Disclaimer: This malware sample is not in any way related to Hacking Team (as far as I know) other than me making some jokes about them related to a future presentation about their OS X malware product.
Two months ago (maybe three) I started noticing a sporadic redirect when I accessed this blog's pages. It wasn't anything malicious as far as I could evaluate; just a redirect to an adult friend finder site. A friend did some initial research on the site's pages and content and could not find anything relevant there, other than a very old Zend-encoded backdoor (LOL!). I also poked around the database contents and it appeared clean. Having read about some recent Linux rootkits injecting iframes and that kind of stuff, I was convinced the shared server had been hacked. Other tasks were calling for my attention and so this matter got sidetracked.
Last week some readers started complaining about the redirects and it was finally time to find out what was really happening. I asked my great hosting friends at HighSpeedWeb to give me r00t and find the problem. My instinct was right: I found a new variant of Linux/CDorked.A, which made headlines at the beginning of 2013. Unfortunately I have no idea how the breach started, but I bet on a local root exploit (the server was running KSplice). Shared servers are a pain to manage, with all kinds of vulnerable scripts being installed.
For some background on Linux/CDorked.A you should have a look at the following articles:
- Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole
- ESET and Sucuri Uncover Linux/Cdorked.A: The Most Sophisticated Apache Backdoor
- Apache Binary Backdoors on Cpanel-based servers
- Malware.lu Technical Analysis of CDorked.A
- Ebury SSH Rootkit – Frequently Asked Questions (updated info, recommended!)