Dan Goodin, editor at Ars Technica, has been tracking and compiling info on an elusive series of website compromises that could be impacting tens of thousands of otherwise perfectly legitimate sites. While various researchers have reported various segments of the attacks, until Dan’s article, no one had connected the dots and linked them all together.

Dubbed “Darkleech,” thousands of Web servers across the globe running Apache 2.2.2 and above are infected with an SSHD backdoor that allows remote attackers to upload and configure malicious Apache modules. These modules are then used to turn hosted sites into attack sites, dynamically injecting iframes in real-time, only at the moment of visit.

Because the iframes are dynamically injected only when the pages are accessed, this makes discovery and remediation particularly difficult. Further, the attackers employ a sophisticated array of conditional criteria to avoid detection:

  • Checking IP addresses and blacklisting security researchers, site owners, and the compromised hosting providers;
  • Checking User Agents to target specific operating systems (to date, Windows systems);
  • Blacklisting search engine spiders;
  • Checking cookies to “wait list” recent visitors;
  • Checking referrer URLs to ensure visitor is coming in via valid search engine results.

When the iframe is injected on the page, the convention used for the reference link in the injected iframe is IP/hex/q.php. For example:

The nature of the compromise coupled with the sophisticated conditional criteria presents several challenges:

  • Website owners/operators will not be able to detect or clean the compromise as (a) it is not actually on their website, and (b) most will not have root-level access to the webserver;
  • Even if website owners/operators suspect the host server may be the source, they would still need to convince the hosting provider, who may discount their report;
  • Even if the hosting provider is responsive, the malicious Apache modules and associated SSHD backdoor may be difficult to ferret out, and the exact method will vary depending on server configuration;
  • Since SSHD is compromised, remediation of the attack and preventing further occurrences may require considerable procedural changes that, if not carried out properly, could cause a privilege lockout for valid administrators or be ineffective and lead to continued compromise.

The magnitude of the problem becomes clear when one considers how widespread these attacks are.  The following chart illustrates the geographic location of infected host servers observed from February 1–March 15, 2013. (Click the chart to view in full size).


For additional info and links to specific remediation advice, see: Ongoing malware attack targeting Apache hijacks 20,000 sites


Mary Landesman

Senior Security Researcher

Cisco TRAC