> Has anyone heard about this Apache exploit? Supposedly there is a mass
> infection using Apache's dynamic module.
>
> Mass host hack bigger than first thought, hits 10,000 sites
> Some hacked Apache servers reinfected even after clean-up and Linux
> reinstall
> http://tinyurl.com/28obnf
> http://tinyurl.com/22clxe

According to the article:

"Jackson's can't prove how the sites were originally hacked, but all the evidence points to the theft of log-on credentials"

> Is this for real or is this merely an isolated problem blown out of
> proportion to cause FUD? If this is for real, the articles did not
> explain how you can detect if you were infected, or how to disable
> Apache's dynamic module.
>
> Is there a "dynamic module" module or is it referring to any module that
> is loaded by the LoadModule directive? If the latter is the case then
> any site hosting SSL or PHP or any number of other items would be
> disabled. I am hoping the former is the case and there is some
> mysterious "dynamic module" module to be disabled. Any ideas?

I'm assuming they mean a DSO (Dynamic Shared Object), in that once they get on to the server, they load a DSO into Apache that adds the malicious code.

The bigger question is why admins are reinstalling with the same logon credentials if they think that's how they got in to begin with.

Greg

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
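
If the reading above is right and the malicious code arrives as a DSO loaded through a `LoadModule` directive, one way to look for unexpected modules is to compare the active `LoadModule` lines against a known-good baseline. This is an added example, not part of the original thread; the baseline, the sample configuration and the `modules` directory name are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# LoadModule <identifier> <path to .so>; directive names are case-insensitive.
LOADMODULE_RE = re.compile(r'^\s*LoadModule\s+(\S+)\s+"?([^"\s]+)"?', re.IGNORECASE)

def parse_loadmodules(conf_text):
    """Return [(lineno, identifier, path)] for each active LoadModule line."""
    found = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are not loaded
        m = LOADMODULE_RE.match(line)
        if m:
            found.append((lineno, m.group(1), m.group(2)))
    return found

def audit(conf_text, baseline, modules_dir="modules"):
    """Flag modules absent from the baseline or loaded from an unexpected directory."""
    findings = []
    for lineno, ident, path in parse_loadmodules(conf_text):
        reasons = []
        if ident not in baseline:
            reasons.append("not in baseline")
        elif baseline[ident] != path:
            reasons.append("path differs from baseline")
        if str(PurePosixPath(path).parent) != modules_dir:
            reasons.append("outside " + modules_dir)
        if reasons:
            findings.append((lineno, ident, path, reasons))
    return findings

# Constructed sample configuration and baseline (assumptions for this example).
SAMPLE_CONF = """\
# LoadModule status_module modules/mod_status.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule php5_module modules/libphp5.so
loadmodule example_module /tmp/.cache/mod_example.so
"""
BASELINE = {"ssl_module": "modules/mod_ssl.so", "php5_module": "modules/libphp5.so"}

if __name__ == "__main__":
    for lineno, ident, path, reasons in audit(SAMPLE_CONF, BASELINE):
        print(f"line {lineno}: {ident} -> {path} ({', '.join(reasons)})")
```

This only inspects the text it is given, so files pulled in with `Include` need to be audited as well. A module file replaced in place at a baseline path would pass, which is why the check belongs alongside file-integrity comparison of the `.so` files themselves.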
