Tuesday, April 30, 2013

Apache Attack Invisible to Usual Investigative Methods

A newly reported backdoor for the Apache web server, which ESET calls Linux/Cdorked.A, appears to have infected a large number of systems. It is hard to spot with the usual forensic routine because it keeps its configuration and state in a shared memory region rather than on disk. The only file-system evidence is the modified httpd binary itself, and the malicious code inside it is obfuscated.

ESET has released a Python script that dumps the backdoor's configuration out of that shared memory region, which administrators can use to verify whether their httpd has been affected.

The H Security reports that this particular variant can also be detected by looking for the string "open_tty", which a legitimate build does not carry, in the Apache program directory, e.g.:
grep -r open_tty /usr/local/apache/
Adjust the path for packaged installs, where the binary is typically /usr/sbin/httpd or /usr/sbin/apache2. This is a string match against one known variant; a rebuilt backdoor could drop or rename it, so a miss is not a clean bill of health.

The immutable bit is also set on the compromised binaries, which blocks a simple overwrite and makes cleanup more awkward; lsattr shows it as an i in the attribute flags. Clear it (as root) before replacing the file, for example,
chattr -ai /usr/local/apache/bin/httpd
Bear in mind that setting that attribute and replacing httpd both require root, so a server showing these indicators has been fully compromised and should be rebuilt from known-good media rather than just having the binary swapped back.

Since the only on-disk change is the binary itself, the realistic way to catch attacks like this is file integrity checking: baseline the checksums of the web server binaries on a known-good system, keep the baseline somewhere the host cannot alter it, and alert when they change. On distribution-packaged installs the package manager's own verification (rpm -V httpd, debsums apache2) is a quick first pass, though a root-level attacker can tamper with its database as well.
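The checks above, collected into one small shell triage routine. This is an added example and not ESET's dump script or the command lines quoted from The H; the Apache directory layout (a bin/ subdirectory holding the binaries), the baseline file name, and the sample files it builds under a temporary directory are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: one triage routine covering the three checks from the post
# (open_tty string, immutable/append-only attribute, checksum baseline).
# Not ESET's dump script. Assumptions: the Apache tree has a bin/ subdirectory
# holding the binaries, and the baseline is a sha256sum-format file that was
# recorded while the system was known-good and kept off the host.

# Check 1: files under DIR that contain the "open_tty" string, one path per
# line. Exit status 0 means at least one hit.
find_open_tty() {
    grep -rl open_tty "$1" 2>/dev/null
}

# Check 2: is the immutable (i) or append-only (a) attribute set on FILE?
# Returns 0 if set, 1 if not, 2 if lsattr is missing or the filesystem does
# not support attributes. Clearing it needs root: chattr -ai FILE
has_immutable_bit() {
    command -v lsattr >/dev/null 2>&1 || return 2
    attrs=$(lsattr -d "$1" 2>/dev/null) || return 2
    attrs=${attrs%% *}   # first field is the flag string, e.g. ----i---------e-------
    case "$attrs" in
        *i*|*a*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Record a baseline of SHA-256 hashes for every file under DIR into OUT
# (sha256sum "hash  path" format). Do this on a known-good system and keep
# OUT somewhere the host cannot alter it.
record_baseline() {
    find "$1" -type f -exec sha256sum {} + > "$2"
}

# Check 3: verify the current files against BASELINE. Returns 0 when every
# hash matches, 1 (printing the offending entries) when any differs or is
# missing, 2 when the baseline itself is unreadable.
verify_baseline() {
    [ -r "$1" ] || return 2
    if sha256sum -c "$1" >/dev/null 2>&1; then
        return 0
    fi
    sha256sum -c "$1" 2>/dev/null | grep -v ': OK$'
    return 1
}

# Run all three checks against DIR and BASELINE; the last line printed is
# the verdict, CLEAN or SUSPICIOUS.
triage() {
    dir="$1"; baseline="$2"; findings=0
    hits=$(find_open_tty "$dir")
    if [ -n "$hits" ]; then
        echo "open_tty string found in:"; echo "$hits"
        findings=$((findings + 1))
    fi
    for f in "$dir"/bin/*; do
        [ -f "$f" ] || continue
        if has_immutable_bit "$f"; then
            echo "immutable/append-only attribute set on $f"
            findings=$((findings + 1))
        fi
    done
    if ! verify_baseline "$baseline"; then
        echo "checksum mismatch against $baseline"
        findings=$((findings + 1))
    fi
    if [ "$findings" -eq 0 ]; then echo CLEAN; else echo SUSPICIOUS; fi
}

# Constructed demonstration (not a real Apache install): take a baseline of a
# clean tree, then overwrite httpd with content carrying the indicator string.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/apache/bin"
printf 'clean httpd build\n' > "$DEMO/apache/bin/httpd"
record_baseline "$DEMO/apache" "$DEMO/baseline.sha256"
printf 'replaced httpd ... open_tty ...\n' > "$DEMO/apache/bin/httpd"
triage "$DEMO/apache" "$DEMO/baseline.sha256"
rm -rf "$DEMO"
```

In real use, point triage at the install directory (/usr/local/apache, or the directory holding /usr/sbin/httpd) and at a baseline taken before the system was exposed; the immutable check will only be meaningful on an ext2/3/4 filesystem with lsattr installed, and a verdict of CLEAN means only that none of these three indicators fired.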
