[nycbug-talk] Cdorked.A Backdoor

Bob Ippolito bob at redivi.com
Thu May 9 20:45:41 EDT 2013


It looks like this is just a backdoor that someone would install once they
have already penetrated your system through some other vulnerability. The
backdoor doesn't seem like it should be particularly platform specific, the
shared memory APIs are cross-platform. I'm sure the author of this backdoor
could easily generate binaries for any platform/web server combination that
they decide is worth their time. In any case, finding this backdoor would
just be a symptom that you have some vulnerability in addition to the one
that the backdoor introduced.


On Thu, May 9, 2013 at 5:17 PM, Pete Wright <pete at nomadlogic.org> wrote:

> On 05/09/13 16:45, Pete Wright wrote:
>
>> Hey - anyone else been able to find more reliable information on this
>> backdoor?  This is pretty much the only semi-useful information I've
>> been able to dig up on it today:
>>
>> http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/
>>
>> What I'm specifically interested to see is if this is an application
>> level vuln, something to do with the linux kernel only, thus making my
>> *BSD servers mostly safe, or what...
>>
>>
>
> had some cycles to dig deeper - found a python script from eset.ie that
> they believe will detect this code.  it's pretty simple - so i'm not sure
> how reliable it is tbh.  here's a link to a wordpress site which is hosting
> the python script (that's not sketchy at all is it?):
>
> http://www.welivesecurity.com/wp-content/uploads/2013/04/dump_cdorked_config.7z
>
>
> tl;dr version if you don't want to grab the script.
>
> - defines a key and size of a linux shared memory segment:
>  SHM_SIZE = 6118512
>  SHM_KEY = 63599
>
> - attempts to load librt.so via ctypes python module so it can interact
> directly with the system's shared memory pool:
>  try:
>    rt = CDLL('librt.so')
>  except:
>    rt = CDLL('librt.so.1')
>
> - the scanning/detection bit is a little fuzzy to me atm - although i
> believe it looks for a chunk of shared memory allocated at SHM_KEY of
> SHM_SIZE assuming the backdoor exists if this pattern is matched.
>
> dunno...still scratching my head about this whole thing....my current
> suspicion is that if this backdoor is dependent upon linux shared memory
> then the non-linux systems *should* be OK (assuming said systems are not
> running httpd via linux compatibility layer)?
>
> dunno - still waiting for a good analysis about this whole thing :)
>
>
>
>
> -p
>
>
>
> --
> Pete Wright
> pete at nomadlogic.org
> twitter => @nomadlogicLA
>
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>
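The check Pete describes above (a segment allocated at that key with that size), as an added example that is not the ESET script and not from anyone in the thread: rather than calling shmget through ctypes, it reads the Linux /proc/sysvipc/shm table, so it works read-only and returns nothing on hosts that have no such file. The column layout assumed is the Linux one (key, shmid, perms in octal, size, cpid, lpid, nattch, ...); the sample table below is constructed.

```python
# Added example: flag a SysV shared memory segment whose key and size match
# the values quoted from dump_cdorked_config, using /proc/sysvipc/shm (Linux).
from typing import Dict, List

SHM_KEY = 63599       # from the quoted script
SHM_SIZE = 6118512    # from the quoted script
PROC_SHM = "/proc/sysvipc/shm"  # Linux path; absent on *BSD


def parse_sysvipc_shm(text: str) -> List[Dict[str, int]]:
    """Parse /proc/sysvipc/shm text into one dict per segment (header names as keys)."""
    lines = text.strip().splitlines()
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) < len(header):
            continue  # malformed row: skip rather than crash the scan
        # perms is printed in octal by the kernel; everything else is decimal
        rows.append({name: int(val, 8) if name == "perms" else int(val)
                     for name, val in zip(header, fields)})
    return rows


def find_suspect_segments(text: str, key: int = SHM_KEY, size: int = SHM_SIZE):
    """Segments matching BOTH key and size; a key alone is too weak a signal."""
    return [seg for seg in parse_sysvipc_shm(text)
            if seg["key"] == key and seg["size"] == size]


def scan_host(path: str = PROC_SHM):
    """Read the live table; [] on hosts where the file does not exist."""
    try:
        with open(path) as fh:
            return find_suspect_segments(fh.read())
    except FileNotFoundError:
        return []


# Constructed sample (not real output): one benign segment, one matching hit.
SAMPLE = """\
       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime        rss       swap
         0      65536   600     524288  1234  1234      2  1000  1000  1000  1000 1368130000          0 1368129000     524288          0
     63599      98304   666    6118512  2001  2002      3     0     0     0     0 1368130500          0 1368129500    6118512          0
"""

if __name__ == "__main__":
    for seg in find_suspect_segments(SAMPLE):
        print(f"suspect shmid={seg['shmid']} key={seg['key']} size={seg['size']} nattch={seg['nattch']}")
```

On a live host call scan_host() and treat a hit as a lead for a full investigation, since, as Bob notes, the backdoor is only a symptom of an earlier compromise.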