Comments on: Malicious Apache module used for content injection: Linux/Chapro.A http://www.welivesecurity.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a/ News, Views, and Insight from the ESET Security Community Mon, 03 Feb 2014 08:49:00 +0000 hourly 1 http://wordpress.org/?v=3.7 By: Stephen Cobb http://www.welivesecurity.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a/#comment-3872 Fri, 22 Feb 2013 02:45:00 +0000 http://blog.eset.com/?p=16171#comment-3872 Sylvain — Thanks for the offer. Please send it to us by the following method (starting at point #2): http://kb.eset.com/esetkb/index?page=content&id=SOLN141

]]>
By: Sylvain Thibault http://www.welivesecurity.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a/#comment-3869 Thu, 21 Feb 2013 07:12:00 +0000 http://blog.eset.com/?p=16171#comment-3869 I just found a version on my host under mod_load_mime.so was loaded from perl.conf. LMK if you want the file for investigation.

]]>
By: David Harley http://www.welivesecurity.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a/#comment-3818 Thu, 20 Dec 2012 14:44:48 +0000 http://blog.eset.com/?p=16171#comment-3818 Looks as if it’s the same module as discussed at http://eromang.zataz.com/2012/12/20/isnt-linuxchapro-a-only-darkleech-apache-module/ and http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/: we’ve only just become aware of those posts. So there’s no indication at this point of evolution.

]]>
By: David Harley http://www.welivesecurity.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a/#comment-3817 Thu, 20 Dec 2012 14:38:29 +0000 http://blog.eset.com/?p=16171#comment-3817 I’m not aware of any comment made by Apache. I don’t know how many banks use Apache server – quite a lot, I suspect – but we only know of one compromised in this way, at present.

]]>
By: David Harley http://www.welivesecurity.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a/#comment-3816 Thu, 20 Dec 2012 14:37:07 +0000 http://blog.eset.com/?p=16171#comment-3816 Erik, we can’t be sure at present. See my later blog http://blog.eset.com/2012/12/20/malicious-apache-module-a-clarification.

]]>
By: Pierre-Marc Bureau http://www.welivesecurity.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a/#comment-3815 Thu, 20 Dec 2012 14:09:42 +0000 http://blog.eset.com/?p=16171#comment-3815 As pointed out here: http://eromang.zataz.com/2012/12/20/isnt-linuxchapro-a-only-darkleech-apache-module/ it appears that what we call Linux/Chapro.A has already been publicly discussed here http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/by UnmaskParasites.

We were not aware of this material before publishing this blog.  Thank you Eric Romang for pointing this out.

]]>
By: Med http://www.welivesecurity.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a/#comment-3814 Thu, 20 Dec 2012 11:44:02 +0000 http://blog.eset.com/?p=16171#comment-3814 Hello,
thank you for these informations, i ask if there any reaction from APach foudation,
and if there statistics about number of banques using apache server ?
And thank you again

]]>
By: erik http://www.welivesecurity.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a/#comment-3813 Thu, 20 Dec 2012 11:43:52 +0000 http://blog.eset.com/?p=16171#comment-3813 How does this malicious Apache module get on the linux webserver?
 

]]>
By: Andrew http://www.welivesecurity.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a/#comment-3812 Wed, 19 Dec 2012 15:44:26 +0000 http://blog.eset.com/?p=16171#comment-3812 Hello,
 
Do you know if the sample(s) you have found are significantly different than those found a few months ago? (i.e. ). It would be interesting to see if the malware is evolving its capabilities.

]]>