From: Vincent Hoffman <vince@unsane.co.uk>
Date: Fri, 10 May 2013 10:27:27 +0100
To: pete wright
Cc: Joshua Isom, freebsd-questions@freebsd.org
Subject: Re: Cdorked.A
Message-ID: <518CBD7F.1050006@unsane.co.uk>

On 09/05/2013 23:12, pete wright wrote:
> On Thu, May 9, 2013 at 2:52 PM, Joshua Isom wrote:
>> On 5/9/2013 12:19 PM, Per olof Ljungmark wrote:
>>> Hi,
>>>
>>> Is Apache on FreeBSD affected?
>>>
>>> Thanks,
>>
>> Technically, Apache isn't the problem. The hole's in cPanel probably, not
>> Apache. The attackers replace Apache, probably patching the source code and
>> replacing the host's with a trojaned copy. If they're patching the source
>> code, then yes, FreeBSD, Windows, OS X, Solaris, OpenBSD, et al are possibly
>> infected.
>>
> I am not sure that is the case from the research I have been doing on
> this topic. For example there are reports of it being detected on
> lighttpd, nginx and systems that do not use cpanel:
>
> http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/
>
> If anyone has a better rundown of this it would be great if you could
> point me in the right direction. I am having problems finding a
> proper examination/explanation of this backdoor.

As far as I can follow from the articles I have read, the exploit involves
replacing the apache/lighttpd/nginx binary. This should require root
privileges, which indicates you have much bigger problems anyway.

As Joshua's reply stated, they seem to be patching apache/lighttpd/nginx, so
in theory at least cdorked could probably be compiled for FreeBSD. However,
as yet I haven't heard of any cases of this happening; my guess at this time
would be that the malicious binaries have only been compiled for Linux since
this has a much greater deployed base to attack.

Vince

> cheers,
> -pete
>
> --
> pete wright
> www.nycbug.org
> @nomadlogicLA
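The thread's one solid technical point is that Cdorked lives in a replaced httpd/lighttpd/nginx binary, so the check a defender wants is binary integrity against a baseline taken while the host was known-good. The script below is an added example, not code from the thread or from any of the projects named in it; the function names and the throwaway "httpd" fixture it builds under mktemp are its own. It records SHA-256 digests into a manifest and later reports OK, CHANGED or MISSING per path, using sha256(1) on FreeBSD and sha256sum(1) elsewhere. For binaries installed from FreeBSD packages, `pkg check -s <pkgname>` performs the same comparison against the package database's recorded checksums.

```shell
#!/bin/sh
# Added example (not from the thread): verify a web server binary against a
# baseline SHA-256 manifest recorded while the host was known-good.
# Function names and the demo fixture below are this example's own.

# hash_file FILE -> prints the SHA-256 hex digest of FILE.
# FreeBSD ships sha256(1); most Linux systems ship sha256sum(1) instead.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# baseline_record FILE... -> prints one "DIGEST  PATH" line per file.
# Store the output off the host: an intruder with root who can swap
# httpd can just as easily rewrite a manifest kept on the same disk.
baseline_record() {
    for f in "$@"; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done
}

# verify_against_baseline MANIFEST -> prints OK/CHANGED/MISSING per path,
# returns 0 only when every recorded file still matches its digest.
verify_against_baseline() {
    status=0
    while read -r expected path; do
        [ -z "$path" ] && continue
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            status=1
            continue
        fi
        actual=$(hash_file "$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK      $path"
        else
            echo "CHANGED $path"
            status=1
        fi
    done < "$1"
    return "$status"
}

# Demo on a constructed fixture: a stand-in "httpd" file is baselined,
# then altered the way a swapped binary would be.
demo() {
    dir=$(mktemp -d)
    printf 'placeholder httpd contents\n' > "$dir/httpd"
    baseline_record "$dir/httpd" > "$dir/manifest"
    verify_against_baseline "$dir/manifest"      # prints OK, returns 0
    printf 'extra bytes\n' >> "$dir/httpd"
    verify_against_baseline "$dir/manifest"      # prints CHANGED, returns 1
    rm -rf "$dir"
}

demo || :
```

Run it from a trusted environment (the manifest copied back from offline storage, ideally with the disk mounted read-only from rescue media), since Vince's observation cuts both ways: a root-level attacker who replaced the daemon can also tamper with any on-host checker, so a clean result from a tool run on the suspect system is only as good as the tool and the manifest it was given.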