Linux/Cdorked: A Nasty New Apache Hack

A couple of days ago I received this email from Miriam at SolasDesign and my first thought was: what rich Google irony:


Hey Mike,

I was doing a search in Google today for ‘google+ local error 500’ and one of the results Google returned was this page of your site: Google + Page ‘500 error bug’ work around.

Bizarrely, when I clicked on the link, I was redirected to a page of pornography at http://youdon’treallywanttoseeit.com. I immediately hit the back button.

Even stranger, when I re-clicked the link in the SERPs, I was taken to your page correctly. I am not terribly educated on the awful topic of hacking, and I’ve never encountered any information about something that could intermittently do malicious re-directs, but I wanted to let you know about this ASAP. I haven’t ever seen something like this happen before, but hopefully, your team can figure out if your site has been compromised in some way. So sorry about this. It’s awful.

Miriam

My immediate second thought was that my down-home farmland WP theme that Mike Ramsey loves so much had been hacked. When Linda Buquet and Brandon Monchamp contacted me with similar stories I was convinced of it. However, none of the external malware test tools from Google or Sucuri could find anything.

I contacted Sucuri (who does a great job of site security by the way) and learned that the reality was worse. The cPanel server hosting my site had fallen victim to a new Apache kernel hack: Linux/Cdorked:

In fact, Linux/Cdorked.A is one of the most sophisticated Apache backdoors we have seen so far. Although we are still processing the data, our Livegrid system reports hundreds of compromised servers. The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis. All of the information related to the backdoor is stored in shared memory. The configuration is pushed by the attacker through obfuscated HTTP requests that aren’t logged in normal Apache logs. This means that no command and control information is stored anywhere on the system.

The only tell-tale signs were the external reports of redirects to porn sites from Google searches. The symptoms that Miriam described are in fact diagnostic, which is my reason for sharing them here. Forewarned is forearmed. Apparently this hack “exploits the fact that cPanel doesn’t use a packaging system to install Apache”.

Hopefully you will not suffer the same fate, and if you do, you will know what it was quicker than I did. The servers were taken down last night for the patch and cleansed. Thanks to all who alerted me to the issue.
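The symptom the post describes is a redirect to an off-site host that fires only on the first click from a search result or feed reader, while a repeat click or a direct visit loads the page normally, which is exactly why the external scanners (which fetch the site directly) saw nothing. The script below is an added example, not code from the original post, from ESET or from Sucuri: it models a small defender-side probe sequence (fresh visit with a search-engine Referer, repeat visit with the same Referer, direct visit with no Referer) and flags the "first visit only" redirect pattern. The hostnames, the probe records and the `mysite.example` / `porn.example` names are all constructed for illustration; `live_probe` is an assumed helper that issues a real request without following redirects, and is not exercised by the constructed sample.

```python
"""Added example (not from the original post, ESET or Sucuri): a probe
classifier for the conditional, first-visit-only redirect described above.
All hostnames and probe records are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlsplit
import urllib.error
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Probe:
    """One request/response pair as observed by the prober."""
    referer: Optional[str]   # Referer header sent; None for a direct visit
    fresh: bool              # True for the first request from this client
    status: int              # HTTP status returned (redirects NOT followed)
    location: Optional[str]  # Location header of the response, if any


def offsite_target(probe: Probe, own_hosts: Set[str]) -> Optional[str]:
    """Return the redirect target host if it is not one of our own hosts."""
    if probe.status not in REDIRECT_CODES or not probe.location:
        return None
    host = (urlsplit(probe.location).hostname or "").lower()
    if host == "" or host in own_hosts:  # relative or same-site redirect is benign
        return None
    return host


def analyze(probes: Iterable[Probe], own_hosts: Iterable[str]) -> Dict[str, object]:
    """Classify a probe sequence.

    Suspicious pattern: a fresh probe carrying a Referer redirects off-site,
    while a repeat probe with the same Referer does not (the "only on the
    first click, cannot reproduce" behaviour reported in the post).
    """
    own = {h.lower() for h in own_hosts}
    offsite_fresh: Dict[str, str] = {}   # referer -> off-site host
    clean_repeat: Set[str] = set()       # referers whose repeat visit was clean
    targets: Set[str] = set()
    for p in probes:
        target = offsite_target(p, own)
        if target:
            targets.add(target)
            if p.fresh and p.referer:
                offsite_fresh[p.referer] = target
        elif p.referer and not p.fresh:
            clean_repeat.add(p.referer)
    conditional: List[str] = sorted(r for r in offsite_fresh if r in clean_repeat)
    return {
        "offsite_targets": targets,          # every off-site host seen
        "conditional_referers": conditional,  # referers showing first-visit-only redirect
        "suspect": bool(conditional),
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the Location header stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_probe(url: str, referer: Optional[str], fresh: bool = True) -> Probe:
    """Assumed helper: fetch url once without following redirects (uses the network)."""
    headers = {"User-Agent": "Mozilla/5.0 (redirect-probe)"}
    if referer:
        headers["Referer"] = referer
    opener = urllib.request.build_opener(_NoRedirect)  # no cookie jar is installed
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=15) as resp:
            return Probe(referer, fresh, resp.getcode(), resp.headers.get("Location"))
    except urllib.error.HTTPError as err:  # a 3xx surfaces here because we refused it
        return Probe(referer, fresh, err.code, err.headers.get("Location"))


def main() -> None:
    # Constructed probe records reproducing the report in the post.
    google = "https://www.google.com/search?q=google%2B+local+error+500"
    probes = [
        Probe(google, True, 302, "http://porn.example/landing"),  # first click: redirected
        Probe(google, False, 200, None),                          # second click: fine
        Probe(None, True, 200, None),                             # direct visit: fine
    ]
    print(analyze(probes, {"mysite.example"}))


if __name__ == "__main__":
    main()
```

Run against a real site, the sequence would be three `live_probe` calls from the same client (first with the search-engine Referer, then the same again, then with no Referer), fed to `analyze` with your own hostnames. A scanner that only fetches the site directly corresponds to the third probe alone, which is why it reports nothing.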

Please consider leaving a comment as your input will help me (& everyone else) better understand and learn about local.

13 thoughts on “Linux/Cdorked: A Nasty New Apache Hack”

  1. Mike – I had the same issue yesterday when clicking through to your site from Google Reader. I had opened a bunch of tabs on different sites through Reader and didn’t notice it until I went to read through them. At the time, I wasn’t positive that it was your site that did it, but now I’m sure that it was.

  2. The redirect I told you about was from Reader, as Eric experienced. Turns out it was the same porn site Miriam got from Google search. Then when I thought maybe it was something on my end and clicked the link again it was fine – just like with Miriam.

    I had a similar exploit at my other site about a year ago. They use cookies or something so the exploit will only launch on the 1st click. For me the redirect was limited to 1 click in 24 hours. So if you got the redirect and then tried to reproduce the problem to take a screen shot for your host, or make note of the URL or whatever, it would not redirect again. So that makes it harder to track down and makes you think, maybe it was just a fluke that one time, or maybe a bug in Google or whatever, because you can’t make it happen again. Dang hackers!

  3. Same thing that happened to Eric – happened to me yesterday when clicking from a My Yahoo feed to Mike’s site…then when I clicked the link again it came up fine…which led me to believe it wasn’t Mike’s site and another of the 18 tabs I had open.

    Thank you for the heads up Mike, much obliged.

    Insidious little buggers

  4. Mike
    I wanted to let you know this happened to me today. It didn’t appear to be a porn site and I’m pretty sure it was a link I clicked on Linda’s site this morning. I thought it was odd but I just typed in your URL and came over.

    Thought you’d like to know.

  5. Chris do you remember what link on my site?

    I want to check it, because the injection Mike had I thought was cleaned up and I assume is only triggered via Google search or Reader. Want to be sure I don’t have something happening on my end.

  6. @Linda

    Yes, it was this one

    Places Link Removed From Google More Menu | Understanding Google Places & Local Search

    in your post at 2:32 PM on 4/30/2013

    I just tried it again and it was fine

  7. Hi Mike

    Problem is still there. May 6th, 21.15 GMT.
    Clicked on the index page from Google SERPs.
    Porn site came up once but couldn’t replicate it again.

    Good luck

    Colin

  8. Mike,

    Happy to assist. My IT guy mentioned to me that this exploit has now spread to LiteSpeed and nginx. Seems to be a pretty sophisticated exploit which isn’t getting much attention.

    I saw another exploit which only redirects mobile traffic, making detection even more difficult.
