Date: Thu, 9 May 2013 15:12:54 -0700
From: pete wright <nomadlogic@gmail.com>
To: Joshua Isom <jrisom@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Cdorked.A
Message-ID: <CAGBmCT5w9y5MzFYybyTGfLADQKabrM3wtsNrdmA4sAzGC8Ffyg@mail.gmail.com>
In-Reply-To: <518C1A84.20507@gmail.com>
References: <518BDABF.7010401@intersonic.se> <518C1A84.20507@gmail.com>

On Thu, May 9, 2013 at 2:52 PM, Joshua Isom <jrisom@gmail.com> wrote:
> On 5/9/2013 12:19 PM, Per olof Ljungmark wrote:
>>
>> Hi,
>>
>> Is Apache on FreeBSD affected?
>>
>> Thanks,
>
>
> Technically, Apache isn't the problem. The hole's in cPanel probably, not
> Apache. The attackers replace Apache, probably patching the source code and
> replacing the host's with a trojaned copy. If they're patching the source
> code, then yes, FreeBSD, Windows, OS X, Solaris, OpenBSD, et al are possibly
> infected.
>

I am not sure that is the case from the research I have been doing on
this topic. For example there are reports of it being detected on
lighttpd, nginx and systems that do not use cpanel:

http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/

If anyone has a better rundown of this it would be great if you could
point me in the right direction. I am having problems finding a proper
examination/explanation of this backdoor.

cheers,
-pete

--
pete wright
www.nycbug.org
@nomadlogicLA