On Thu, May 2, 2013 at 10:09 AM, Miguel Gonzalez <miguel_3_gonza...@yahoo.es> wrote:
> Dear all,
>
> I've been searching in the archives of the mailing list and I don't see
> any reference to the Cdorked.A backdoor:
>
> http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/?goback=.gde_3496714_member_236822728
>
> Does anyone know any way of detecting that the binary has been compromised?
>

Since the backdoor resides in shared memory, it can be detected by inspecting this memory region. A simple C program has been developed to check for the presence of the Cdorked.A backdoor in the shared memory; I have pasted it here:

http://apaste.info/01f9

I can't tell from experience if this has a 100% 'detection rate' for the backdoor, but it looks like a solid way of checking your server for infection.

(Credits to Marc-Etienne M.Léveillé <levei...@eset.com> for this utility)

>
> Regards,
>
> Miguel
>

--
Gr,
Mathijs
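The reply above describes detection by inspecting shared memory. The following is an added example, not the ESET utility linked in the message and not code from this thread: it lists the segments in `/proc/sysvipc/shm` and flags any whose size equals a value the operator supplies. It assumes the region is a System V segment on Linux and that the size comes from an indicator you trust; the names `parse_shm_line`, `scan_shm` and the sample row are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Fields kept from one row of /proc/sysvipc/shm (Linux). */
struct shm_seg { int shmid, cpid; unsigned perms, uid; unsigned long size, nattch; };

/* Constructed sample row (not from a real host). Column order:
 * key shmid perms size cpid lpid nattch uid gid cuid cgid atime dtime ctime rss swap */
static const char SAMPLE_ROW[] =
    "         0      32768   600      4096  1234  1300      2    33    33    33    33 0 0 0 4096 0";

/* Parse one row; returns 1 on success, 0 for the header or a malformed line. */
static int parse_shm_line(const char *line, struct shm_seg *s)
{
    int key, lpid;
    return sscanf(line, "%d %d %o %lu %d %d %lu %u", &key, &s->shmid, &s->perms,
                  &s->size, &s->cpid, &lpid, &s->nattch, &s->uid) == 8;
}

/* Print every segment read from fp; return how many have exactly want_size bytes. */
static int scan_shm(FILE *fp, unsigned long want_size)
{
    char line[512];
    struct shm_seg s;
    int hits = 0;

    while (fgets(line, sizeof line, fp)) {
        if (!parse_shm_line(line, &s))
            continue;                      /* header or unparseable row */
        int hit = (s.size == want_size);
        printf("%s shmid=%d size=%lu perms=%o uid=%u creator_pid=%d nattch=%lu\n",
               hit ? "MATCH" : "     ", s.shmid, s.size, s.perms, s.uid, s.cpid, s.nattch);
        hits += hit;
    }
    return hits;
}

int main(int argc, char **argv)
{
    /* argv[1]: segment size from your indicator; argv[2]: optional saved copy of the table. */
    if (argc < 2) {
        fprintf(stderr, "usage: %s <size-bytes> [file]\nrow format:\n%s\n", argv[0], SAMPLE_ROW);
        return 2;
    }
    FILE *fp = fopen(argc > 2 ? argv[2] : "/proc/sysvipc/shm", "r");
    if (!fp) { perror("fopen"); return 2; }
    int hits = scan_shm(fp, strtoul(argv[1], NULL, 10));
    fclose(fp);
    return hits ? 1 : 0;                   /* exit status 1 when a segment matched */
}
```

A match is only a lead: check which process `creator_pid` belongs to and whether the web server is expected to allocate a segment of that size before drawing a conclusion.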