Linux/Cdorked.A analysis

martinc, 2013-04-29T21:34:16Z

I was about to start looking at creating an analysis to detect this, but from what I can see, it looks like I am going to have to create a fixlet to execute and then retrieve the contents. This link has information on the detection:

http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html

I see that in the doc it suggests the following two items that I could check for.

1. grep -r open_tty /usr/local/apache/

2. chattr -ai /usr/local/apache/bin/httpd

The first one is not an issue, but I cannot seem to find a method to get the second.

There is also a Python script that can be executed (can be found at: http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/), but I was trying to avoid running scripts.

Thanks

Martin

Updated on 2013-04-29T21:34:27Z by martinc

Re: Linux/Cdorked.A analysis

Jeff Saxton, 2013-08-10T04:55:29Z, in response to martinc

At the current time you are stuck executing a script for #2, as there is currently no ActionScript equivalent of the chattr command.
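The two checks quoted in the question, written as the script a fixlet would have to execute given that the answer says there is no ActionScript equivalent of chattr. This is an added example, not code from the thread, from the Sucuri post or from the ESET script. The Apache path is the assumed cPanel default; the sample tree it scans when run without arguments is constructed. It reads the attribute flags with lsattr rather than clearing them with chattr -ai, so running it changes nothing on the host.

```shell
#!/bin/sh
# Added example, not code from the thread or the linked posts: a read-only
# check for the two Cdorked.A indicators quoted in the question, as the
# script a fixlet would execute. /usr/local/apache is an assumed (cPanel)
# default; the sample tree built below is constructed data.

# Indicator 1: the string "open_tty" somewhere under the Apache directory.
# Prints matching paths. Returns 0 if found, 1 if not.
has_open_tty() {
    dir="$1"
    # -r recurse, -l print only file names, -a scan binaries as text so the
    # path is printed instead of "Binary file ... matches".
    matches=$(grep -rla 'open_tty' "$dir" 2>/dev/null || true)
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches"
    return 0
}

# Indicator 2: immutable (i) or append-only (a) attribute on the httpd binary.
# Reads the flags with lsattr instead of clearing them with chattr -ai, so the
# check changes nothing. Returns 0 if i or a is set, 1 if neither is set,
# 2 if undetermined (file missing, no lsattr, or a filesystem without flags).
httpd_is_immutable() {
    bin="$1"
    [ -f "$bin" ] || return 2
    command -v lsattr >/dev/null 2>&1 || return 2
    attrs=$(lsattr "$bin" 2>/dev/null) || return 2
    # lsattr output looks like "----i---------e------- /path/httpd"; the flag
    # field is the first word. Upper-case I (indexed directory) does not match.
    flags=${attrs%% *}
    case "$flags" in
        *i*|*a*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Run both checks against one Apache tree. Returns 1 if any indicator fired,
# 0 if clean (an undetermined attribute check is reported but not counted).
scan() {
    apache_dir="${1:-/usr/local/apache}"
    status=0
    if has_open_tty "$apache_dir"; then
        echo "INDICATOR: open_tty found under $apache_dir"
        status=1
    fi
    httpd_is_immutable "$apache_dir/bin/httpd" && imm=0 || imm=$?
    case "$imm" in
        0) echo "INDICATOR: $apache_dir/bin/httpd has immutable/append-only flag"; status=1 ;;
        2) echo "UNDETERMINED: cannot read attributes of $apache_dir/bin/httpd" ;;
    esac
    return "$status"
}

# Constructed sample data (not real binaries): one tree whose httpd carries the
# open_tty string and one that does not. Prints the temporary root directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/infected/bin" "$root/clean/bin"
    printf 'stub binary ... open_tty ...\n' > "$root/infected/bin/httpd"
    printf 'stub binary ... nothing of note ...\n' > "$root/clean/bin/httpd"
    echo "$root"
}

# With an argument, scan that Apache tree (e.g. sh cdorked_check.sh /usr/local/apache);
# without one, demonstrate against the constructed trees.
if [ $# -gt 0 ]; then
    scan "$1" || true
else
    SAMPLE=$(make_sample_tree)
    echo "== constructed infected tree =="; scan "$SAMPLE/infected" || true
    echo "== constructed clean tree ==";    scan "$SAMPLE/clean"    || true
    rm -rf "$SAMPLE"
fi
```

The exit status of scan (1 when an indicator fired, 0 when clean) is the value a fixlet would capture and report back; the attribute check deliberately distinguishes "not immutable" from "could not tell", since a host without lsattr would otherwise read as clean.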