ESET has released a Python script to help administrators verify whether their httpd binary has been affected.
The H Security reports that this particular attack can be detected by looking for the string "open_tty" in the Apache program directory, e.g.:
grep -r open_tty /usr/local/apache/
Because httpd is a binary, a hit is reported as "Binary file ... matches"; add -a to grep if you want to see the surrounding bytes.
The immutable bit is also set on the compromised binaries, which makes them harder to clean up: while it is set, any attempt to overwrite, rename or delete the file fails with "Operation not permitted", even as root. Check the attributes with lsattr and clear the immutable and append-only flags (this needs root) before replacing the binary. For example,
chattr -ai /usr/local/apache/bin/httpd
Beyond these indicators, the dependable way to detect attacks like this is file integrity monitoring: record checksums of the Apache binaries from a known-good install and compare them regularly, so that an altered or replaced binary shows up as a changed checksum. A packaged Apache can be verified against the package database (rpm -V or debsums); a build from source has no such record, so the baseline has to be taken before the server goes into production. Keep the baseline off the host, since an attacker with root can update it along with the binary.
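As an added example that is not part of the original post (and not ESET's script), the following POSIX sh script combines the three checks above into one triage routine: the open_tty string search, the immutable/append-only attribute check, and a SHA-256 comparison against a baseline digest you recorded from a known-good copy. Function names are my own; it assumes a Linux host with grep, awk and sha256sum, and treats lsattr as optional.

```shell
#!/bin/sh
# Added example, not code from ESET or The H Security.
# Assumptions: Linux, POSIX sh, grep, awk, sha256sum; lsattr optional.
# The baseline digest must come from a known-good httpd recorded earlier.

# Returns 0 if the file contains the marker string "open_tty", 1 otherwise.
# -a searches the binary as text so grep can match inside it; -q is quiet.
has_open_tty() {
    grep -qa 'open_tty' "$1"
}

# Returns 0 if the immutable (i) or append-only (a) attribute is set,
# 1 if neither is set, 2 if lsattr is missing or the filesystem does not
# support attributes (lsattr's errors are discarded, leaving an empty field).
has_immutable_attr() {
    attrs=$(lsattr -d "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$attrs" ] || return 2
    case "$attrs" in
        *i*|*a*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Returns 0 if the file's SHA-256 equals the recorded baseline digest.
matches_baseline() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# Runs all three checks. Prints one line per finding and returns 0 when
# nothing is suspicious, 1 otherwise, so it can drive a cron job or alert.
triage_httpd() {
    bin=$1
    baseline=$2
    suspicious=0

    if has_open_tty "$bin"; then
        echo "$bin: contains the open_tty marker"
        suspicious=1
    fi

    has_immutable_attr "$bin" && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "$bin: immutable/append-only attribute set (clear with: chattr -ai $bin)"
        suspicious=1
    elif [ "$rc" -eq 2 ]; then
        echo "$bin: could not read file attributes (lsattr missing or unsupported)"
    fi

    if ! matches_baseline "$bin" "$baseline"; then
        echo "$bin: SHA-256 differs from the recorded baseline"
        suspicious=1
    fi

    return "$suspicious"
}

# Usage: sh triage_httpd.sh /usr/local/apache/bin/httpd <baseline-sha256>
if [ $# -ge 2 ]; then
    triage_httpd "$1" "$2"
fi
```

The attribute check is deliberately three-valued: on a filesystem without attribute support, or a box without e2fsprogs, "unknown" should be reported rather than silently counted as clean, which is the kind of gap an attacker relies on.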