Nasty New Apache Attack
A sophisticated Apache attack has appeared in the wild, according to reports, and has already infected hundreds of machines. The attack, known as Linux/Cdorked.A, redirects users to malicious sites, including sites that expose the user to the infamous Black Hole exploit pack. The attack does not leave any traces on disk but instead saves its state and configuration in shared memory, making it very difficult to identify. The target for the attack appears to be Apache servers with the cPanel hosting control tool installed.
Analysis by security experts at Sucuri and ESET reveals that the attack disguises suspicious strings in the backdoor with an XOR operation. The backdoor is opened through a special HTTP GET request that has been modified so that it normally does not appear in the Apache logs.
As of now, the recommended method for uncovering evidence of the attack is a search of shared memory. ESET's We Live Security blog describes the attack and provides a tool called dump_cdorked_config that checks the shared memory segment in which the backdoor stores its data.
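As a first triage step before running ESET's tool, a defender can list the System V shared memory segments created by the web-server user and inspect them. The script below is an added example, not ESET's dump_cdorked_config and not code from the article; it parses the /proc/sysvipc/shm layout, the sample rows are constructed, and the web-server uid 33 (www-data on Debian-style systems) is an assumption to adjust for the host.

```python
"""Shortlist SysV shared memory segments owned by the web-server uid for inspection."""

# Constructed sample in the layout of /proc/sysvipc/shm; NOT output from an infected host.
SAMPLE_SHM = """\
       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime                   rss                  swap
         0      32768   600     524288  1203  1207      2     0     0     0     0 1366981201 1366981202 1366981200             524288                     0
         0      65537   600    6118512  2210  2215      1    33    33    33    33 1366981300          0 1366981299            6118512                     0
         0      98306   666       4096  2230  2230      1    33    33    33    33 1366981400 1366981401 1366981399               4096                     0
"""

# Column order of /proc/sysvipc/shm on Linux.
FIELDS = ["key", "shmid", "perms", "size", "cpid", "lpid", "nattch", "uid", "gid",
          "cuid", "cgid", "atime", "dtime", "ctime", "rss", "swap"]


def parse_sysvipc_shm(text):
    """Return one dict per segment; the header line and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or not parts[1].isdigit():
            continue
        row = dict(zip(FIELDS, parts))
        # perms is an octal mode string; every other column is numeric.
        rows.append({k: (v if k == "perms" else int(v)) for k, v in row.items()})
    return rows


def candidate_segments(rows, web_uid, min_size=0):
    """Shmids created by web_uid and at least min_size bytes, ordered largest first.

    Apache itself may legitimately own segments (e.g. mod_ssl session cache), so this
    is a shortlist for manual inspection, not a verdict.  min_size is an assumed
    filter; the article gives no size for the backdoor's segment.
    """
    hits = [r for r in rows if r["cuid"] == web_uid and r["size"] >= min_size]
    return [r["shmid"] for r in sorted(hits, key=lambda r: r["size"], reverse=True)]


if __name__ == "__main__":
    # Live run: replace SAMPLE_SHM with open("/proc/sysvipc/shm").read()
    for shmid in candidate_segments(parse_sysvipc_shm(SAMPLE_SHM), web_uid=33):
        print("inspect shmid", shmid)
```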