Apache CDorked backdoor detection

Critical Nessus Network Monitor Plugin ID 6800

Synopsis

The remote host is running a backdoor

Description

The remote host seems to be infected with the Apache CDorked backdoor. This backdoor allows a remote user to create a shell and/or pass the server commands via specially crafted HTTP requests. In addition, the backdoor is used to further infect web clients by redirecting them to sites which infect the client with malware.

Solution

Manually clean the infected machine by replacing the trojan http binary. See the referenced link for more detection tools.

See Also

http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole

Plugin Details

Severity: Critical

ID: 6800

Family: Backdoors

Published: 2013/05/09

Modified: 2016/01/15

Dependencies: 1442

Risk Information

Risk Factor: Critical