<div dir="ltr">Based on the analysis from the Malware Must Die Blog and some other things I've heard about this, it looks like the original source of compromise is most likely Plesk or CPanel. Doesn't look like there's any Apache vulnerability being exploited, so Apparmor around Apache wouldn't mitigate *this* attack.</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 2, 2013 at 1:10 PM, Beddingfield, Allen <span dir="ltr"><<a href="mailto:allen@ua.edu" target="_blank">allen@ua.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I was just wondering if any of you had encountered this one/were aware of it. I don't see any references to CVE's or hard details, aside from the analysis in the third link. Maybe it is time to move putting Apparmor around Apache on our web servers higher to the top of the to-do list.<br>
<br>
<br>
<a href="http://arstechnica.com/security/2013/04/exclusive-ongoing-malware-attack-targeting-apache-hijacks-20000-sites/" target="_blank">http://arstechnica.com/security/2013/04/exclusive-ongoing-malware-attack-targeting-apache-hijacks-20000-sites/</a><br>
<br>
<a href="https://news.ycombinator.com/item?id=5479812" target="_blank">https://news.ycombinator.com/item?id=5479812</a><br>
<br>
<a href="http://malwaremustdie.blogspot.com/2013/03/the-evil-came-back-darkleechs-apache.html" target="_blank">http://malwaremustdie.blogspot.com/2013/03/the-evil-came-back-darkleechs-apache.html</a><br>
<br>
Allen B.<br>
--<br>
Allen Beddingfield<br>
Systems Engineer<br>
The University of Alabama<br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>David Tomaschik<br>OpenPGP: 0x5DEA789B<br><a href="http://systemoverlord.com" target="_blank">http://systemoverlord.com</a><br><a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>
</div>