Re: Cdorked.A
On 09/05/2013 23:12, pete wright wrote:
> On Thu, May 9, 2013 at 2:52 PM, Joshua Isom jri...@gmail.com wrote:
>> On 5/9/2013 12:19 PM, Per olof Ljungmark wrote:
>>> Hi,
>>>
>>> Is Apache on FreeBSD affected?
>>>
>>> Thanks,
>>
>> Technically, Apache isn't the problem. The hole's in cPanel probably, not Apache. The attackers replace Apache, probably patching the source code and replacing the host's with a trojaned copy. If they're patching the source code, then yes, FreeBSD, Windows, OS X, Solaris, OpenBSD, et al are possibly infected.
>
> I am not sure that is the case from the research I have been doing on this topic. For example there are reports of it being detected on lighttpd, nginx and systems that do not use cpanel:
>
> http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/
>
> If anyone has a better rundown of this it would be great if you could point me in the right direction. I am having problems finding a proper examination/explanation of this backdoor.

As far as I can follow from the articles I have read the exploit involves replacing the apache/lighttpd/nginx binary, this should require root privileges which indicates you have much bigger problems anyway. As Joshua's reply stated they seem to be patching apache/lighttpd/nginx so in theory at least cdorked could probably be compiled for FreeBSD, however as yet I haven't heard of any cases of this happening, my guess at this time would be that the malicious binaries have only been compiled for Linux since this has a much greater deployed base to attack.

Vince

> cheers,
> -pete
>
> --
> pete wright
> www.nycbug.org
> @nomadlogicLA

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
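The message above describes the backdoor as a replaced apache/lighttpd/nginx binary. The following is an added example, not part of the original thread, of a baseline-and-verify check that flags a web server binary whose contents have changed. The function names and the manifest format are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: record SHA-256 hashes of web server binaries, then
# verify them later. Function names and manifest layout are hypothetical.

# Print the SHA-256 of a file with whichever tool the platform ships.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"          # FreeBSD base system
    fi
}

# record_baseline MANIFEST FILE...
# Writes one "hash  path" line per file into MANIFEST.
record_baseline() {
    manifest=$1; shift
    : > "$manifest"
    for f in "$@"; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$manifest"
    done
}

# verify_baseline MANIFEST
# Prints one line per problem; returns 0 if every file matches, 1 otherwise.
verify_baseline() {
    status=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1
        elif [ "$(hash_file "$path")" != "$want" ]; then
            echo "CHANGED  $path"; status=1
        fi
    done < "$1"
    return $status
}
```

Because replacing the binary requires root, as noted above, the manifest should be kept off the host or on read-only media; root on the same machine can rewrite a local manifest along with the binary.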
Cdorked.A
Hi,

Is Apache on FreeBSD affected?

Thanks,
Re: Cdorked.A
On 5/9/2013 12:19 PM, Per olof Ljungmark wrote:
> Hi,
>
> Is Apache on FreeBSD affected?
>
> Thanks,

Technically, Apache isn't the problem. The hole's in cPanel probably, not Apache. The attackers replace Apache, probably patching the source code and replacing the host's with a trojaned copy. If they're patching the source code, then yes, FreeBSD, Windows, OS X, Solaris, OpenBSD, et al are possibly infected.
Re: Cdorked.A
On Thu, May 9, 2013 at 2:52 PM, Joshua Isom jri...@gmail.com wrote:
> On 5/9/2013 12:19 PM, Per olof Ljungmark wrote:
>> Hi,
>>
>> Is Apache on FreeBSD affected?
>>
>> Thanks,
>
> Technically, Apache isn't the problem. The hole's in cPanel probably, not Apache. The attackers replace Apache, probably patching the source code and replacing the host's with a trojaned copy. If they're patching the source code, then yes, FreeBSD, Windows, OS X, Solaris, OpenBSD, et al are possibly infected.

I am not sure that is the case from the research I have been doing on this topic. For example there are reports of it being detected on lighttpd, nginx and systems that do not use cpanel:

http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/

If anyone has a better rundown of this it would be great if you could point me in the right direction. I am having problems finding a proper examination/explanation of this backdoor.

cheers,
-pete

--
pete wright
www.nycbug.org
@nomadlogicLA