CDorked
⚠️ Overview
CDorked (ESET detection name Linux/Cdorked.A) is a backdoor for Apache HTTP servers that ESET, working with Sucuri, publicly documented in late April 2013. It is not a rootkit and not an Apache module: it is a trojanised replacement for the server's own httpd binary, and it was used to turn compromised, often high-traffic, web servers into silent redirectors that sent visitors to exploit kit landing pages. The operators were not identified in 2013; ESET's 2014 report on Operation Windigo later placed CDorked in the toolset of the group that also ran the Ebury OpenSSH backdoor.
🔧 Technical Capabilities
CDorked is installed by replacing the legitimate httpd binary with a modified build that carries the backdoor inside it; there is no LD_PRELOAD library, no loadable module and no kernel component, which is why reinstalling Apache from a trusted package removes it. ESET's analysis found that the backdoor writes nothing else to disk: its configuration and runtime state live in a shared memory segment of roughly 6 MB created by the backdoored process, and ESET released a small tool (dump_cdorked_config) to extract and decode that segment. Commands reach the backdoor as specially crafted HTTP requests to the compromised server; the backdoor recognises and handles them itself and does not write them to Apache's access or error logs, so log review alone will not reveal the operator's activity. The documented commands update the redirect configuration and open a reverse connect shell to an attacker-chosen host. For ordinary visitors the backdoor answers with an HTTP redirect to a domain serving the Blackhole exploit kit and sets a cookie so that the same browser is not redirected again. It deliberately withholds the redirect when the request URL or Referer looks like an administrative page, for certain Accept-Language values and for source addresses on a blocklist in its configuration, which keeps site owners and security researchers from seeing the malicious behaviour. ESET's write-up describes no startup script changes, anti-debugging checks or self-modifying code: persistence is simply the replaced binary, which survives restarts until the package is reinstalled.
📜 History & Notable Incidents
ESET and Sucuri identified CDorked in spring 2013 after Sucuri found replaced httpd binaries on compromised servers running the cPanel hosting control panel; ESET's telemetry at the time showed hundreds of infected web servers, and visitors to the affected sites were redirected to the Blackhole exploit kit, which delivered whatever payloads its operators chose. Within weeks ESET also found variants built into Lighttpd and nginx binaries. No CVE is associated with CDorked: it does not exploit a flaw in Apache, and replacing httpd requires root on the host. ESET did not determine the initial access vector in 2013; its 2014 Operation Windigo report tied CDorked to the same operators as the Ebury OpenSSH backdoor, which harvested SSH credentials from the servers it infected, making stolen credentials the most likely route onto the web servers.
🔍 Detection Indicators
Because the backdoor lives inside httpd and writes nothing else to disk, the most reliable indicator is a web server binary that does not match what the distribution shipped: rpm -V httpd on Red Hat derivatives or debsums apache2 on Debian derivatives reports the mismatch, and a binary that is not owned by any package at all on a host that should only use packaged software is suspicious in itself. A second indicator is an unusually large shared memory segment, roughly 6 MB, owned by the web server user and attached by the httpd worker processes, visible with ipcs -m; ESET's dump_cdorked_config tool reads that segment and prints the redirect configuration. Externally, the symptoms are visitor complaints about redirects to unrelated domains and a cookie set by a site that does not normally set one. Access logs are not a reliable source because the backdoor's command requests are never logged, and any check from the outside must look like an ordinary visitor, since the backdoor withholds the redirect from requests that resemble administrative traffic. Note that the modified libkeyutils library sometimes listed alongside CDorked is an indicator of the related Ebury backdoor, not of CDorked itself.
☠️ Risk & Impact
The primary impact falls on visitors rather than on the server's own data: the compromised site becomes a silent delivery channel for the Blackhole exploit kit, so anyone reaching it with a vulnerable browser or plugin can be infected by drive-by download, and the site's reputation suffers once browsers and security vendors start flagging it. For the server's operator the position is worse than a web defacement, because whoever installed CDorked already held root (needed to replace httpd) and has a reverse shell on demand, so every credential and data set on the host must be treated as exposed. ESET reported hundreds of infected servers in 2013, concentrated at hosting providers and spanning sites of every kind rather than any single sector.
🛡️ Mitigation
Because installing the backdoor requires root, remediation is a rebuild rather than a cleanup: reinstall httpd, or preferably the whole host, from trusted packages, and rotate every credential that was stored on or used from the server, including SSH keys and control panel passwords, since credential theft by Ebury was the likely entry point. Ongoing controls are package verification (rpm -V, debsums) and file integrity monitoring such as AIDE with a baseline taken from a clean install, prompt patching of Apache and the operating system, key-based SSH with password logins disabled and two-factor authentication wherever the hosting control panel supports it, and periodic review of shared memory segments on web servers. Signature-based network detection of CDorked command traffic is impractical because the commands are ordinary-looking HTTP requests that are never logged; instead, watch for unexpected outbound connections from httpd processes and fetch your own pages from an external vantage point with a normal browser profile, because the backdoor hides the redirect from anyone who looks like an administrator.
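The two host-side checks above, a binary whose hash no longer matches a known-good value and an oversized shared memory segment, can be scripted. The following is an added example written for this page, not ESET's dump_cdorked_config tool or any code from the original analysis. The 4 MiB threshold, the function names and the sample ipcs -m output are assumptions constructed for offline use; on a real server the expected hash should come from the distribution package rather than from the host being examined.

```shell
#!/bin/sh
# Added example: triage helpers for a suspected CDorked-style httpd backdoor.
# Not ESET's tool; threshold, names and sample data are assumptions.

# Segments larger than this (bytes) are reported. CDorked's segment was
# roughly 6 MB; 4 MiB is a hypothetical cut-off that still ignores the
# small segments databases and caches normally create.
SHM_THRESHOLD=4194304

# Constructed sample of `ipcs -m` output for offline testing. The apache
# segment is the one that should be flagged.
SAMPLE_IPCS='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 0          postgres   600        56         6
0x00000000 32769      apache     666        6118512    2
0x0000162e 65538      root       644        1024       1'

# Read ipcs -m output on stdin and print "shmid owner bytes" for every
# segment above SHM_THRESHOLD. Works on live output (ipcs -m | find_large_shm)
# and on captured text alike.
find_large_shm() {
    awk -v thr="$SHM_THRESHOLD" '
        # Data rows start with a hex key; the banner and header lines do not.
        $1 ~ /^0x/ && ($5 + 0) > (thr + 0) { print $2, $3, $5 }
    '
}

# Compare the SHA-256 of a file with an expected value.
# Returns 0 on match, 1 on mismatch. Obtain the expected value from a clean
# package (rpm -V httpd / debsums apache2 do this for you) or from a trusted
# build, never from the possibly compromised host.
verify_binary() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Demonstration on the constructed sample: ./triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "Large shared memory segments (shmid owner bytes):"
    printf '%s\n' "$SAMPLE_IPCS" | find_large_shm
    # Live equivalent:  ipcs -m | find_large_shm
    # Binary check:     verify_binary /usr/sbin/httpd <known-good-sha256>
fi
```

The segment test is a coarse filter, not proof of compromise: a large segment owned by the web server user is only worth investigating when the server has no legitimate module that allocates one, and the binary check is only as good as the source of the expected hash.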
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.