Topic
  • 5 replies
  • Latest Post - ‏2013-05-03T19:22:13Z by Sunit
NPfister
43 Posts

Pinned topic Linux/Cdorked.A

‏2013-04-30T17:56:07Z |

Hello;

I was just wondering, since IBM HTTP Server is based on Apache, does the Linux/Cdorked.A vulnerability apply to the IBM HTTP Server?  I would assume that it does, but wanted to ask to be sure.

Thanks

  • Sunit
    209 Posts
    ACCEPTED ANSWER

    Re: Linux/Cdorked.A

    ‏2013-05-01T12:27:57Z  

    This appears to be an issue where users have installed a compromised Apache binary. I have yet to find anything that says Apache itself is vulnerable.

    As to how the compromised Apache binary got installed, that is a matter of speculation.

     

    ---Sunit

  • NPfister
    43 Posts

    Re: Linux/Cdorked.A

    ‏2013-05-01T12:51:36Z  
    • Sunit
    • ‏2013-05-01T12:27:57Z

    This appears to be an issue where users have installed a compromised Apache binary. I have yet to find anything that says Apache itself is vulnerable.

    As to how the compromised Apache binary got installed, that is a matter of speculation.

     

    ---Sunit

    Sunit,

     

    Upon having read a little more about this vulnerability, I would agree. That leaves one question:

    Assuming that the compromised binary were to be installed via an SSH attack (as is speculated in a few sources), would IBM HTTP Server run on said compromised binary, thus being vulnerable to this infection?

    Thanks;
    Nathan Pfister

  • Sunit
    209 Posts

    Re: Linux/Cdorked.A

    ‏2013-05-01T14:15:47Z  
    • NPfister
    • ‏2013-05-01T12:51:36Z

    Sunit,

     

    Upon having read a little more about this vulnerability, I would agree. That leaves one question:

    Assuming that the compromised binary were to be installed via an SSH attack (as is speculated in a few sources), would IBM HTTP Server run on said compromised binary, thus being vulnerable to this infection?

    Thanks;
    Nathan Pfister

    If an attacker has access to the server where he/she can change a binary that should be owned by root (but in many cases is not, as it does not have to be), then the attacker can easily replace IHS with base Apache. As to whether just the Apache binary can work with IBM modules without a recompile, I am not sure. Perhaps Eric can answer that question.

    --Sunit
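
The reply above notes that the httpd binary should be owned by root but often is not. As an added example (not code from this thread or from IBM), the following audit walks from a given httpd binary up to the filesystem root and reports every component that is not owned by a trusted uid or is writable by group/other, since write access to a parent directory is enough to swap the file. The function name, its parameters and the script name in the usage comment are assumptions made for this illustration.

```python
import os
import stat
import sys


def audit_binary_path(binary, trusted_uids=(0,), top="/"):
    """Check `binary` and every directory from it up to `top`.

    Returns a list of (path, problem) tuples. Replacing a file needs
    write access to the file or to a directory above it, so each
    component must be owned by a trusted uid and must not be writable
    by group or other.
    """
    findings = []
    top = os.path.realpath(top)
    current = os.path.realpath(binary)  # resolve symlinks to the real file
    while True:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            findings.append((current, "owned by uid %d" % st.st_uid))
        loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        # In a sticky directory (such as /tmp) only the owner of an
        # entry, the directory owner or root may rename or delete it.
        sticky = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if loose and not sticky:
            mode = stat.S_IMODE(st.st_mode)
            findings.append((current, "group/other writable (mode %o)" % mode))
        parent = os.path.dirname(current)
        if current == top or parent == current:
            break
        current = parent
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_httpd.py /path/to/httpd  (path supplied by you)
    if len(sys.argv) != 2:
        sys.exit("usage: %s /path/to/httpd" % sys.argv[0])
    problems = audit_binary_path(sys.argv[1])
    for path, problem in problems:
        print("%s: %s" % (path, problem))
    sys.exit(1 if problems else 0)
```

An empty result only shows that the current permissions are tight; it says nothing about whether the binary was altered earlier, which needs a comparison against a known-good copy or the vendor's checksums.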

  • Eric Covener
    144 Posts

    Re: Linux/Cdorked.A

    ‏2013-05-03T16:05:47Z  

    Sorry for not responding earlier, but since I've lost RSS access for this forum I've basically given up on it.

    If httpd is patched, it may continue to work.

    If httpd is replaced, it's likely that the server would no longer work (assuming that mod_ibm_ssl is loaded). This is because mod_ibm_ssl uses proprietary integration into the core of httpd.

    If they replace the entire distribution/component, there'd be some extra difficulty with maintaining SSL capability.

     

  • Sunit
    209 Posts

    Re: Linux/Cdorked.A

    ‏2013-05-03T19:22:13Z  

    Sorry for not responding earlier, but since I've lost RSS access for this forum I've basically given up on it.

    If httpd is patched, it may continue to work.

    If httpd is replaced, it's likely that the server would no longer work (assuming that mod_ibm_ssl is loaded). This is because mod_ibm_ssl uses proprietary integration into the core of httpd.

    If they replace the entire distribution/component, there'd be some extra difficulty with maintaining SSL capability.

     

    Eric,

    I think the feed URL was changed recently. After noticing no updates to various feeds I subscribe to, I did some digging and the new feed URL is:
     

    https://www.ibm.com/developerworks/community/forums/atom/entries?forumUuid=11111111-0000-0000-0000-000000000287

     

    --Sunit