From owner-freebsd-questions@FreeBSD.ORG Thu May 9 22:13:01 2013
From: pete wright <nomadlogic@gmail.com>
To: Joshua Isom
Cc: freebsd-questions@freebsd.org
Date: Thu, 9 May 2013 15:12:54 -0700
Subject: Re: Cdorked.A
In-Reply-To: <518C1A84.20507@gmail.com>
References: <518BDABF.7010401@intersonic.se> <518C1A84.20507@gmail.com>
List-Id: User questions

On Thu, May 9, 2013 at 2:52 PM, Joshua Isom wrote:
> On 5/9/2013 12:19 PM, Per olof Ljungmark wrote:
>>
>> Hi,
>>
>> Is Apache on FreeBSD affected?
>>
>> Thanks,
>
>
> Technically, Apache isn't the problem. The hole's in cPanel probably, not
> Apache. The attackers replace Apache, probably patching the source code and
> replacing the host's with a trojaned copy. If they're patching the source
> code, then yes, FreeBSD, Windows, OS X, Solaris, OpenBSD, et al are possibly
> infected.
>

I am not sure that is the case from the research I have been doing on this
topic. For example, there are reports of it being detected on lighttpd, nginx
and systems that do not use cPanel:

http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/

If anyone has a better rundown of this it would be great if you could point
me in the right direction. I am having problems finding a proper
examination/explanation of this backdoor.

cheers,
-pete

--
pete wright
www.nycbug.org
@nomadlogicLA
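The thread's one concrete technical point is that the backdoor works by replacing the web server binary on the host with a trojaned copy. The defender's counter-check is to compare the installed binary against a hash recorded from a trusted install. The script below is an added example, not code from this thread or from any of the projects mentioned; it assumes a simple manifest format of "<sha256>  <path>" lines, which is my own convention, and uses a constructed stand-in file rather than a real httpd. On FreeBSD with pkgng, `pkg check -s` performs the equivalent comparison against the package database's recorded checksums.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify that a web server
# binary still matches a known-good SHA-256 recorded from a trusted install.
# Manifest line format is assumed: "<sha256hex>  <path>".

# Portable SHA-256 hex digest: GNU coreutils sha256sum or BSD sha256(1).
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Record baseline hashes for the given files into a manifest file.
record_baseline() {
    manifest="$1"; shift
    : > "$manifest"
    for f in "$@"; do
        printf '%s  %s\n' "$(sha256_hex "$f")" "$f" >> "$manifest"
    done
}

# Compare each manifest entry against the file currently on disk.
# Prints MODIFIED/MISSING for mismatches; returns 0 only if all match.
verify_baseline() {
    manifest="$1"
    rc=0
    while read -r expected path; do
        [ -z "$path" ] && continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$(sha256_hex "$path")
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Constructed demo: a stand-in "httpd" file in a temp dir is baselined,
# then overwritten to simulate a replaced binary.
demo_dir=$(mktemp -d)
printf 'original httpd binary\n' > "$demo_dir/httpd"
record_baseline "$demo_dir/manifest" "$demo_dir/httpd"
verify_baseline "$demo_dir/manifest" && echo "baseline OK"
printf 'trojaned replacement\n' > "$demo_dir/httpd"
verify_baseline "$demo_dir/manifest" || echo "integrity check FAILED (expected in this demo)"
```

In practice the manifest must be generated from a clean install (or taken from the package manager's own metadata) and stored off the host, since an attacker who can replace httpd can also rewrite a manifest kept beside it.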