If your website uses the Apache, nginx, and Lighttpd Web servers, it may be under a malware attack. Your site may also be sharing that malware with your customers. As Ars Technica explained:
Linux/Cdorked.A, as the malicious backdoor behind the attacks is known, has been observed infecting at least 400 Web servers, 50 of them from the Alexa top 100,000 ranking, researchers from antivirus provider ESET said. The backdoor infects sites running the Apache, nginx, and Lighttpd Web servers and has already exposed almost 100,000 end users running Eset software to attack (the AV apps protect them from infection). Because ESET sees only a small percentage of overall Internet users, the actual number of people affected is presumed to be much higher.
The malware had been affecting primarily Apache servers for some time now. The discovery that the malware is more widespread than originally thought came days ago. Understanding the specifics of the malware – how it works, where it came from – is a work in progress. In fact, ESET’s Marc-Etienne M. Leveille wrote:
We still don’t know for sure how this malicious software was deployed on the web servers. We believe the infection vector is not unique. . . . One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software. Linux/Cdorked.A is a backdoor, used by malicious actor to serve malicious content from legitimate websites.
What the malware does is modify Web server binaries on targeted sites, and then the malicious binary will redirect users to a malicious site, one that loaded with the Blackhole exploit kit.
Users of iPhones and iPads are also affected by this malware, only mobile users are sent to porn sites.
The malware is only run on servers and is not downloaded to the hard drive. Researchers say it can be detected, but I haven’t come across any suggestions on how to avoid the malware or to fix the problem. That will come eventually, as researchers get a better understanding of the malware. And we are only getting reports from one security company. Are others seeing the malware problem as well?
This looks like a story that we’ll need to keep watching to see how it unfolds.