject malicious iFrames into legitimate sites.

More information http://blog.sucuri.net/2013/06/new-apac ... ction.html

The remedy I applied:

While checking the server I found "mod_suphp5.so", which is a fake module. I removed the .so file, removed the links to it from the configs, and ran easyapache again.

[/etc/httpd]# find . -name mod_suphp5.so
./modules/mod_suphp5.so

http://blog.sucuri.net/2013/04/apache-b ... rvers.html

What is a Darkleech Attack?

- inserts frames into PHP, HTML and JS files
  frame delivered to unique users only, no frame on repeat. << known anti-forensics. Interesting how this is implemented here: external logs, or based on Apache2?

- possibility of framing only traffic that came from search engines << looks like the Referer field again?

- different modes of framing – low, standard, aggressive

- update of the malicious frame from an external URL

- Admins of the webserver who have SSH access to it are excluded from frame delivery. The system is also able to detect the admin's IP by the URL of administrative access and ban the admin IP from the framing procedure.

- When root or any user in the sudo group logs into the server, the module switches to "quiet mode", and only when the admin's IP is banned or filtered out does the server proceed with infecting visitors.

- users filtered out by origin, OS version, local IP requests etc. << this is based on User-Agent, as far as I understand.

- When the module detects any suspicious process in memory (tcpdump, rkhunter etc.), it stops its activity

- option to encrypt the framing.

As the seller claims, the module was used privately for the last 2 years and is now available for sale. The current version is 14.0.


Module written in C and PHP


Solution:

Check the Apache2 config files for unknown modules that have been uploaded and loaded.
If you find a malicious module, remove it.
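The check above and the mod_suphp5.so find from the remedy section can be scripted. The following is an added example, not code from the original post or from any Apache or cPanel tooling: it parses the LoadModule directives Apache actually honours, compares the .so paths against an allow-list (assumed to be saved from a known-clean build), and, on a distro-packaged Apache, reports any module file that no package owns. The sample config, the allow-list contents and the default /etc/httpd server root are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit which modules Apache
# actually loads, so a dropped-in file such as mod_suphp5.so stands out.
# The sample config, the allow-list and the path /etc/httpd are assumptions.

# Print "module_name path" for every active LoadModule directive in the
# given config files. Commented-out directives are skipped; indentation is
# tolerated, so a line hidden inside an <IfModule> block is still reported.
list_loaded_modules() {
    cat "$@" 2>/dev/null \
        | grep -E '^[[:space:]]*LoadModule[[:space:]]' \
        | awk '{ print $2, $3 }'
}

# Print the entries from CONFIG whose .so path is not listed in ALLOWLIST
# (one expected path per line). On an EasyApache build, which is compiled
# from source rather than installed from a package, record the module list
# of a fresh build as the allow-list and diff against it after an incident.
flag_unknown_modules() {
    config="$1"
    allowlist="$2"
    list_loaded_modules "$config" | while read -r name path; do
        grep -qxF "$path" "$allowlist" || printf '%s %s\n' "$name" "$path"
    done
}

# Print the entries from CONFIG whose .so file no installed package owns.
# Useful on a distro-packaged httpd (rpm) or apache2 (dpkg): a legitimate
# module there is owned by a package, a hand-dropped backdoor is not.
unowned_modules() {
    config="$1"
    root="${SERVER_ROOT:-/etc/httpd}"
    list_loaded_modules "$config" | while read -r name path; do
        case "$path" in
            /*) so="$path" ;;
            *)  so="$root/$path" ;;
        esac
        if command -v rpm >/dev/null 2>&1; then
            rpm -qf "$so" >/dev/null 2>&1 || printf '%s %s\n' "$name" "$so"
        elif command -v dpkg >/dev/null 2>&1; then
            dpkg -S "$so" >/dev/null 2>&1 || printf '%s %s\n' "$name" "$so"
        fi
    done
}

# Demo on a constructed config: one known module, one commented-out line,
# and an indented directive loading the fake module named in the post.
demo_cfg=$(mktemp)
demo_allow=$(mktemp)
cat > "$demo_cfg" <<'EOF'
LoadModule ssl_module modules/mod_ssl.so
#LoadModule old_module modules/mod_old.so
<IfModule mod_so.c>
    LoadModule suphp5_module modules/mod_suphp5.so
</IfModule>
EOF
printf 'modules/mod_ssl.so\n' > "$demo_allow"
echo "Modules not on the allow-list:"
flag_unknown_modules "$demo_cfg" "$demo_allow"
rm -f "$demo_cfg" "$demo_allow"
```

On a real host, pass every file Apache reads, for example `list_loaded_modules /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf`, because an attacker with root can place the LoadModule line in any included file. The allow-list only covers what the config loads; it will not notice a legitimate .so that was modified in place, so pair it with a file-integrity check (rkhunter, or package verification such as `rpm -V httpd`) and treat any unowned or unlisted module as a reason to rebuild from clean sources, as the post's remedy does.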
