5 replies Latest Post - ‏2013-05-03T19:22:13Z by Sunit
NPfister

Pinned topic Linux/Cdorked.A

‏2013-04-30T17:56:07Z |

Hello;

I was just wondering, since IBM HTTP Server is based on Apache, does the Linux/Cdorked.A vulnerability apply to the IBM HTTP Server?  I would assume that it does, but wanted to ask to be sure.

Thanks

  • Sunit

    Re: Linux/Cdorked.A

    ‏2013-05-01T12:27:57Z  in response to NPfister

    This appears to be an issue where users have installed a compromised Apache binary. I am yet to find anything that says Apache itself is vulnerable.

    How the compromised Apache binary got installed is a matter of speculation.

     

    ---Sunit

    • NPfister

      Re: Linux/Cdorked.A

      ‏2013-05-01T12:51:36Z  in response to Sunit

      Sunit,

       

      Upon having read a little more about this vulnerability, I would agree.  That leaves one question:

      Assuming that the compromised binary were to be installed via an SSH attack (as is speculated on a few sources)... would IBM HTTP Server run on said compromised binary, thus being vulnerable to this infection?

      Thanks;
      Nathan Pfister

      • Sunit

        Re: Linux/Cdorked.A

        ‏2013-05-01T14:15:47Z  in response to NPfister

        If an attacker has access to the server where he/she can change a binary that should be owned by root (but in many cases is not as it does not have to be), then the attacker can easily replace IHS with base Apache. As to whether just the Apache binary can work with IBM modules without a recompile, I am not sure. Perhaps Eric can answer that question.

        --Sunit
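
Added example, not part of any post in this thread: a shell check for the condition raised in the reply above, an httpd binary (or its directory) that is not owned by root or is group/world-writable and could therefore be swapped by a non-root account. The function name `check_binary_perms` and the placeholder path in the usage comment are assumptions; the code relies on GNU `stat` and `readlink -f`.

```shell
# Usage: check_binary_perms PATH [EXPECTED_UID]   (EXPECTED_UID defaults to 0, root)
#   e.g. check_binary_perms /path/to/HTTPServer/bin/httpd   (placeholder path)
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
check_binary_perms() {
    target=$1
    want_uid=${2:-0}
    rc=0

    if [ ! -e "$target" ]; then
        echo "MISSING $target"
        return 1
    fi

    # Resolve symlinks so the real file is inspected, not the link.
    real=$(readlink -f "$target")
    dir=$(dirname "$real")

    # The containing directory matters too: write access to it allows
    # renaming the binary away and dropping a replacement in its place.
    for p in "$real" "$dir"; do
        uid=$(stat -c '%u' "$p")     # numeric owner
        mode=$(stat -c '%a' "$p")    # octal permission bits, e.g. 755
        if [ "$uid" != "$want_uid" ]; then
            echo "OWNER $p uid=$uid expected=$want_uid"
            rc=1
        fi
        # 022 masks the group-write and other-write bits.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $p mode=$mode"
            rc=1
        fi
    done
    return $rc
}
```

A clean result only says the file is hard for a non-root account to replace; it does not show that the binary currently on disk is the vendor's original.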

  • Eric Covener

    Re: Linux/Cdorked.A

    ‏2013-05-03T16:05:47Z  in response to NPfister

    Sorry for not responding earlier, but since I've lost RSS access for this forum I've basically given up on it.

    If httpd is patched, it may continue to work.

    If httpd is replaced, it's likely that the server would no longer work (assuming that mod_ibm_ssl is loaded). This is because mod_ibm_ssl uses proprietary integration into the core of httpd.

    If they replace the entire distribution/component, there'd be some extra difficulty with maintaining SSL capability.