Malware can be unpredictable and nasty!
Feb 18, 2015 12:07:20 GMT -6
Post by Deleted on Feb 18, 2015 12:07:20 GMT -6
I came across this earlier while looking over general security stuff to keep up with what is new and important. The majority of the information would only be of interest to a server administrator, running an Apache web server. It talks about new ways that servers are attacked to redirect visitor traffic where it can benefit the writers in some way.
It is HOW this happens that I thought important enough to share and keep in mind.
I think it matters because I have seen people ridiculed for complaints and I've watched others deny a problem is really there...because it doesn't repeat on a perfectly predictable pattern, or even every time to see on command.
Not everything, or the worst things for that matter, always operate that way.
Source

For the last few months we have been tracking server level compromises that have been utilizing malicious Apache modules (Darkleech) to inject malware into websites. Some of our previous coverage is available here and here.

However, during the last few months we started to see a change in how the injections were being done. On cPanel-based servers, instead of adding modules or modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one. This new backdoor is very sophisticated and we worked with our friends from ESET to provide this report on what we are seeing.

That is the background...and this is the zinger.

The compromised binary doesn't change anything in the site in terms of utilization or how the site looks; however, on some random requests (once per day per IP address), instead of just displaying the content, it also adds a malicious redirect. That causes the browser to load content from what seem to be random domains:

Almost as if hiding were important (err...nvm..heh), it just pops its dirty deed once a day, per unique IP that comes. So, if a major site were infected? You could spend hours on it, and it'll still just expose you one time each day, seemingly at complete random for when and how...and impossible to repeat on command for an admin or others you'd report the problem to.

That would be enough to make someone crazy (or look like it), while finding the real issue is a real nightmare. (BTW..I ran the check suggested for my own server and it found nothing)
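The once-per-day-per-IP trigger in the quoted report is exactly why a single "let me load the page and see" attempt proves nothing. The script below is an added example, not code from the post or from Sucuri/ESET, of the kind of check that does work against that behaviour: keep a known-clean copy of the page, collect responses over several days and from several source IPs, and diff every sample against the baseline for redirect vectors (meta refresh, iframe, frame, script, embed, object) that point at a host the clean page never references. The page host, the HTML and the domain names are constructed placeholders, not the domains the report refers to.

```python
"""Flag an injected redirect by diffing collected responses against a clean baseline.

Assumptions (all constructed for this example): PAGE_HOST is the site being
checked, BASELINE is a response captured while the site was known clean, and
the *_INJECTED samples stand in for the one-in-many responses on which the
backdoored httpd added its redirect.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pulls the target out of a meta refresh such as content="0;url=http://host/".
META_REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)


class _RefCollector(HTMLParser):
    """Collects every third-party host a page would make the browser load from."""

    # tag -> attribute that carries the URL the browser will fetch
    TAGS = {"script": "src", "iframe": "src", "frame": "src",
            "embed": "src", "object": "data"}

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.hosts = set()

    def _add(self, url):
        host = urlparse(url).hostname  # None for relative URLs such as /js/a.js
        if host and host.lower() != self.page_host:
            self.hosts.add(host.lower())

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in self.TAGS and attrs.get(self.TAGS[tag]):
            self._add(attrs[self.TAGS[tag]])
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH_URL.search(attrs.get("content") or "")
            if m:
                self._add(m.group(1))


def external_hosts(html, page_host):
    """Set of off-site hosts referenced by the given HTML."""
    p = _RefCollector(page_host.lower())
    p.feed(html)
    return p.hosts


def injected_hosts(observed_html, baseline_html, page_host, allowed=()):
    """Hosts the observed response loads from that the clean baseline never did."""
    expected = external_hosts(baseline_html, page_host) | {h.lower() for h in allowed}
    return sorted(external_hosts(observed_html, page_host) - expected)


def scan_samples(samples, baseline_html, page_host):
    """samples: iterable of (label, html). Returns only the samples carrying an injection."""
    hits = []
    for label, html in samples:
        bad = injected_hosts(html, baseline_html, page_host)
        if bad:
            hits.append((label, bad))
    return hits


# ---- constructed sample data ------------------------------------------------
PAGE_HOST = "www.example-site.test"

BASELINE = """<html><head>
<script src="https://cdn.example-site.test/app.js"></script>
<script src="/static/local.js"></script>
</head><body><p>Welcome</p></body></html>"""

# The same page as served on the one request per IP per day that fired.
IFRAME_INJECTED = BASELINE.replace(
    "</body>",
    '<iframe src="http://random-domain-1.example/x.php" width="1" height="1"></iframe></body>')
META_INJECTED = BASELINE.replace(
    "</head>",
    '<meta http-equiv="refresh" content="0;url=http://random-domain-2.example/"></head>')

if __name__ == "__main__":
    # Labels describe the vantage point: most fetches look clean, one per IP per day does not.
    collected = [("ip-A day1", BASELINE), ("ip-A day1 retry", BASELINE),
                 ("ip-B day1", IFRAME_INJECTED), ("ip-A day2", META_INJECTED)]
    for label, hosts in scan_samples(collected, BASELINE, PAGE_HOST):
        print(f"{label}: unexpected redirect/load from {', '.join(hosts)}")
```

Run it over responses gathered by a scheduled fetch from more than one source address, so that the per-IP daily window is actually hit; a single workstation reloading the page for an hour is the case the report says will stay clean. This only sees what reached the client; since the backdoor in the report lives in the httpd binary itself, the server-side counterpart is comparing that binary's hash and build against a known-good copy rather than trusting the Apache configuration.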