Home / server / Questions / 503959
In Process
Don Rhummy
Asked: 2013-05-01 10:21:04 +0800 CST

How do I protect an Apache (in LAMP) install against the Apache Linux/Cdorked.A backdoor?

  • 772

Just like the title asks, what can I do to protect against infection by the Apache Linux/Cdorked.A backdoor?

linux

2 Answers

  1. to check if you're compromised:

    strings /path/to/httpd | egrep open_tty

    if grep returns ANY line, you're compromised.

    it looks like the mode of breakage is via brute force ssh. So best practices to protect your server is: disable the root account, use sudo, and disables ANY user that has /bin/bash login, AND enforce good passwords or no passwords at all and use ssh keys.

    • 2

  2. As Marcel says good password policy is a must in any case.

    ssh keys is a fantastic idea, (and) disabling password login on sshd is also great but often not practical.

    see: ssh-copy-id (or you can do it by hand) FWIW I set up different key pairs for almost every account.

    Also consider a detection software like rkhunter , chkrootkit or some other tripwire type tools.

    Finally run monitoring tools like monit. (many others)

    These tools can be configured to checksum most any file and scream on alterations to sizes permissions restarts etc etc.

    Some quickly googled refs:

    http://www.debian.org/devel/passwordlessssh

    http://www.cyberciti.biz/faq/howto-check-linux-rootkist-with-detectors-software/

    • 1