Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 9 May 2013 15:12:54 -0700
From:      pete wright <nomadlogic@gmail.com>
To:        Joshua Isom <jrisom@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Cdorked.A
Message-ID:  <CAGBmCT5w9y5MzFYybyTGfLADQKabrM3wtsNrdmA4sAzGC8Ffyg@mail.gmail.com>
In-Reply-To: <518C1A84.20507@gmail.com>
References:  <518BDABF.7010401@intersonic.se> <518C1A84.20507@gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Thu, May 9, 2013 at 2:52 PM, Joshua Isom <jrisom@gmail.com> wrote:
> On 5/9/2013 12:19 PM, Per olof Ljungmark wrote:
>>
>> Hi,
>>
>> Is Apache on FreeBSD affected?
>>
>> Thanks,
>
>
> Technically, Apache isn't the problem.  The hole's in cPanel probably, not
> Apache.  The attackers replace Apache, probably patching the source code and
> replacing the host's with a trojaned copy.  If they're patching the source
> code, then yes, FreeBSD, Windows, OS X, Solaris, OpenBSD, et al are possibly
> infected.
>

I am not sure that is the case from the research I have been doing on
this topic.  For example there are reports of it being detected on
lighttpd, nginx and systems that do not use cpanel:


http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/


If anyone has a better rundown of this it would be great if you could
point me in the right direction.  I am having problems finding a
proper examination/explanation of this backdoor.


cheers,
-pete


--
pete wright
www.nycbug.org
@nomadlogicLA



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?CAGBmCT5w9y5MzFYybyTGfLADQKabrM3wtsNrdmA4sAzGC8Ffyg>