Date: Fri, 10 May 2013 10:27:27 +0100 From: Vincent Hoffman <vince@unsane.co.uk> To: pete wright <nomadlogic@gmail.com> Cc: Joshua Isom <jrisom@gmail.com>, freebsd-questions@freebsd.org Subject: Re: Cdorked.A Message-ID: <518CBD7F.1050006@unsane.co.uk> In-Reply-To: <CAGBmCT5w9y5MzFYybyTGfLADQKabrM3wtsNrdmA4sAzGC8Ffyg@mail.gmail.com> References: <518BDABF.7010401@intersonic.se> <518C1A84.20507@gmail.com> <CAGBmCT5w9y5MzFYybyTGfLADQKabrM3wtsNrdmA4sAzGC8Ffyg@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 09/05/2013 23:12, pete wright wrote: > On Thu, May 9, 2013 at 2:52 PM, Joshua Isom <jrisom@gmail.com> wrote: >> On 5/9/2013 12:19 PM, Per olof Ljungmark wrote: >>> Hi, >>> >>> Is Apache on FreeBSD affected? >>> >>> Thanks, >> >> Technically, Apache isn't the problem. The hole's in cPanel probably, not >> Apache. The attackers replace Apache, probably patching the source code and >> replacing the host's with a trojaned copy. If they're patching the source >> code, then yes, FreeBSD, Windows, OS X, Solaris, OpenBSD, et al are possibly >> infected. >> > I am not sure that is the case from the research I have been doing on > this topic. For example there are reports of it being detected on > lighttpd, nginx and systems that do not use cpanel: > > > http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/ > > > If anyone has a better rundown of this it would be great if you could > point me in the right direction. I am having problems finding a > proper examination/explanation of this backdoor. As far as I can follow from the articles I have read the exploit involves replacing the apache/lighttpd/nginx binary, this should require root privileges which indicates you have much bigger problems anyway. As Joshua's reply stated they seem to be patching apache/lighttpd/nginx so in theory at least cdorked could probably be complied for FreeBSD, however as yet I haven't heard of any cases of this happening, my guess at this time would be that the malicious binaries have only been compiled for Linux since this has a much greater deployed base to attack. Vince > > cheers, > -pete > > > -- > pete wright > www.nycbug.org > @nomadlogicLA > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?518CBD7F.1050006>