Darkleech on Apache Web Servers

Compromised Apache servers

In the recent past, the website of the LA Times was compromised. At about the same time, the blog site of Seagate, a well-known hard disk manufacturer, was also compromised. Closer scrutiny revealed that both sites were hosted on the Apache web server, and in both cases a malicious module was found to be the trigger. The module inserted malicious iFrames and rotated them, affecting every page served by the compromised servers.


This iFrame is notorious for redirecting visitors to websites that host exploit kits, in particular the "Blackhole" kit, which then infects the visitor's computer with malware.

The existence of this malicious software has been known for quite some time; the information security community has even branded it "Darkleech." The first such incident was observed in August of last year, a discovery made by the authors of the Unmask Parasites blog. Since then, the module has been sold on underground online markets.

This malware is unlike most others in that it is difficult to trace, which makes it hard for security researchers to locate its source or predict its next probable victim. The malicious iFrames are created on the fly, so it is a visitor's request that triggers the injection. Strangely, only a subset of visitors will set off the injection, not everyone who lands on the site.

According to Dan Goodin of Ars Technica, no injections are served to IP addresses belonging to hosting firms or security firms, and no infection occurs on sites that were recently attacked. He also noted that the malware did not alter certain pages, for instance those reached via a search query, which probably explains why it is difficult to find the affected sites through standard Google searches.
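Because the injection is conditional, a single fetch of a page can look clean. The following added example (not from the article or the researchers it cites) compares two captures of the same page taken under different visitor conditions and flags iframes that appear in only one capture or that are hidden by size or CSS; the HTML snapshots and the injected.invalid domain are constructed placeholders.

```python
"""Added example: flag iframes that a Darkleech-style module injects only for
some visitors, by diffing two captures of the same page. Not from the article."""
from html.parser import HTMLParser
import re

class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.frames = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})

def extract_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.frames

# CSS idioms commonly used to keep an injected frame out of sight.
HIDDEN_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none|(?:left|top)\s*:\s*-\d+", re.I)

def is_hidden(frame):
    """True for a 0x0/1x1 iframe or one styled invisible or off-screen."""
    try:
        width = int(frame.get("width") or 100)
        height = int(frame.get("height") or 100)
    except ValueError:  # e.g. "100%": fall back to the style check only
        width = height = 100
    return width <= 1 or height <= 1 or bool(HIDDEN_CSS.search(frame.get("style", "")))

def suspicious_iframes(baseline_html, variant_html):
    """Return src values of iframes that are hidden or absent from the baseline capture."""
    baseline_srcs = {f.get("src", "") for f in extract_iframes(baseline_html)}
    return [f.get("src", "") for f in extract_iframes(variant_html)
            if f.get("src", "") not in baseline_srcs or is_hidden(f)]

# Constructed sample: the page as served to a repeat visitor (no injection).
CLEAN_PAGE = """<html><body><h1>Company Blog</h1>
<iframe src="https://www.example.com/embed" width="560" height="315"></iframe>
</body></html>"""

# Constructed sample: the same page as served to a first-time visitor. A 1x1
# hidden iframe pointing at a placeholder domain has been appended before </body>.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://injected.invalid/path" width="1" height="1" '
    'style="visibility:hidden"></iframe></body>')
```

Since the module skips addresses owned by hosting and security firms, captures should be taken from a vantage point that looks like an ordinary first-time visitor rather than from the hosting company's own address range.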

Another issue that worries security researchers is the difficulty of finding the initial point of entry. The mechanism the attackers use to gain access to a server and control it remains a mystery, as does how the malicious module manages to get onto the servers without detection. Several explanations have been put forward: some believe known or unknown software vulnerabilities are exploited, others suspect password cracking, and some think social engineering attacks are involved.

Mary Landesman, a senior security researcher at Cisco Systems, analyzed a number of compromised websites. In her study of the 1239 websites attacked within a six-week period at the beginning of the year, she noted that all of them were hosted on servers running Apache version 2.2.22 or higher, across a variety of Linux distributions.

She also discovered a total of 2000 infected web hosting servers. Since one hosting server caters for about 10 websites, this means that approximately 20,000 sites and their web pages had been compromised.

The offending module is difficult to remove. The most feasible solution is to take the site completely offline, clean the server, and then restore it from a backup. Even then, a backdoor may have been left behind, which is a risk for website hosting in Australia, such as Ezi Hosting, and in any other region.


Anne Lee is a freelance technology journalist, a wife and a mother of two.