Ongoing malware attack targeting Apache hijacks 20,000 sites

smile93 Member
edited April 2013 in General

Anybody encountered or aware of this attack? There is no report at CVE or ...

"Tens of thousands of websites, some operated by The Los Angeles Times, Seagate, and other reputable companies, have recently come under the spell of "Darkleech," a mysterious exploitation toolkit that exposes visitors to potent malware attacks."

".... found all were running Apache version 2.2.22 or higher, mostly on a variety of Linux distributions. ..."

Details here:
http://arstechnica.com/security/2013/04/exclusive-ongoing-malware-attack-targeting-apache-hijacks-20000-sites/


Comments

  • Jacob Member

    Nun ginx faw w!n, it's so fresh it's doper than fresh.

  • Maounique Host Rep, Veteran

    How I love this attitude...
    Macs are not hackable, nginx is perfect...
    Well, nobody would bother to hack 15% of the market unless they have no choice and the 85% is bullet proof.
    It is 4 times more profitable to hack apache and it has more features, hence, bigger surface for attacks.

  • @Maounique said: Macs are not hackable,

    Macs are hackable

  • netomx Moderator, Veteran

    Nice article... I'm afraid now :(

  • @curtisg said:

    Macs are hackable

    Some people need to buy a new sarcasm detector.

  • Well, Apache this week, last week it was Bind9 DNS default based DDoS. See a pattern?

    Yeah, both are popular, but more concerning, both tend to be rolled out for everything, including default empty VPS nodes from many providers.

  • @pubcrawler said: Yeah, both are popular, but more concerning, both tend to be rolled out for everything, including default empty VPS nodes from many providers.

    You know what this means?

    Time to destroy all computers. Beat them with sporks!

  • rm -rf ALL teh OpenVZ templates!

  • natestamm Member
    edited April 2013

    @Maounique said: Macs are not hackable

    In the past this statement held more weight, now nope. @DestroyeRCo Lol. Nuts I need one too! /Googles Sarcasm detector.

  • joepie91 Member, Patron Provider

    @natestamm said: In the past this statement held more weight, now nope.

    No, not really. It has always been complete bullshit, it just took a while for malware writers to prove it.

  • jar Patron Provider, Top Host, Veteran
    edited April 2013

    I've noticed an increase in apache landing pages on IPs that get in my filter. Hadn't thought much of it as a single detail, but perhaps this is the relevance.

    Lol @ the Mac bait, good job ;)

  • @Maounique said: Well, nobody would bother to hack 15% of the market unless they have no choice and the 85% is bullet proof.

    Sorry, I should have provided a more detailed response. But what you said is exactly one of the reasons why I prefer Nginx. Smaller market share, fewer people interested in attacking it. A stock install of Nginx vs a stock install of Apache, I prefer Nginx.

    Of course Apache is great as well, but different strokes for different folks. =]

  • jar Patron Provider, Top Host, Veteran
    edited April 2013

    @MannDude Exactly. I like how people imply "You're stupid, your chances are only better with X because of Y." That's brilliant. So my chances are only better with the lower market share option because it holds a lower market share and that's why it's not better. So lower chance is not better than higher chance. Perfect logic.

    If nginx lowers your statistical chance of being targeted and does the job equally well, it's better by default. Pointing out that it could change tomorrow doesn't change today. Don't get me wrong, I use apache too. Everything has its place.

  • Maounique Host Rep, Veteran

    TBH, I started last week cleaning the ovz templates.
    Removed SMB from most, bind9, smtp.
    I will do a new round soon removing bind from all, as well as apache.
    Will also redo hostinabox with updates and non-recursive resolver.
    Uncle promised will finish promos after the probable Q1 listing.

  • JTR Member

    @joepie91 said: No, not really. It has always been complete bullshit, it just took a while for malware writers to prove it.

    Look at the amount of exploits for Windows, then look at the amount for OSX. Then go look at that trend over time. OSX's malware has grown far slower than its market share. Despite everyone predicting that "the Mac malware apocalypse is right around the corner" for over a decade, the apocalypse never appeared. It's obviously not immune to malware, but the amount of malware for OSX is extremely low.

  • HalfEatenPie Veteran
    edited April 2013

    @JTR said: Look at the amount of exploits for Windows, then look at the amount for OSX. Then go look at that trend over time. OSX's malware has grown far slower than its market share. Despite everyone predicting that "the Mac malware apocalypse is right around the corner" for over a decade, the apocalypse never appeared. It's obviously not immune to malware, but the amount of malware for OSX is extremely low.

    What are these Statistics you're citing?

  • Maounique Host Rep, Veteran

    @jarland said: If nginx lowers your statistical chance of being targeted and does the job equally well, it's better by default.

    Yes, but who keeps tabs on nginx vulnerabilities? Apache has been around for longer and it is probably cleaner than nginx, regarding vulnerabilities.
    Once an exploit is out, it will be noticed fast and everyone will know, since big corporations use it.
    It can be looked at from various angles; there is no clear-cut answer. When you depend on luck, 1% chance of getting hacked with nginx vs 2% with apache, I would go with apache because the exploit will be noticed and patched faster. In my book, 1% will happen, Murphy loves me.

  • ATHK Member

    @Maounique said: I will do a new round soon removing bind from all, as well as apache.

    Will also redo hostinabox

    I never understood why providers have things like Apache installed already from the template... I am purchasing a VPS, so therefore as a client I should have some sort of knowledge on how to install and configure Apache at least...

  • jar Patron Provider, Top Host, Veteran

    @Maounique Doesn't matter what web server you use, your security should never be solely dependent on it. Just simple if you're rolling out numbers on the table and you've got two tools that do the same thing and one has a higher statistical chance of failing for any reason whatsoever, you've got an answer to a clear question. Tomorrow holds what tomorrow holds, always be on your toes.

  • joepie91 Member, Patron Provider

    @JTR said: Look at the amount of exploits for Windows, then look at the amount for OSX. Then go look at that trend over time. OSX's malware has grown far slower than its market share. Despite everyone predicting that "the Mac malware apocalypse is right around the corner" for over a decade, the apocalypse never appeared. It's obviously not immune to malware, but the amount of malware for OSX is extremely low.

    I'm pretty sure the argument was that "a Mac is unhackable", which stops being the case as soon as even one exploit is found.

    Which is more secure, is an entirely different discussion.

  • @ATHK said: I never understood why providers have things like Apache installed already from the template... I am purchasing a VPS, so therefore as a client I should have some sort of knowledge on how to install and configure Apache at least...

    It's what's standard in the template obtained from OpenVZ.com. Now I'd personally say that providers should have a minimal template available to their clients for this exact reason.

  • Maounique Host Rep, Veteran

    @ATHK said: I am purchasing a VPS, so therefore as a client I should have some sort of knowledge on how to install and configure Apache at least...

    Well, we didn't do them. They were like this from the beginning and I think customers expect them to be that way.
    However, what is enough is enough. Bind and now apache; at least I can be sure they get the current version, don't use the one in the template, so I have to update it every week or so.

  • Janevski Member
    edited April 2013

    @Maounique said: @MannDude said: <3 Nginx

    How I love this attitude...

    Macs are not hackable, nginx is perfect...
    Well, nobody would bother to hack 15% of the market unless they have no choice and the 85% is bullet proof.
    It is 4 times more profitable to hack apache and it has more features, hence, bigger surface for attacks.

    @MannDude said: @Maounique said: Well, nobody would bother to hack 15% of the market unless they have no choice and the 85% is bullet proof.

    Sorry, I should have provided a more detailed response. But what you said is exactly one of the reasons why I prefer Nginx. Smaller market share, fewer people interested in attacking it. A stock install of Nginx vs a stock install of Apache, I prefer Nginx.

    Of course Apache is great as well, but different strokes for different folks. =]

    In my view, both your opinions are valid.

    @pubcrawler said: Well, Apache this week, last week it was Bind9 DNS default based DDoS. See a pattern?

    Yeah, both are popular, but more concerning, both tend to be rolled out for everything, including default empty VPS nodes from many providers.

    This too.

  • ATHK Member

    @Maounique I wasn't directing that at you solely.

    If it's too much admin to remove them each time an update is released, then that's fair enough. I've never looked into the templates before, so I don't know.

  • Maounique Host Rep, Veteran

    No, it is not a lot of work, besides, after the template was done once, you only need to update it from time to time.
    I can do all in a few hours, it is not the most pleasant work, tho :)

  • Seems to be associated with an already developed apache module, they exploit wordpress or other CMS vuln, and use the LoadModule function to deploy it. So disabling that function will block the attackers from installing it.

  • I'm guessing it's hosts that either have the ability for the customer to have a personal httpd.conf file in addition to the main one.

  • @pubcrawler said: both tend to be rolled out for everything, including default empty VPS nodes from many providers.

    This, and how I HATE IT so much.
    I need to clean that crap again and again u_u

  • ztec Member

    @JTR said: Look at the amount of exploits for Windows, then look at the amount for OSX. Then go look at that trend over time. OSX's malware has grown far slower than its market share. Despite everyone predicting that "the Mac malware apocalypse is right around the corner" for over a decade, the apocalypse never appeared. It's obviously not immune to malware, but the amount of malware for OSX is extremely low.

    I think the malware to software available ratio is probably lower with Windows.
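One of the posts above notes that the Darkleech module is dropped onto compromised hosts through Apache's LoadModule directive. A practical defensive check that follows from that is to audit every LoadModule in the Apache configuration against an allowlist of expected modules and trusted module directories. The script below is an added example, not code from the thread or from the Apache project; the sample configuration text, the allowlist and the `rogue_module` entry are constructed for the demonstration.

```python
"""Audit Apache LoadModule directives against an allowlist (added example).

Flags any module that is not on the expected list, or whose shared object is
loaded from a directory outside the normal module locations. Both conditions
are what an attacker-dropped module installed via LoadModule would trip.
"""
import re
from pathlib import PurePosixPath

# Constructed httpd.conf fragment: two normal modules, one commented-out
# module, an Include line, and one unexpected module loaded from /tmp.
SAMPLE_CONF = """\
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
# LoadModule status_module modules/mod_status.so
Include conf.d/*.conf
LoadModule rogue_module /tmp/.cache/mod_rogue.so
"""

# Constructed allowlist: what this particular server is expected to load.
EXPECTED_MODULES = {"rewrite_module", "ssl_module", "status_module"}
# Directories where package-managed modules normally live (relative "modules"
# resolves against ServerRoot on a stock build).
TRUSTED_DIRS = ("/usr/lib/apache2/modules", "/usr/lib64/httpd/modules", "modules")

# Matches "LoadModule <name> <path>" at line start; lines starting with '#'
# (commented out) do not match because '#' is not whitespace.
LOADMODULE_RE = re.compile(r'^\s*LoadModule\s+(\S+)\s+"?([^"\s]+)"?', re.M)


def parse_loadmodules(conf_text):
    """Return a list of (module_name, module_path) tuples from the config."""
    return LOADMODULE_RE.findall(conf_text)


def audit(conf_text, expected=EXPECTED_MODULES, trusted_dirs=TRUSTED_DIRS):
    """Return (name, path, reasons) for each LoadModule that looks suspicious."""
    findings = []
    for name, path in parse_loadmodules(conf_text):
        reasons = []
        if name not in expected:
            reasons.append("module not in allowlist")
        parent = str(PurePosixPath(path).parent)
        if parent not in trusted_dirs:
            reasons.append(f"loaded from untrusted directory {parent}")
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in audit(SAMPLE_CONF):
        print(f"SUSPICIOUS {name} ({path}): {'; '.join(reasons)}")
```

On a real host the same audit should also walk every file pulled in by Include directives and compare the flagged .so files against the package manager's file database, since a module dropped outside packaging is the more telling sign.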
