ESET is reporting in their blog that the Linux webserver backdoor is far more widespread than first reported, with compromised Apache, Lighttpd and nginx servers now being found. This means the stealthy redirecting malware that infects webservers has the potential to infect many more servers than first thought.
Our investigation around Linux/Cdorked.A continues. Since our initial post about this sophisticated and stealthy backdoor designed to drive traffic to malicious websites, we have made further significant discoveries:
- We have observed more than 400 webservers infected with Linux/Cdorked.A. Out of these, 50 are ranked in Alexa’s top 100,000 most popular websites.
- The backdoor has been applied to other webserver daemons. Thanks to the information provided by affected system administrators, we were able to analyze trojanized Lighttpd and nginx binaries in addition to the already documented Apache binaries.
- According to our global telemetry data, this operation has been active since at least December 2012.
- The Linux/Cdorked.A threat is even more stealthy than we first thought: by analysing how the attackers are configuring the backdoor, we found it will not deliver malicious content if the victim’s IP address is in a very long list of blacklisted IP ranges, nor if the victim’s internet browser’s language is set to Japanese, Finnish, Russian, Ukrainian, Kazakh or Belarusian.
- Our telemetry data shows that almost 100,000 users of ESET security products have browsed infected websites due to Linux/Cdorked.A redirection, although the attack was blocked by those products.
- In some of the configurations we were able to analyze, specific redirections were configured for Apple iPad and iPhone users.
In this blog post, we will provide additional information on the capabilities of the backdoor. We will also describe the typical configurations we were able to analyze and the malicious payload that was delivered to victims. In a typical attack scenario, victims are redirected to a malicious web server hosting a Blackhole exploit kit. We have discovered that this malicious infrastructure uses compromised DNS servers, something that is out of the ordinary. We will provide more information on this peculiarity in the last section of this post.
Businesses with Linux web servers would be well advised to check whether their Apache, Lighttpd or nginx servers have been compromised; details are in the original ESET blog article.
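Since the infection described above is a trojanized webserver binary, one practical first check is to compare the installed binary against the checksum manifest the distribution's package manager recorded at install time. The script below is an added example, not code from ESET or the original post; it assumes a Debian-style `.md5sums` manifest (the format used under `/var/lib/dpkg/info/`) and uses constructed sample data in `demo()` so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def parse_md5sums(text):
    """Parse a Debian-style md5sums manifest: '<md5hex>  <path-without-leading-slash>'."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rel = line.partition("  ")
        entries[rel] = digest.lower()
    return entries


def verify_manifest(manifest_text, root="/"):
    """Hash every file listed in the manifest under `root` and classify it.

    Returns a dict with lists of relative paths that are unchanged ('ok'),
    whose on-disk hash differs from the manifest ('modified'), or absent ('missing').
    """
    results = {"ok": [], "modified": [], "missing": []}
    for rel, expected in parse_md5sums(manifest_text).items():
        path = Path(root) / rel
        if not path.is_file():
            results["missing"].append(rel)
            continue
        actual = hashlib.md5(path.read_bytes()).hexdigest()
        bucket = "ok" if actual == expected else "modified"
        results[bucket].append(rel)
    return results


def demo():
    """Constructed example: a pristine nginx, a tampered apache2, and a missing lighttpd."""
    with tempfile.TemporaryDirectory() as root:
        sbin = Path(root) / "usr" / "sbin"
        sbin.mkdir(parents=True)
        apache_clean = b"stand-in for the packaged apache2 binary\n"
        nginx_clean = b"stand-in for the packaged nginx binary\n"
        (sbin / "apache2").write_bytes(apache_clean + b"<injected code>")  # simulated trojanization
        (sbin / "nginx").write_bytes(nginx_clean)
        manifest = "\n".join([
            f"{hashlib.md5(apache_clean).hexdigest()}  usr/sbin/apache2",
            f"{hashlib.md5(nginx_clean).hexdigest()}  usr/sbin/nginx",
            f"{hashlib.md5(b'lighttpd').hexdigest()}  usr/sbin/lighttpd",  # never installed here
        ])
        return verify_manifest(manifest, root)


if __name__ == "__main__":
    print(demo())  # {'ok': ['usr/sbin/nginx'], 'modified': ['usr/sbin/apache2'], 'missing': ['usr/sbin/lighttpd']}
```

A manifest on the same host can itself be altered by an attacker with root, so treat a clean result as necessary rather than sufficient and, where possible, compare against checksums taken from a freshly downloaded copy of the package.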