This article is more than 1 year old
Apache attack drives traffic to malware
Blackhole redirect served by modified daemon binary
A security researcher is warning that an attack on the Apache Web server is increasingly showing up in the wild, and has published a free Python tool to check their configurations.
The attack is designed to avoid leaving disk footprints, according to this post analysing the backdoor. It exists as a modified httpd file that redirects HTTP requests to the well-known Blackhole exploit pack.
Redirected victims hitting the compromised server are remembered so they aren't redirected a second time. The redirection looks like the original URL, with a base64 encoded string added, used by the backdoor to record parameters describing the redirected client to ensure the right payload is delivered (for example, identifying if it had originally requested a Javascript file).
Apart from the modified httpd file, everything associated with the exploit exists only in 6 MB of shared memory, with configuration pushed through obfuscated HTTP requests to evade logging.
The analysis has identified 23 commands in the binary, all of them two-character hex bytes (DU, ST, T1 and so on). Thos commands are invoked by a POST command to a crafted URL including “SECID=” as a cookie header. As the author of the post, Pierre-Marc Bureau notes, “we believe the URLs to redirect clients are sent to the backdoor using this method. The redirection information will be stored encrypted in the allocated shared memory region.”
Other capabilities of the commands include:
- Setting redirection conditions;
- Whitelisting user agents; and
- Blacklisting IP addresses to avoid detection.
Because the attack sets loose permissions on the shared directory, other processors can access it. This tool, dump_dcorked_config.py, verifies the presence of the shared memory region and dumps its contents into a file for analysis. ®