httpd-users mailing list archives

From Mathijs <mathijs...@gmail.com>
Subject Re: [users@httpd] Cdorked.A backdoor
Date Thu, 02 May 2013 10:07:30 GMT
On Thu, May 2, 2013 at 10:09 AM, Miguel Gonzalez <miguel_3_gonzalez@yahoo.es> wrote:

> Dear all,
>
>   I've been searching the archives of the mailing list and I don't see
> any reference to the Cdorked.A backdoor:
>
>
> http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/?goback=.gde_3496714_member_236822728
>
>   Does anyone know of any way of detecting that the binary has been compromised?
>

Since the backdoor resides in shared memory, it can be detected by
inspecting this memory region.  A simple C program has been developed to
check for the presence of the Cdorked.A backdoor in shared memory; I have
pasted it here: http://apaste.info/01f9

I can't tell from experience if this has a 100% 'detection rate' for the
backdoor, but it looks like a solid way of checking your server for
infection.

(Credits to Marc-Etienne M.Léveillé <leveille@eset.com> for this utility)


>
>  Regards,
>
>  Miguel
>



-- 
Gr,

Mathijs
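
As an added example (not the ESET utility linked above, and not code from the httpd project), here is a small C checker that applies the same idea: look at the shared-memory segments rather than the httpd binary. It walks Linux's /proc/sysvipc/shm, flags segments that are large, owned by the web server's uid and still attached to a process, and can dump a flagged segment to disk for offline inspection. The 1 MiB threshold, uid 33 (www-data on Debian-style systems) and the sample lines embedded for the self-check are assumptions or constructed; this is a heuristic for spotting a resident in-memory component, not a signature for Cdorked.A.

```c
/* shm_check.c: enumerate SysV shared-memory segments on Linux and flag the
 * ones a resident in-memory backdoor would leave behind: a large segment,
 * owned by the web server's uid, with at least one process still attached.
 * Flagged segments can be dumped to disk for offline review (strings, yara).
 * Build: cc -O2 -Wall -o shm_check shm_check.c
 * Run:   ./shm_check [min_bytes] [web_uid] [dump_dir]   (root needed to dump) */
#include <stdio.h>
#include <stdlib.h>
#include <sys/shm.h>

struct shm_seg {
    int key, shmid;
    unsigned perms;        /* mode, printed in octal by the kernel */
    unsigned long size;    /* bytes */
    int cpid, lpid;        /* creator pid, last pid to attach/detach */
    unsigned long nattch;  /* processes currently attached */
    unsigned uid, gid;
};

/* Parse one data line of /proc/sysvipc/shm. Returns 1 on success, 0 for the
 * header line or malformed input. Only the first nine columns are used. */
int parse_shm_line(const char *line, struct shm_seg *s)
{
    return sscanf(line, "%d %d %o %lu %d %d %lu %u %u",
                  &s->key, &s->shmid, &s->perms, &s->size,
                  &s->cpid, &s->lpid, &s->nattch, &s->uid, &s->gid) == 9;
}

/* Heuristic (assumed thresholds, not a signature): large, owned by the web
 * server uid, and still attached to something. */
int is_suspicious(const struct shm_seg *s, unsigned long min_bytes, unsigned web_uid)
{
    return s->size >= min_bytes && s->uid == web_uid && s->nattch > 0;
}

/* One-line convenience: -1 unparseable, 0 benign, 1 suspicious. */
int check_line(const char *line, unsigned long min_bytes, unsigned web_uid)
{
    struct shm_seg s;
    if (!parse_shm_line(line, &s)) return -1;
    return is_suspicious(&s, min_bytes, web_uid);
}

/* Attach read-only and copy the segment to path. Returns bytes written or -1. */
long dump_segment(int shmid, unsigned long size, const char *path)
{
    void *p = shmat(shmid, NULL, SHM_RDONLY);
    if (p == (void *)-1) return -1;
    FILE *f = fopen(path, "wb");
    long w = f ? (long)fwrite(p, 1, size, f) : -1;
    if (f) fclose(f);
    shmdt(p);
    return w;
}

/* Walk /proc/sysvipc/shm and report matches. Returns the number of flagged
 * segments, or -1 if the file cannot be opened (non-Linux, no SysV IPC). */
int scan_shm(unsigned long min_bytes, unsigned web_uid, const char *dump_dir)
{
    FILE *f = fopen("/proc/sysvipc/shm", "r");
    if (!f) return -1;
    char line[512], path[256];
    struct shm_seg s;
    int flagged = 0;
    while (fgets(line, sizeof line, f)) {
        if (!parse_shm_line(line, &s) || !is_suspicious(&s, min_bytes, web_uid))
            continue;
        flagged++;
        printf("shmid=%d key=%d size=%lu uid=%u perms=%o nattch=%lu cpid=%d lpid=%d\n",
               s.shmid, s.key, s.size, s.uid, s.perms, s.nattch, s.cpid, s.lpid);
        if (dump_dir) {
            snprintf(path, sizeof path, "%s/shm_%d.bin", dump_dir, s.shmid);
            long w = dump_segment(s.shmid, s.size, path);
            printf("  %s %s\n", w < 0 ? "dump failed:" : "dumped to", path);
        }
    }
    fclose(f);
    return flagged;
}

/* Constructed sample lines in /proc/sysvipc/shm format (not from a real host)
 * so the parser and heuristic can be exercised without a live system. */
const char *SAMPLE_HEADER =
    "       key      shmid perms                  size  cpid  lpid nattch   uid   gid";
const char *SAMPLE_WEB =   /* 4 MiB, uid 33, three attachers: flagged */
    "         0      65537  1600               4194304  4242  4243      3    33    33    33    33 1367489000          0 1367489000";
const char *SAMPLE_SMALL = /* same owner, 4 KiB: below the size threshold */
    "         0      65538  1600                  4096  4242  4242      1    33    33    33    33 1367489000          0 1367489000";
const char *SAMPLE_ROOT =  /* large but owned by uid 0: not the web server */
    "1234567890      65539  1600               4194304   999   999      1     0     0     0     0 1367489000          0 1367489000";

int main(int argc, char **argv)
{
    unsigned long min_bytes = argc > 1 ? strtoul(argv[1], NULL, 0) : 1024UL * 1024UL;
    unsigned web_uid = argc > 2 ? (unsigned)strtoul(argv[2], NULL, 0) : 33u; /* www-data: assumption */
    int n = scan_shm(min_bytes, web_uid, argc > 3 ? argv[3] : NULL);
    if (n < 0) { perror("/proc/sysvipc/shm"); return 2; }
    printf("%d segment(s) flagged\n", n);
    return n > 0 ? 1 : 0;
}
```

Run it as root so that shmat() can attach to segments owned by the web server uid; on a system without /proc/sysvipc (FreeBSD and friends) `ipcs -m` lists the same information and the parser would need adjusting. A clean result only says no segment matched the heuristic in the current IPC namespace; it says nothing about the on-disk binary, so pair it with the package manager's checksum verification (for example `rpm -V httpd` or `debsums`) when you are trying to answer the original question about whether the binary itself was replaced.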
