29.04.2013 - Thousands of web servers hacked by heavy security hole in cPanel

The malware uses only a modified httpd binary and only 6MB RAM memory. But thatŽs not all, the malware doesnŽt leave any traces in the log files, what makes tracking very difficult. The modified file is also provided with the immutable bit, which also makes it difficult to access. The administrator must first edit the file with chattr before he can replace it with a clean version.

The analysis from the outside is difficult, because the compromised server changes its behavior only once a day and IP address. A user who visits the site for the first time in a day is redirected via a redirect. More requests and administrative requests are not redirected, so it takes days to weeks until the behavior is striking. The redirected page contains additional malware (worms, trojans, viruses), which is automatically nested on the PC of visitor. A virus scanner offers in most cases not enough secure protection.

We recommend all Apache administrators who use the cPanel to administrate their servers to check of their server is already infected by the highly advanced malware and possibly implement appropriate steps to cleanup the system.