Web Design / HTML


Jennifer's Web Design / HTML Blog

By Jennifer Kyrnin, About.com Guide to Web Design / HTML since 1997

Possible security hole in Linux/Apache Web servers

Thursday January 24, 2008

If you're running an Apache Web server on Linux with a control panel overlay to help you manage your hosting service, your server may have been infected with a "mystery malware" that exploits vulnerabilities in your customers' use of QuickTime, Yahoo! Messenger, and Windows. To test whether your Web server is affected, try to create a directory whose name starts with a number:

mkdir 1

According to cPanel, "This rootkit can be cleaned by booting the server into a safe environment and moving the previous binary back in place." I would also recommend changing your root password, and the password of any user with sudo access, to a new strong password before you move the server out of the safe environment.

According to Computer World, the earliest victims were people running Web servers on large hosting companies.

Comments

January 25, 2008 at 6:58 pm
(1) Jane says:

You say to test this by creating a directory with a name starting with a number — but you don’t say what the symptoms will be if the server’s infected. Will this crash the server? Fail to run? Give an error message? I’m not clear on how I’ll know if something’s wrong.

January 27, 2008 at 3:15 pm
(2) Jennifer Kyrnin says:

Jane: I’m not really sure what any of the answers to those questions are. I just posted the note with links to the relevant sites that set up the alert in the first place.

I am not a security expert, I’m a Web developer. I feel that security of Web servers is something that all Web developers should be concerned with, so I report things like this when I find them.

From what I could gather this is a hack into the root of your server - in and of itself this won’t do anything. But it gives the hacker complete access to all your files, data, Web site, anything on that server. They could then do anything they wanted using your machine, from running a spam-bot with your machine as a zombie to posting porn on your website to taking down your entire server network.

©2009 About.com, a part of The New York Times Company.

All rights reserved.