Posted by orkutmuratyilmaz on May 9, 2013 at 8:16am
I've seen this post today:
http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-a...
It looks like something went terribly wrong.
What should we do with our servers and Drupal installations?

Comments
If I understood correctly the backdoor relies on code added to each server source. Unless you use something like CPanel or rely on nginx packages built without verifying the source package and not signed, I don't see how it can creep in.
Also be wary of the nginx-full or similar packages from Debian and Ubuntu. They have everything and the kitchen sink inside. I build my own packages and tailor the build for the task, compiling in modules on an as-needed basis. It's important to verify the source if you're building it yourself (Nginx has a key available from GnuPG servers). I would say that the safest bet is to build it yourself and sign it with your own key. Yes, it's a bit of work, but then you're certain that, unless the Nginx servers and the release signing key were both compromised, there's a slim chance of such a backdoor creeping in.
Use Samhain or a similar utility to keep an eye on the installed Nginx binary.
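As an added illustration of the "keep an eye on the installed binary" advice above (example code written for this thread, not Samhain's own code nor anything from the linked article): a minimal file-integrity checker that records a baseline of hash, size, mode and owner for a list of files and later reports what changed. The `demo()` scenario uses constructed stand-in files in a temporary directory, not a real nginx build; in practice you would point `build_baseline()` at your installed nginx binary and config after verifying the source tarball (for example with `gpg --verify` against the nginx signing key) and building it yourself, store the baseline off-host, and run the check from cron.

```python
"""Minimal Samhain-style file-integrity check (added example, not the page's code)."""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Record the attributes an integrity monitor cares about for one file."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(paths, baseline_file):
    """Fingerprint every existing path and persist the result as JSON."""
    baseline = {p: fingerprint(p) for p in paths if os.path.exists(p)}
    with open(baseline_file, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)
    return baseline


def check_against_baseline(baseline_file):
    """Compare the live filesystem with the stored baseline.

    Returns a report with three buckets: 'modified' holds (path, changed_fields)
    tuples, 'missing' holds paths that disappeared, 'unchanged' the rest.
    """
    with open(baseline_file) as fh:
        baseline = json.load(fh)
    report = {"modified": [], "missing": [], "unchanged": []}
    for path, recorded in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(path)
            continue
        current = fingerprint(path)
        changed = sorted(k for k in recorded if recorded[k] != current.get(k))
        if changed:
            report["modified"].append((path, changed))
        else:
            report["unchanged"].append(path)
    return report


def demo():
    """Constructed scenario: a stand-in binary is silently swapped, a config file vanishes."""
    workdir = tempfile.mkdtemp()
    binary = os.path.join(workdir, "nginx")      # stand-in file, not a real build
    config = os.path.join(workdir, "nginx.conf")  # stand-in file
    with open(binary, "wb") as fh:
        fh.write(b"original nginx binary contents\n")
    os.chmod(binary, 0o755)
    with open(config, "wb") as fh:
        fh.write(b"worker_processes 1;\n")
    baseline_file = os.path.join(workdir, "baseline.json")
    build_baseline([binary, config], baseline_file)

    # Replacement has the same byte length and mode, so only the hash reveals it;
    # a monitor that checked size or mtime alone could miss this.
    with open(binary, "wb") as fh:
        fh.write(b"trojaned nginx binary contents\n")
    os.chmod(binary, 0o755)
    os.remove(config)
    return check_against_baseline(baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline itself must live somewhere the server cannot rewrite (read-only media or another host), otherwise whoever replaced the binary can just regenerate it; that is also why Samhain ships a signed database and client/server mode.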
I recall that I would occasionally be accessing a "normal" site on my iPhone and then suddenly be redirected to a porn site ad, as mentioned on that page. I just figured it was some client-side pop-up which was sneaking around the blocker or something. Would have never considered a server-side exploit of the server daemon. Hasn't happened in the last six months or so though…
The Boise Drupal Guy!