
Darkleech on Apache Web Servers

Compromised Apache servers

In the recent past, the website of the LA Times was compromised. At the same time, the blog site of Seagate, a well-known hard disk manufacturer, was also compromised. Closer scrutiny revealed that both sites were hosted on the Apache web server, and that in both cases a rogue Apache module was the trigger. It allowed the insertion as well as the rotation of malicious iFrames, which affected every page of every website hosted on the servers.


This particular iFrame is notorious for redirecting users to other websites that host exploit kits, in particular the "Blackhole" kit, which then infects the user's computer with malware.

The existence of this malicious software has been known for quite some time. In fact, the information security community has even branded it "Darkleech." The first such incident was reported in August last year, a discovery made by the writers of the Unmask Parasites blog. Since then, the module has been sold on the underground online market.

This malware is unlike any other. It is quite difficult to trace, which gives security researchers a hard time locating its source or its next probable victim. The affected iFrames are usually created on the fly, so it is the visitor's request for a page that activates the malware. Strangely, only some visitors set off the injection, not everyone who lands on the site.

According to Dan Goodin of Ars Technica, no injection takes place for IP addresses belonging to hosting firms or security firms, and no infection occurs on sites that were recently attacked. He also noted that the malware leaves pages unmodified when the visit arrives via a search query, which probably explains why the compromised sites are difficult to find through standard Google searches.
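Because the injection is conditional on who is asking, as the two paragraphs above describe, a single fetch from the hosting provider's own address range can come back clean. The following added example (not code from the original post or from any of the researchers it cites) shows two defender-side checks: flagging iFrames in a served page that are hidden, tiny, or point off-site, and diffing the iFrames in the served response against the file as stored on disk so that anything added at serve time stands out. The HTML samples and the off-site address are constructed for the example.

```python
"""Spot injected iframes in served HTML, and diff a served response against
the on-disk file. Added example; sample inputs below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline-style fragments that make an iframe invisible to the visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|position\s*:\s*absolute.*?(left|top)\s*:\s*-\d",
    re.I,
)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def extract_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.iframes


def _tiny(value):
    """True for width/height attributes of 0-2 pixels, typical of injected frames."""
    match = re.match(r"\s*(\d+)", value or "")
    return bool(match) and int(match.group(1)) <= 2


def find_suspicious_iframes(html, page_host):
    """Return the src of every iframe that is off-site, hidden by style, or tiny."""
    hits = []
    for frame in extract_iframes(html):
        src = frame.get("src", "")
        host = urlparse(src).hostname or ""
        off_site = bool(host) and host != page_host
        hidden = bool(HIDDEN_STYLE.search(frame.get("style", "")))
        tiny = _tiny(frame.get("width")) or _tiny(frame.get("height"))
        if off_site or hidden or tiny:
            hits.append(src)
    return hits


def iframes_added_at_serve_time(on_disk_html, served_html):
    """Iframe srcs present in the served response but absent from the file on disk."""
    on_disk = {f.get("src", "") for f in extract_iframes(on_disk_html)}
    return [f.get("src", "") for f in extract_iframes(served_html)
            if f.get("src", "") not in on_disk]


# Constructed sample: the page as stored on disk, and the same page as returned
# to one visitor with a rotated, off-screen 1x1 iframe appended by the server.
ON_DISK = """<html><body><h1>News</h1>
<iframe src="https://www.example.com/embed/video" width="640" height="360"></iframe>
</body></html>"""
SERVED = ON_DISK.replace(
    "</body>",
    '<iframe src="http://203.0.113.7/x.php?k=4f2a" width="1" height="1" '
    'style="position:absolute;left:-9999px"></iframe></body>',
)

if __name__ == "__main__":
    print(find_suspicious_iframes(SERVED, "www.example.com"))
    print(iframes_added_at_serve_time(ON_DISK, SERVED))
```

In practice the "served" input is the response captured from a vantage point the module does not exclude (a plain residential connection with no search-engine referrer, per the behaviour described above), and the "on disk" input is the file read straight from the document root; a difference between the two is strong evidence that something in the server process, not the site's own files, is adding the frame.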

Another issue that worries security researchers is the difficulty of finding the root entry point. The mechanism the attackers use to gain access to a site and control it remains a mystery, as does how the malicious software infiltrates the servers without detection. Several explanations have been put forward: some believe it is through known or unknown software vulnerabilities, others that it is carried out through password cracking, while some think it occurs through social engineering attacks.

Mary Landesman, a senior security researcher at Cisco Systems, analyzed a number of compromised websites. In her study of the 1239 websites attacked within a six-week period at the beginning of the year, she noted that all of them were hosted on servers running Apache version 2.2.22 or higher, across a range of Linux distributions.

She also discovered a total of 2000 infected web host servers. Given that one host server caters for about 10 websites, this means that approximately 20,000 sites and their pages had been compromised.

The offending module is difficult to remove. The most practical remedy is to take the site completely offline, clean it, and then restore it from a backup. Even then, a backdoor may be left behind, which is why web hosts in Australia such as Ezi Hosting, and in any other region, remain at risk.
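The paragraph above leaves the practitioner with two questions after a restore: is the rebuilt server loading only the modules it was built with, and have any module files changed on disk? The following added example (not code from the original post) answers both by comparing the text of `apachectl -M` (or `httpd -M`) and SHA-256 hashes of the module files against a baseline recorded from the same host at build time. The sample `apachectl -M` output, the baseline, and the file contents are constructed; the extra module name is a placeholder and not a real Darkleech artifact.

```python
"""Compare a (restored) Apache host's loaded modules and module files with a
build-time baseline. Added example; all sample data is constructed."""
import hashlib
import re
from pathlib import Path

# One line of `apachectl -M` output, e.g. " rewrite_module (shared)".
LOADED_RE = re.compile(r"^\s*(\S+_module)\s+\((static|shared)\)\s*$", re.M)


def parse_loaded_modules(apachectl_output):
    """Return {module_name: 'static' | 'shared'} from `apachectl -M` text."""
    return dict(LOADED_RE.findall(apachectl_output))


def unexpected_modules(loaded, baseline_names):
    """Loaded modules that the build-time baseline does not list."""
    return sorted(set(loaded) - set(baseline_names))


def sha256_of(blobs):
    """SHA-256 per file name from an in-memory {name: bytes} mapping."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in blobs.items()}


def sha256_of_dir(modules_dir):
    """Same, reading every *.so from a real modules directory."""
    return sha256_of({p.name: p.read_bytes() for p in Path(modules_dir).glob("*.so")})


def drifted_files(current, baseline):
    """File names whose hash differs from the baseline, or that are not in it."""
    return sorted(name for name, digest in current.items() if baseline.get(name) != digest)


def audit(apachectl_output, baseline_names, current_hashes, baseline_hashes):
    """Run both checks; empty lists mean nothing unexplained was found."""
    loaded = parse_loaded_modules(apachectl_output)
    return {
        "unexpected_modules": unexpected_modules(loaded, baseline_names),
        "drifted_files": drifted_files(current_hashes, baseline_hashes),
    }


# Constructed `apachectl -M` output; the last line is a placeholder name.
SAMPLE_APACHECTL_M = """Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_prefork_module (shared)
 dir_module (shared)
 mime_module (shared)
 rewrite_module (shared)
 placeholder_extra_module (shared)
"""

# Module names recorded from the same host when it was built (constructed).
BASELINE_MODULES = {"core_module", "so_module", "http_module", "mpm_prefork_module",
                    "dir_module", "mime_module", "rewrite_module"}

# Constructed byte strings standing in for the real .so contents.
BASELINE_FILES = sha256_of({"mod_rewrite.so": b"rewrite-v1", "mod_dir.so": b"dir-v1"})
CURRENT_FILES = sha256_of({
    "mod_rewrite.so": b"rewrite-v1-modified",   # same name, different bytes
    "mod_dir.so": b"dir-v1",                     # unchanged
    "mod_placeholder_extra.so": b"unknown",      # not in the baseline at all
})

if __name__ == "__main__":
    print(audit(SAMPLE_APACHECTL_M, BASELINE_MODULES, CURRENT_FILES, BASELINE_FILES))
```

On a live host, `sha256_of_dir` replaces the constructed `CURRENT_FILES`, and the baseline hashes are best taken from the distribution's package manifest rather than from the compromised machine itself, since a module swapped in place would otherwise be baselined as normal.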

More Stories By Anne Lee

Anne Lee is a freelance technology journalist, a wife and a mother of two.
