<div dir="ltr"><div>from the malware must die <br><br><pre>The malware was found in web server systems with below characteristic:
<div><div id="highlighter_758749" class=""><div class=""><span><a href="http://malwaremustdie.blogspot.com/2013/03/the-evil-came-back-darkleechs-apache.html#" class="">?</a></span></div><table border="0" cellpadding="0" cellspacing="0">
<tbody><tr><td class=""><div class="">1</div><div class="">2</div><div class="">3</div></td><td class=""><div class=""><div class=""><code class="">Linux RedHat-base distribution without SE Linux properly set</code></div>
<div class=""><code class="">Apache httpd web server 2.x (rpm-base, as per it is)</code></div><div class=""><code class="">Cgi-base web admin panel and/or Wordpress system's served<br></code></div></div></td></tr></tbody></table>
</div></div></pre>I'm assuming then that ALL 3 must be present for this process to occur.<br><br>from much further down:<br>"It looks like the attackers were beforehand well-prepared with some
penetration method to gain web exploitation which were used to gain
shell access and did the privilege escalation unto root. (I am not
allowed to expose this detail further at this moment)."</div><div><br>So run your web server with selinux in enforcing mode. It stops crap like this. Apparmor works similarly but not as fine-grained.<br></div></div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 2, 2013 at 4:23 PM, David Tomaschik <span dir="ltr"><<a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Based on the analysis from the Malware Must Die Blog and some other things I've heard about this, it looks like the original source of compromise is most likely Plesk or CPanel. Doesn't look like there's any Apache vulnerability being exploited, so Apparmor around Apache wouldn't mitigate *this* attack.</div>
<div class="gmail_extra"><div><div class="h5"><br><br><div class="gmail_quote">On Tue, Apr 2, 2013 at 1:10 PM, Beddingfield, Allen <span dir="ltr"><<a href="mailto:allen@ua.edu" target="_blank">allen@ua.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I was just wondering if any of you had encountered this one/were aware of it. I don't see any references to CVE's or hard details, aside from the analysis in the third link. Maybe it is time to move putting Apparmor around Apache on our web servers higher to the top of the to-do list.<br>
<br>
<br>
<a href="http://arstechnica.com/security/2013/04/exclusive-ongoing-malware-attack-targeting-apache-hijacks-20000-sites/" target="_blank">http://arstechnica.com/security/2013/04/exclusive-ongoing-malware-attack-targeting-apache-hijacks-20000-sites/</a><br>
<br>
<a href="https://news.ycombinator.com/item?id=5479812" target="_blank">https://news.ycombinator.com/item?id=5479812</a><br>
<br>
<a href="http://malwaremustdie.blogspot.com/2013/03/the-evil-came-back-darkleechs-apache.html" target="_blank">http://malwaremustdie.blogspot.com/2013/03/the-evil-came-back-darkleechs-apache.html</a><br>
<br>
Allen B.<br>
--<br>
Allen Beddingfield<br>
Systems Engineer<br>
The University of Alabama<br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br>David Tomaschik<br>OpenPGP: 0x5DEA789B<br><a href="http://systemoverlord.com" target="_blank">http://systemoverlord.com</a><br>
<a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>
</font></span></div>
<br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>-- <br>James P. Kinney III<br><i><i><i><i><br></i></i></i></i>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><i><i><i><br><a href="http://electjimkinney.org" target="_blank">http://electjimkinney.org</a><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br>
</i></i></i></i>
</div>