[opensuse] Apache backdoor malware : what about OpenSUSE ?

Hi, you must have read that a complex security backdoor has been found in Apache: http://www.zdnet.com/sophisticated-backdoor-malware-opens-up-security-blackh...

What is the threat in openSUSE Apache rpms?

Dsant, from France

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org

On Thu, May 02, 2013 at 01:32:54PM +0200, Dsant wrote:
> Hi, you must have read that a complex security backdoor has been found in Apache: http://www.zdnet.com/sophisticated-backdoor-malware-opens-up-security-blackh...
> What is the threat in openSUSE Apache rpms?

The intrusion vector is likely not apache2, the bad guys just replace the apache2 httpd binary. So there is no threat coming from the apache2 rpms.

How they achieved root access is a different topic.

Ciao, Marcus
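The point above is that the package itself is clean and the compromise is a replaced binary on disk, which is exactly what rpm's verify mode is built to surface. The following is an added example, not code from the thread or from the openSUSE project: it parses `rpm -V` output and reports package files whose content no longer matches (digest or size mismatch, or missing), while ignoring mtime-only changes and configuration files. The sample output is constructed, and the path `/usr/sbin/httpd2-prefork` is assumed to be where openSUSE's apache2-prefork package installs the daemon.

```shell
#!/bin/sh
# Added example (not from the thread): flag apache2 package files whose
# on-disk content differs from what the package shipped.
#
# On a real host feed it the real output:
#     rpm -V apache2 apache2-prefork | flag_modified_binaries
#
# rpm -V line format: 9 flag columns, whitespace, optional attribute letter
# (c=config, d=doc, g=ghost, l=license, r=readme), then the path.
#   S size  M mode  5 digest  D device  L link  U user  G group  T mtime  P caps
# '.' means the attribute matched; "missing" replaces the flags for absent files.

# Constructed sample of `rpm -V` output (not captured from any real host).
SAMPLE_RPM_V='S.5....T.    /usr/sbin/httpd2-prefork
.......T.  c /etc/apache2/httpd.conf
S.5....T.  c /etc/apache2/default-server.conf
missing      /usr/lib64/apache2-prefork/mod_ssl.so
.M.......    /usr/share/apache2/error/HTTP_NOT_FOUND.html.var'

# Read rpm -V lines on stdin; print CHANGED for digest/size mismatches and
# MISSING for absent files. Config files ('c') are skipped because an
# administered system is expected to edit them; mtime-only or mode-only
# differences are not evidence of a swapped binary.
# Assumption: paths contain no spaces (true for the package files here).
flag_modified_binaries() {
    while read -r flags f2 f3; do
        [ -n "$flags" ] || continue
        case "$f2" in
            [cdglr]) attr=$f2; path=$f3 ;;   # attribute letter present
            *)       attr="";  path=$f2 ;;   # no attribute letter
        esac
        [ "$attr" = "c" ] && continue
        case "$flags" in
            missing) printf 'MISSING  %s\n' "$path" ;;
            *5*|S*)  printf 'CHANGED  %s (%s)\n' "$path" "$flags" ;;
        esac
    done
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_RPM_V" | flag_modified_binaries
```

One caveat a practitioner would add: `rpm -V` compares against the local rpm database, and an attacker with root can edit that database as easily as the binary. When a root compromise is suspected, verify against a pristine copy of the package instead (`rpm -Vp apache2-prefork-<version>.rpm` with the rpm taken from trusted media, or run the check from a rescue system), and use `rpm -qf /usr/sbin/httpd2-prefork` to confirm the file is still owned by the package at all.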

On 02/05/13 07:38, Marcus Meissner wrote:
> The intrusion vector is likely not apache2, the bad guys just replace the apache2 httpd binary.

Most likely not apache ;)

> How they achieved root access is a different topic.

Apparently through the proprietary cPanel admin tool, which indeed has root privileges to modify anything on the system.

On Thursday 02 May 2013 17:54:48 Cristian Rodríguez wrote:
> On 02/05/13 07:38, Marcus Meissner wrote:
>> The intrusion vector is likely not apache2, the bad guys just replace the apache2 httpd binary.
> Most likely not apache ;)
>> How they achieved root access is a different topic.
> Apparently through the proprietary cPanel admin tool, which indeed has root privileges to modify anything on the system.

You're right: http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-serve...

So openSUSE is safe :) (Unless you install this proprietary tool)

Dsant

Dsant wrote:
> On Thursday 02 May 2013 17:54:48 Cristian Rodríguez wrote:
>> On 02/05/13 07:38, Marcus Meissner wrote:
>>> The intrusion vector is likely not apache2, the bad guys just replace the apache2 httpd binary.
>> Most likely not apache ;)
>>> How they achieved root access is a different topic.
>> Apparently through the proprietary cPanel admin tool, which indeed has root privileges to modify anything on the system.
> You're right: http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-serve...
> So openSUSE is safe :) (Unless you install this proprietary tool)

I think you're reading too much into that one article. (Apart from that, one blog article is not necessarily 100% accurate.) They talk about a particular technique used with cPanel but they don't exclude other techniques in other circumstances. And at the end they say:

"We also don’t have enough information to pinpoint how those servers are initially being hacked, but we are thinking through SSHD-based brute force attacks."

Which certainly sounds different to a route exclusively through cPanel.

FWIW, I don't know anything about, use or have any other connection with cPanel.

On 03/05/13 05:41, Dave Howorth wrote:
> Dsant wrote:
>> On Thursday 02 May 2013 17:54:48 Cristian Rodríguez wrote:
>>> On 02/05/13 07:38, Marcus Meissner wrote:
>>>> The intrusion vector is likely not apache2, the bad guys just replace the apache2 httpd binary.
>>> Most likely not apache ;)
>>>> How they achieved root access is a different topic.
>>> Apparently through the proprietary cPanel admin tool, which indeed has root privileges to modify anything on the system.
>> You're right: http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-serve...
>> So openSUSE is safe :) (Unless you install this proprietary tool)
> I think you're reading too much into that one article. (Apart from that, one blog article is not necessarily 100% accurate.)

Correct, the press is written in a sensationalist tone in order to sell. (OMG, see the apachez cracked, end of the world!)

> They talk about a particular technique used with cPanel but they don't exclude other techniques in other circumstances.

But because apache drops root privileges _before_ listening to any request (immediately after opening the logs and binding to port 80/443), it is an unlikely vector unless there is a bug in the kernel that allows privilege escalation. You will first have to exploit a web application though.

> And at the end they say:
> "We also don’t have enough information to pinpoint how those servers are initially being hacked, but we are thinking through SSHD-based brute force attacks."

Yeah, bruteforce is another way to get in, that's why we have been telling people for ages now that they should use public key authentication only.
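Turning "public key authentication only" into something checkable, as an added example that is not part of the thread and not openSUSE's or OpenSSH's own tooling: the script below reads the global section of an `sshd_config`, resolves each keyword the way sshd does (first occurrence wins, keywords case-insensitive, built-in default if absent) and reports whether password-based logins are actually closed. Both configurations are constructed and written to temporary files; the defaults passed in (`PasswordAuthentication yes`, `ChallengeResponseAuthentication yes`, `PermitRootLogin yes`) are OpenSSH's as of the 6.x releases current when this thread was written.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for key-only logins.

# Effective value of a keyword in the global section of an sshd_config.
# sshd keeps the FIRST occurrence of a keyword and ignores later ones, and
# matches keywords case-insensitively. Settings inside "Match" blocks apply
# only to matched users/hosts and are out of scope here, so parsing stops
# at the first Match line.
#   $1 = config file, $2 = keyword, $3 = sshd's built-in default if absent
sshd_option() {
    file=$1; key=$2; default=$3
    value=$(awk -v key="$key" '
        tolower($1) == "match"        { exit }            # global section ends
        tolower($1) == tolower(key)   { print $2; exit }  # first hit wins
    ' "$file")
    printf '%s\n' "${value:-$default}"
}

# Returns 0 when the file enforces public-key-only logins, 1 otherwise,
# printing one line per finding.
audit_sshd_config() {
    file=$1; rc=0
    [ "$(sshd_option "$file" PasswordAuthentication yes)" = no ] \
        || { echo "FAIL $file: PasswordAuthentication should be no"; rc=1; }
    # With PAM, keyboard-interactive logins still accept passwords unless
    # this is off as well, so disabling PasswordAuthentication alone is not enough.
    [ "$(sshd_option "$file" ChallengeResponseAuthentication yes)" = no ] \
        || { echo "FAIL $file: ChallengeResponseAuthentication should be no"; rc=1; }
    [ "$(sshd_option "$file" PubkeyAuthentication yes)" = yes ] \
        || { echo "FAIL $file: PubkeyAuthentication should be yes"; rc=1; }
    [ "$(sshd_option "$file" PermitRootLogin yes)" != yes ] \
        || { echo "FAIL $file: PermitRootLogin should not be yes"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK   $file: public-key-only logins enforced"
    return "$rc"
}

# Constructed configurations (not taken from any real host).
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

# Weak: the commented-out line leaves sshd at its default (passwords on),
# and nothing closes keyboard-interactive or root logins.
cat >"$WEAK_CONF" <<'EOF'
Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
EOF

# Hardened: passwords off on both paths, keys on, no direct root login.
# The trailing duplicate is deliberate: sshd ignores it because the first
# PasswordAuthentication line has already been applied.
cat >"$HARD_CONF" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
PasswordAuthentication yes
EOF

# Stand-alone demonstration.
audit_sshd_config "$WEAK_CONF"
audit_sshd_config "$HARD_CONF"
```

Before disabling passwords on a remote host, confirm from a second session that a key login works; once `PasswordAuthentication no` and `ChallengeResponseAuthentication no` are in place, a brute-force run against sshd has nothing left to guess.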

On Fri 03 May 2013 12:50:09 CLT, Cristian Rodríguez wrote:
> On 03/05/13 05:41, Dave Howorth wrote:
>> Dsant wrote:
>>> On Thursday 02 May 2013 17:54:48 Cristian Rodríguez wrote:
>>>> On 02/05/13 07:38, Marcus Meissner wrote:
>>>>> The intrusion vector is likely not apache2, the bad guys just replace the apache2 httpd binary.
>>>> Most likely not apache ;)
>>>>> How they achieved root access is a different topic.
>>>> Apparently through the proprietary cPanel admin tool, which indeed has root privileges to modify anything on the system.
>>> You're right: http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-serve...
>>> So openSUSE is safe :) (Unless you install this proprietary tool)
>> I think you're reading too much into that one article. (Apart from that, one blog article is not necessarily 100% accurate.)
> Correct, the press is written in a sensationalist tone in order to sell. (OMG, see the apachez cracked, end of the world!)
>> They talk about a particular technique used with cPanel but they don't exclude other techniques in other circumstances.

For economic reasons, exploits will take the more cost-effective vector (that is, the one easier to exploit, more widely available and able to cause as much damage as possible).

On Friday, 2013-05-03 at 13:03 -0400, Cristian Rodríguez wrote:
> For economic reasons, exploits will take the more cost-effective vector (that is, the one easier to exploit, more widely available and able to cause as much damage as possible).

Damage... or profits.

--
Cheers,
Carlos E. R. (from 12.1 x86_64 "Asparagus" at Telcontar)

On 04/05/13 12:52, Carlos E. R. wrote:
> On Friday, 2013-05-03 at 13:03 -0400, Cristian Rodríguez wrote:
>> For economic reasons, exploits will take the more cost-effective vector (that is, the one easier to exploit, more widely available and able to cause as much damage as possible).
> Damage... or profits.

More in the vein of profits.

On Sat, May 4, 2013 at 1:31 PM, Cristian Rodríguez <crrodriguez@opensuse.org> wrote:
> On 04/05/13 12:52, Carlos E. R. wrote:
>> On Friday, 2013-05-03 at 13:03 -0400, Cristian Rodríguez wrote:
>>> For economic reasons, exploits will take the more cost-effective vector (that is, the one easier to exploit, more widely available and able to cause as much damage as possible).
>> Damage... or profits.
> More in the vein of profits.

Past years seemed to be primarily about profits, although DoS attacks did get a lot of press attention.

The last couple of years have been a lot more sabotage heavy:

- The attack on Iran's nuclear centrifuges (apparently by Israel / US secret services)
- The attacks on US banks (many different banks)
- The attack on Saudi Aramco (iirc, 30,000 computers wiped out in one massive attack. Thought to be sponsored by the Iranians.) http://killerapps.foreignpolicy.com/posts/2013/01/16/were_last_years_cyber_a...
- The Internet's largest DDoS attack against Spamhaus (this article is just a month old): http://www.cio-today.com/story.xhtml?story_title=Largest_DDoS_Attack_Ever_Is...
  "According to Spamhaus, the attacks at their peak were about 300 gigabits per second, compared with attacks against major banks that average in the 50 Gbps range."

Overall there is an unbelievable amount of both sabotage and IP theft going on in addition to the financial theft that many people think about.

Greg

On Saturday, 2013-05-04 at 14:08 -0400, Greg Freemyer wrote:
> "According to Spamhaus, the attacks at their peak were about 300 gigabits per second, compared with attacks against major banks that average in the 50 Gbps range."

Well, all those benefit someone and/or damage someone else. :-(

--
Cheers,
Carlos E. R. (from 12.1 x86_64 "Asparagus" at Telcontar)