Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 10 May 2013 10:27:27 +0100
From:      Vincent Hoffman <vince@unsane.co.uk>
To:        pete wright <nomadlogic@gmail.com>
Cc:        Joshua Isom <jrisom@gmail.com>, freebsd-questions@freebsd.org
Subject:   Re: Cdorked.A
Message-ID:  <518CBD7F.1050006@unsane.co.uk>
In-Reply-To: <CAGBmCT5w9y5MzFYybyTGfLADQKabrM3wtsNrdmA4sAzGC8Ffyg@mail.gmail.com>
References:  <518BDABF.7010401@intersonic.se> <518C1A84.20507@gmail.com> <CAGBmCT5w9y5MzFYybyTGfLADQKabrM3wtsNrdmA4sAzGC8Ffyg@mail.gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On 09/05/2013 23:12, pete wright wrote:
> On Thu, May 9, 2013 at 2:52 PM, Joshua Isom <jrisom@gmail.com> wrote:
>> On 5/9/2013 12:19 PM, Per olof Ljungmark wrote:
>>> Hi,
>>>
>>> Is Apache on FreeBSD affected?
>>>
>>> Thanks,
>>
>> Technically, Apache isn't the problem.  The hole's in cPanel probably, not
>> Apache.  The attackers replace Apache, probably patching the source code and
>> replacing the host's with a trojaned copy.  If they're patching the source
>> code, then yes, FreeBSD, Windows, OS X, Solaris, OpenBSD, et al are possibly
>> infected.
>>
> I am not sure that is the case from the research I have been doing on
> this topic.  For example there are reports of it being detected on
> lighttpd, nginx and systems that do not use cpanel:
>
>
> http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/
>
>
> If anyone has a better rundown of this it would be great if you could
> point me in the right direction.  I am having problems finding a
> proper examination/explanation of this backdoor.
As far as I can follow from the articles I have read the exploit
involves replacing the apache/lighttpd/nginx binary, this should require
root privileges which indicates you have much bigger problems anyway.
As Joshua's reply stated they seem to be patching apache/lighttpd/nginx
so in theory at least cdorked could probably be complied for FreeBSD,
however as yet I haven't heard of any cases of this happening, my guess
at this time would be that the malicious binaries have only been
compiled for Linux since this has a much greater deployed base to attack.


Vince

>
> cheers,
> -pete
>
>
> --
> pete wright
> www.nycbug.org
> @nomadlogicLA
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?518CBD7F.1050006>