
#37 Malicious Apache module checks

Milestone: main
Status: closed-fixed
Owner: nobody
Labels: Rkhunter (37)
Priority: 5
Updated: 2014-04-18
Created: 2013-03-20
Creator: giedmaja
Private: No

Would it be possible to add checks for malicious Apache modules like http://www.welivesecurity.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a/ ?
Some of them can be detected by identifying strings in the modules or whitelisting/blacklisting module names (typically, it uses a non-existent module name).
ls *.so | xargs strings | grep _CHECK_BOT_USERAGENT

Examples of strings typical for such malicious modules: _CHECK_BOT_USERAGENT, module switcher, dlEngine. More possible choices are listed here: http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/

Samples for testing available here: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2281
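A portable version of the string check described in this ticket, added here as an example that is not part of the ticket or of rkhunter: it extracts printable runs the way strings(1) does, matches the three indicator strings quoted above, and flags module file names missing from an allow-list. The allow-list and the two fake module files are constructed assumptions, not real data.

```python
import os
import re
import tempfile

# Indicator strings quoted in the ticket; a real scanner would load these from a signature file.
INDICATORS = (b"_CHECK_BOT_USERAGENT", b"module switcher", b"dlEngine")

# Hypothetical allow-list of module file names expected on this host (assumption, site-specific).
KNOWN_MODULES = {"mod_ssl.so", "mod_rewrite.so", "mod_php5.so"}

# Runs of 4+ printable ASCII bytes, the same default heuristic strings(1) applies.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def scan_module(path):
    """Return the indicator strings found in one shared object, as a sorted list."""
    with open(path, "rb") as fh:
        data = fh.read()
    found = set()
    for run in PRINTABLE_RUN.findall(data):
        for indicator in INDICATORS:
            if indicator in run:
                found.add(indicator.decode())
    return sorted(found)


def scan_module_dir(directory):
    """Scan every .so in directory; report modules with unknown names or indicator hits."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".so"):
            continue
        hits = scan_module(os.path.join(directory, name))
        unknown = name not in KNOWN_MODULES
        if hits or unknown:
            report[name] = {"unknown_name": unknown, "indicators": hits}
    return report


def build_sample_dir():
    """Constructed test data: one benign-looking and one suspicious fake module (not real ELF files)."""
    directory = tempfile.mkdtemp()
    with open(os.path.join(directory, "mod_ssl.so"), "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 8 + b"SSL_CTX_new\x00mod_ssl\x00")
    with open(os.path.join(directory, "mod_sec2.so"), "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 8 + b"_CHECK_BOT_USERAGENT\x00dlEngine\x00")
    return directory


if __name__ == "__main__":
    for module, verdict in scan_module_dir(build_sample_dir()).items():
        print(module, verdict)
```

Pointing scan_module_dir at the real Apache modules directory gives a report keyed by file name; an empty report means no unknown names and no indicator hits.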

Discussion

  • Evil
    2013-12-08

    I'd like to point out that you uselessly used ls when you could have easily just run strings -f *.so | grep _CHECK_BOT_USERAGENT or even grep -ao _CHECK_BOT_USERAGENT *.so

    Last edit: Evil 2013-12-08
  • John Horne
    2013-12-08

    Except that 'strings -f' and even 'grep -a' are not standard across all UNIX distributions, hence why 'ls' is used.

  • unSpawn
    2014-04-18

    Hopefully fixed with rkhunter-1.4.2 ClamAV sig RKH_dso.ldb.

  • unSpawn
    2014-04-18

    • status: open --> closed-fixed