Mass attack on Apache servers running Linux can be stopped by disabling server's dynamic loading: SecureWorks

By Jim Carr
Jan 25, 2008 9:47 AM
Tags: linux, linux security, mass attack linux, apache server, apache server security
The attack, originally thought to have impacted several hundred websites, actually has infected about 10,000 websites, including some in the United States but mostly in the United Kingdom.

The compromised websites, mostly hobby and travel sites without security administrators to keep them updated, can infect their visitors with malicious JavaScript code that can steal a variety of personal information, including bank user names and passwords, Social Security and credit card numbers and online payment accounts, according to SecureWorks.

The malicious JavaScript takes advantage of flaws in QuickTime and a host of other applications and services, including SuperBuddy and Yahoo Messenger's GetFile, SecureWorks researchers said.

According to the Atlanta-based managed security service provider, the exploits install a copy of Rbot and other malware on Apache servers. These are typically large files in the 144 KB to 433 KB range, and are "packed" in a way that avoids alerts for suspicious use of packers, tools that compress and scramble code in executable files.

SecureWorks says that organizations can protect against this attack by disabling dynamic loading in their Apache module configurations. The manner in which the perpetrators have injected their code into Apache servers is "very clever," Jon Ramsey, SecureWorks chief technology officer, told SCMagazineUS.com.

"[The code-injection process] changes the behavior of the Apache server to deliver malware content," he said.

Visitors to infected websites can avoid infection by ensuring their anti-virus signatures are up to date and that they have patched all vulnerable software. The attack does not take advantage of any unknown or zero-day vulnerabilities, SecureWorks added.
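
For administrators acting on the advice to disable dynamic loading, the following added example (not from SecureWorks or the original article) lists every active `LoadModule` and `LoadFile` directive in a configuration, the two directives Apache's mod_so provides for loading code at startup, and flags any that were not expected. The sample configuration and the `APPROVED` list are constructed assumptions, and only the text passed in is inspected, so files pulled in with `Include` must be checked as well.

```python
import re
import shlex

# Constructed sample configuration (not from the article or any real host).
SAMPLE_CONF = '''\
ServerRoot "/etc/httpd"
# LoadModule status_module modules/mod_status.so
LoadModule dir_module modules/mod_dir.so
LoadModule mime_module "modules/mod_mime.so"
  loadmodule  extra_module  /var/tmp/mod_extra.so
LoadModule alias_module /opt/other/mod_alias.so
LoadFile /usr/lib/libhelper.so
'''

# Assumption: the modules (and paths) this site has reviewed and expects to load.
APPROVED = {
    "dir_module": "modules/mod_dir.so",
    "mime_module": "modules/mod_mime.so",
    "alias_module": "modules/mod_alias.so",
}

# Directive names are case-insensitive; commented-out lines start with '#' and never match.
DIRECTIVE = re.compile(r"^\s*(LoadModule|LoadFile)\s+(\S.*)$", re.IGNORECASE)

def dynamic_loads(conf_text):
    """Yield (line_no, directive, args) for every active LoadModule/LoadFile line."""
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if match:
            yield line_no, match.group(1).lower(), shlex.split(match.group(2))

def audit(conf_text, approved=APPROVED):
    """Return (line_no, reason) findings; an empty list means nothing unexpected loads."""
    findings = []
    for line_no, directive, args in dynamic_loads(conf_text):
        if directive == "loadfile":
            findings.append((line_no, "LoadFile links extra code: " + " ".join(args)))
        elif len(args) != 2:
            findings.append((line_no, "malformed LoadModule"))
        elif args[0] not in approved:
            findings.append((line_no, "unapproved module: " + args[0]))
        elif args[1] != approved[args[0]]:
            findings.append((line_no, "unexpected path for " + args[0] + ": " + args[1]))
    return findings

if __name__ == "__main__":
    for line_no, reason in audit(SAMPLE_CONF):
        print(f"line {line_no}: {reason}")
```

A configuration with no output from `dynamic_loads` at all has no dynamic loading configured, which is the state the article's recommendation describes.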

SecureWorks has yet to pinpoint exactly who the attackers are, Ramsey said.

"The attacks do not match any typical attack patterns from any of the well-known Russian or Chinese groups," SecureWorks said in a prepared statement. "Some signs [indicate it is] Western European or even North American in origin."

"We have some interesting clues about where the group or person may be from, but no definitive information," Ramsey said.

See original article on scmagazineus.com

Secure Computing Magazine

 