<div dir="ltr">It looks like this is just a backdoor that someone would install once they have already penetrated your system through some other vulnerability. The backdoor doesn't seem like it should be particularly platform specific; the shared memory APIs are cross-platform. I'm sure the author of this backdoor could easily generate binaries for any platform/web server combination that they decide is worth their time. In any case, finding this backdoor would just be a symptom that you have some vulnerability in addition to the one that the backdoor introduced.</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, May 9, 2013 at 5:17 PM, Pete Wright <span dir="ltr"><<a href="mailto:pete@nomadlogic.org" target="_blank">pete@nomadlogic.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On 05/09/13 16:45, Pete Wright wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hey - anyone else been able to find more reliable information on this<br>
backdoor? This is pretty much the only semi-useful information I've<br>
been able to dig up on it today:<br>
<br>
<a href="http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/" target="_blank">http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/</a><br>
<br>
What I'm specifically interested to see is if this is an application<br>
level vuln, something to do with the Linux kernel only, thus making my<br>
*BSD servers mostly safe, or what...<br>
<br>
</blockquote>
<br>
<br></div>
had some cycles to dig deeper - found a python script from <a href="http://eset.ie" target="_blank">eset.ie</a> that they believe will detect this code. it's pretty simple - so I'm not sure how reliable it is tbh. here's a link to a wordpress site which is hosting the python script (that's not sketchy at all is it?):<br>
<br>
<a href="http://www.welivesecurity.com/wp-content/uploads/2013/04/dump_cdorked_config.7z" target="_blank">http://www.welivesecurity.com/wp-content/uploads/2013/04/dump_cdorked_config.7z</a><br>
<br>
<br>
tl;dr version if you don't want to grab the script.<br>
<br>
- defines a key and size of a Linux shared memory segment:<br>
<pre>
SHM_SIZE = 6118512   # segment size in bytes
SHM_KEY = 63599      # SysV IPC key
</pre>
<br>
- attempts to load librt.so via the ctypes python module so it can interact directly with the system's shared memory pool:<br>
<pre>
from ctypes import CDLL

try:
    rt = CDLL('librt.so')
except OSError:
    rt = CDLL('librt.so.1')
</pre>
<br>
- the scanning/detection bit is a little fuzzy to me atm - although i believe it looks for a chunk of shared memory allocated at SHM_KEY of SHM_SIZE assuming the backdoor exists if this pattern is matched.<br>
<br>
dunno...still scratching my head about this whole thing....my current suspicion is that if this backdoor is dependent upon linux shared memory then the non-linux systems *should* be OK (assuming said systems are not running httpd via linux compatibility layer)?<br>
<br>
dunno - still waiting for a good analysis about this whole thing :)<br>
<br>
<br>
<br>
<br>
-p<div class="im"><br>
<br>
<br>
-- <br>
Pete Wright<br>
<a href="mailto:pete@nomadlogic.org" target="_blank">pete@nomadlogic.org</a><br>
twitter => @nomadlogicLA<br>
<br></div>
_______________________________________________<br>
talk mailing list<br>
<a href="mailto:talk@lists.nycbug.org" target="_blank">talk@lists.nycbug.org</a><br>
<a href="http://lists.nycbug.org/mailman/listinfo/talk" target="_blank">http://lists.nycbug.org/mailman/listinfo/talk</a><br>
</blockquote></div><br></div>
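<div dir="ltr">Added example illustrating the detection approach Pete describes above: this is not ESET's dump_cdorked_config.py, nor anything from the thread, just a Linux-only check for whether a SysV shared memory segment with the quoted key (63599) and size (6118512) exists. It does two independent things: parses /proc/sysvipc/shm (no ctypes needed, and it also shows the creator pid and attach count), and probes with shmget() loaded via ctypes the way the script does. The /proc sample embedded in it is constructed, not captured from an infected host, and the size-only match in suspicious_segments() is my own widening of the check, not something the script or the thread states.</div>

```python
"""Linux-only check for the SysV shared memory segment the thread says
Linux/Cdorked uses (key 63599, size 6118512 bytes).

Added example; NOT ESET's dump_cdorked_config.py. It only reports whether
such a segment exists, it does not attach to or decode its contents.
"""
import ctypes
import ctypes.util
import errno
import os

SHM_KEY = 63599       # SysV IPC key quoted in the thread
SHM_SIZE = 6118512    # segment size in bytes quoted in the thread

# Constructed sample of /proc/sysvipc/shm (not captured from a real host).
# Second row mimics a Cdorked-style segment created by pid 3120 as uid 33.
SAMPLE_PROC_SHM = """\
       key      shmid perms                  size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime                   rss                  swap
         0      32768   600              67108864  2201  2205      2  1000  1000  1000  1000 1368000000 1368000001 1368000002                4096                    0
     63599      65537   666               6118512  3120  3125      4    33    33    33    33 1368100000          0 1368100001             6119424                    0
"""


def parse_sysvipc_shm(text):
    """Parse /proc/sysvipc/shm text into dicts; the header line is skipped.

    Column order on Linux: key shmid perms size cpid lpid nattch uid gid
    cuid cgid atime dtime ctime rss swap.
    """
    segments = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "key":
            continue
        segments.append({
            "key": int(fields[0]),
            "shmid": int(fields[1]),
            "perms": fields[2],
            "size": int(fields[3]),
            "cpid": int(fields[4]),    # pid that created it: is it your httpd?
            "nattch": int(fields[6]),  # processes currently attached
            "uid": int(fields[7]),
        })
    return segments


def suspicious_segments(segments, key=SHM_KEY, size=SHM_SIZE):
    """Segments whose key OR size matches the reported values.

    Matching on size alone goes beyond the script's exact key+size pair so a
    variant that only changed the key is still reported (my assumption).
    """
    return [s for s in segments if s["key"] == key or s["size"] == size]


def _load_shmget():
    """Return a ctypes shmget(): librt first (as the script does), then libc."""
    for name in ("librt.so.1", "librt.so", ctypes.util.find_library("c"), None):
        try:
            lib = ctypes.CDLL(name, use_errno=True)
            fn = lib.shmget
        except (OSError, AttributeError):
            continue
        fn.argtypes = [ctypes.c_int, ctypes.c_size_t, ctypes.c_int]
        fn.restype = ctypes.c_int
        return fn
    raise OSError("no C library exposing shmget() found")


def find_segment(key=SHM_KEY, size=SHM_SIZE):
    """shmget(key, size, 0): without IPC_CREAT this succeeds only if a segment
    with this key already exists and is at least `size` bytes. Requesting no
    permission bits means the lookup also works on another user's segment.
    Returns the shmid, or None on ENOENT (no such key) / EINVAL (too small).
    """
    shmget = _load_shmget()
    shmid = shmget(key, size, 0)
    if shmid >= 0:
        return shmid
    err = ctypes.get_errno()
    if err in (errno.ENOENT, errno.EINVAL):
        return None
    raise OSError(err, os.strerror(err))


def scan_live_host(path="/proc/sysvipc/shm"):
    """Run both checks against the current IPC namespace."""
    with open(path) as f:
        hits = suspicious_segments(parse_sysvipc_shm(f.read()))
    return hits, find_segment()


if __name__ == "__main__":
    hits, shmid = scan_live_host()
    for s in hits:
        print("suspicious segment: key=%(key)d shmid=%(shmid)d size=%(size)d "
              "cpid=%(cpid)d nattch=%(nattch)d uid=%(uid)d" % s)
    print("shmget(%d, %d, 0) ->" % (SHM_KEY, SHM_SIZE), shmid)
```

<div dir="ltr">Two caveats a practitioner would want: both /proc/sysvipc/shm and shmget() only see the IPC namespace you run in, so if httpd lives in a container, run this inside it; and this is Linux-specific, which bears on Pete's *BSD question: FreeBSD has no /proc/sysvipc, though <code>ipcs -m</code> there (and on Linux) lists the same segments, and the cpid/nattch columns are the quickest way to see whether the segment was created by, and is attached to, your web server processes.</div>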