BuycPanel Blog


1/16/2015 – Apache Binary Backdoors on cPanel

Posted by Jamison on 16 01 2015.

Talk about the recent wave of Apache binary backdoors hitting websites and cPanel servers is growing rapidly, yet the full severity of this virus is still hard to gauge. An Apache backdoor is not just another simple virus. The damage this attacker can do to your website goes far beyond the ordinary.


Thousands, if not millions, have fallen victim


According to current records, thousands of websites are confirmed to have been infected with the backdoor. With so many web servers and websites running Apache, the virus spreads in the blink of an eye while users remain oblivious to the attack, and this alone makes it hard for them to recognize that their servers have already been compromised.


Tricky and barely traceable


Righard Zwienenberg, a senior researcher at ESET, announced that this virus, codenamed Linux/Cdorked.A and Darkleech, is one of the most recent and most powerful intrusions against websites running on the Apache platform. What's more, it is highly resistant to detection even by high-end malware and virus scanners. The attacker communicates with the compromised system through obfuscated HTTP requests.


Darkleech's activity and history leave no footprints on your cPanel or on the hard drives of infected hosts. All of its data is kept in shared memory so that it remains undetected.


How servers are being attacked


To date there is no credible evidence of how Cdorked is being injected into servers and cPanel installations. Sucuri, a security firm that protects websites from hackers, speculated in a blog post that it could be through brute-force attacks. By analogy with how other viruses attack websites, the backdoor is said to inject code into web servers that exposes visitors to infected third-party websites. In their recent observations, Sucuri have seen attackers replace the Apache binary (httpd) with a malicious replica.


As far as the website's appearance is concerned, you won't find anything suspicious at all. The only thing you might observe is that it randomly asks about server-related matters and disguises a malicious redirect so that the activity is harder to notice.


Detection needs significant effort


While Sucuri acknowledge that detecting an Apache binary backdoor is an arduous task, spotting it with equally sophisticated malware removal tools is possible. Be advised, however, that detecting and finally removing this attacker from your cPanel takes more than a few simple commands.
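Because the attack described above replaces the httpd binary itself, one practical detection step is to compare that binary against a hash baseline recorded while the host was known to be clean. The script below is an added example, not code from this post or from ESET or Sucuri; the httpd path, the manifest location and the web-server user `nobody` are assumptions for an EasyApache 3 style cPanel host.

```sh
#!/bin/sh
# Added example, not code from the BuycPanel post, ESET or Sucuri: compare
# the Apache binary against a recorded SHA-256 baseline, ask the RPM
# database where available, and list shared-memory segments owned by the
# web-server user for triage. Paths and the user name are assumptions.

# Record the SHA-256 of a binary into a manifest. Run this on a host that
# is known to be clean and keep the manifest off the server.
record_baseline() {          # record_baseline <binary> <manifest>
    sha256sum "$1" >> "$2"
}

# Compare the binary with its recorded hash (last entry wins).
# Returns 0 on match, 1 if it differs or has no baseline entry.
verify_baseline() {          # verify_baseline <binary> <manifest>
    expected=$(awk -v f="$1" '$2 == f { h = $1 } END { print h }' "$2")
    [ -n "$expected" ] || { echo "no baseline for $1" >&2; return 1; }
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK       $1"
        return 0
    fi
    echo "CHANGED  $1 (expected $expected, got $actual)" >&2
    return 1
}

# rpm -Vf prints a line only when the installed file no longer matches its
# package. An httpd compiled by EasyApache may not be registered with rpm
# at all, so silence here is not proof of integrity.
verify_with_rpm() {          # verify_with_rpm <binary>
    command -v rpm >/dev/null 2>&1 || { echo "rpm not present" >&2; return 2; }
    rpm -Vf "$1"
}

# Cdorked is reported to keep its data in shared memory. Legitimate Apache
# modules use shared memory too, so treat this list as a lead, not a verdict.
list_web_shm() {             # list_web_shm <web-user>
    ipcs -m | awk -v u="$1" '$1 ~ /^0x/ && $3 == u'
}

main() {                     # main <binary> <manifest> <web-user>
    verify_baseline "$1" "$2"; rc=$?
    verify_with_rpm "$1" || true
    list_web_shm "$3"
    return "$rc"
}
# Assumed EasyApache 3 binary path and default 'nobody' web-server user:
#   sh check_httpd.sh /usr/local/apache/bin/httpd /root/httpd.sha256 nobody
if [ "$#" -ge 3 ]; then main "$@"; fi
```

A non-zero exit from the script means the binary no longer matches its baseline and the host should be treated as suspect until the replacement is explained.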


What can you do to protect your website, your business?


The best way to protect your company website is to ask your web provider for help, working with them to detect whether your website has been compromised and whether it is protected from Darkleech.


Indications that your cPanel or website has been attacked include the following:


  1. Its domain name usually changes.
  2. It uses this IP address:


While it is possible to detect whether your website has been compromised, ensuring high-end protection for your site is essential, as Darkleech's spread is still ongoing.