Apache dynamic module infected

Hill, Greg grhill at corp.untd.com
Tue Jan 22 18:05:00 MST 2008

> Has anyone heard about this Apache exploit?  Supposedly there is a
> infection using Apache's dynamic module.
> Mass host hack bigger than first thought, hits 10,000 sites
> Some hacked Apache servers reinfected even after clean-up and Linux
> reinstall
> http://tinyurl.com/28obnf
> http://tinyurl.com/22clxe

According to the article: "Jackson's can't prove how the sites were
originally hacked, but all the evidence points to the theft of log-on

> Is this for real or is this merely a isolated problem blow out of
> proportion to cause FUD?  If this is for real, the articles did not
> explain how you can detect if you were infected, or how to disable
> Apache's dynamic module.
> Is there a "dynamic module" module or is it referring to any module
> is loaded by the LoadModule directive?  If the later is the case than
> any site hosting SSL or PHP or any number of other items would be
> disabled.  I am hoping the former is the case and there is some
> mysterious "dynamic module" module to be disabled.  Any ideas?

I'm assuming they mean a DSO (Dynamic Shared Object), in that once they
get on to the server, they load a DSO into Apache that adds the
malicious code.

The bigger question is why admins are reinstalling with the same logon
credentials if they think that's how they got in to begin with.


More information about the PLUG mailing list