Researchers have discovered a new backdoor targeting Apache on cPanel-based servers. The attackers have replaced the Apache binary with a malicious one and, in this version, have done so in a way that makes the compromise nearly impossible to detect.
cPanel is web hosting control-panel software used to create and manage essential domain functions through a GUI. The backend of the server is controlled by WHM, while cPanel handles basic domain functions such as email, FTP, and directory access. Unlike a normal LAMP installation, Apache under cPanel is built and installed without the system package manager, so package-based integrity checks do not cover the httpd binary.
While the backdoor itself works the same way as previously reported, the attackers have modified this latest version with techniques that make it nearly impossible to detect. In fact, the previously published detection methods show nothing out of the ordinary on an infected host.
The malware was first detected by Sucuri, a firm dedicated to fighting Web-based threats by focusing on defensive and preventive measures, as well as awareness. They turned to ESET for additional support, which yielded the details that uncovered just how far criminals have come in their efforts to hijack the core of Apache.
“When attackers get full root access to the server, they can do anything they want. From modifying configurations, to injecting modules and replacing binaries. However, their tactics are changing to make it even harder for admins to detect their presence and recover from the compromise,” commented Sucuri’s Daniel Cid.
The latest effort, ESET says, is “one of the most sophisticated Apache backdoors we have seen so far.”
“The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis. All of the information related to the backdoor is stored in shared memory. The configuration is pushed by the attacker through obfuscated HTTP requests that aren’t logged in normal Apache logs. This means that no command and control information is stored anywhere on the system.”
As mentioned, this latest variant of the Apache backdoor works like the previous ones. The goal of the attackers is to direct visitors to the Blackhole Exploit Kit, and it has a creative method of doing so. Victims are selected at random, and each is redirected only once. The attackers have also taken steps to avoid infecting or redirecting administrative users, in order to avoid detection. At the time of their first report, ESET said that hundreds of servers were affected by this newest variant.
Sucuri’s full report is available online. Both security firms continue to investigate the attackers’ methods and tactics, but progress is slow because the hijacked binary leaves so little on disk to analyze.
In the meantime, ESET has released a Python tool to help administrators find signs of the compromise. Should it be needed, the tool’s output can be submitted to ESET for further analysis. The Python script is available here.
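The two facts the article gives a defender to work with are that the only on-disk artifact is the replaced httpd binary (which the package manager cannot verify on a cPanel host) and that the backdoor keeps its configuration in shared memory. The following script is an added example, not ESET's tool and not code from Sucuri or the article: it verifies the httpd binary against a SHA-256 baseline the administrator recorded from a known-good build, and it flags System V shared memory segments owned by the web server user that are large enough to hold a configuration. The cPanel binary path `/usr/local/apache/bin/httpd`, the web server user `nobody`, the 64 KiB size threshold and the `ipcs -m` sample output are assumptions made for the example.

```python
"""Defensive checks for a replaced Apache binary and hidden shared-memory state.

Added example, not ESET's or Sucuri's code. Assumes the cPanel layout where
httpd lives at /usr/local/apache/bin/httpd and workers run as 'nobody'.
"""
import hashlib
import subprocess
import sys
from dataclasses import dataclass

# Assumed cPanel defaults; adjust for the host being checked.
HTTPD_PATH = "/usr/local/apache/bin/httpd"
WEB_USER = "nobody"
# A segment holding attacker configuration is assumed to be at least this large;
# tune after baselining a clean host (legitimate Apache modules use shm too).
MIN_SUSPICIOUS_BYTES = 64 * 1024

# Constructed sample of `ipcs -m` output for offline use; not captured from a real host.
SAMPLE_IPCS_OUTPUT = """\
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      root       600        1048576    2          dest
0x00000000 65537      nobody     600        4096       1
0x0052e2c1 98306      nobody     666        524288     3
"""


@dataclass
class ShmSegment:
    key: str
    shmid: int
    owner: str
    perms: str
    nbytes: int
    nattch: int


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory buffer (used by the tests and by sha256_file)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hash a file in chunks so a large binary does not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def binary_matches_baseline(path: str, baseline_hex: str) -> bool:
    """True when the on-disk binary hashes to the administrator's recorded baseline."""
    return sha256_file(path) == baseline_hex.strip().lower()


def parse_ipcs_m(text: str) -> list:
    """Parse the table printed by `ipcs -m`; header and blank lines are skipped."""
    segments = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("0x"):
            continue
        key, shmid, owner, perms, nbytes, nattch = parts[:6]
        segments.append(ShmSegment(key, int(shmid), owner, perms, int(nbytes), int(nattch)))
    return segments


def suspicious_segments(segments: list, web_user: str = WEB_USER,
                        min_bytes: int = MIN_SUSPICIOUS_BYTES) -> list:
    """Segments owned by the web server user and large enough to hold a config."""
    return [s for s in segments if s.owner == web_user and s.nbytes >= min_bytes]


def main(argv: list) -> int:
    """Usage: check_httpd.py <baseline-sha256-hex>  (baseline recorded from a clean build)."""
    if len(argv) != 2:
        print(__doc__)
        return 2
    ok = True
    if not binary_matches_baseline(HTTPD_PATH, argv[1]):
        print(f"[!] {HTTPD_PATH} does not match the recorded baseline hash")
        ok = False
    ipcs = subprocess.run(["ipcs", "-m"], capture_output=True, text=True, check=True).stdout
    for seg in suspicious_segments(parse_ipcs_m(ipcs)):
        print(f"[!] shm segment {seg.shmid} owned by {seg.owner}: "
              f"{seg.nbytes} bytes, {seg.nattch} attached, perms {seg.perms}")
        ok = False
    print("no findings" if ok else "review the findings above")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The hash check only works if the baseline was taken before the compromise, ideally from the build artifacts rather than from the live host. The shared memory heuristic produces candidates, not verdicts: legitimate Apache modules allocate shared memory as well, so compare against a clean server of the same build and treat any segment that is present only on the suspect host as the one worth dumping and submitting for analysis.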
