{
	"id": "4b357ed0-a92d-4f97-af2f-034edd49a299",
	"created_at": "2026-04-06T00:12:27.649226Z",
	"updated_at": "2026-04-10T03:21:57.432947Z",
	"deleted_at": null,
	"sha1_hash": "aadb6cdab02f240825c4fe4e75bdb715a856afb0",
	"title": "Linux/CDorked FAQs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68171,
	"plain_text": "Linux/CDorked FAQs\r\nBy Mary Landesman\r\nPublished: 2013-05-01 · Archived: 2026-04-05 15:24:07 UTC\r\nLast Friday (April 26), ESET and Sucuri simultaneously blogged about the discovery of Linux/CDorked, a backdoored Apache binary found on servers running cPanel. Since that announcement there has been some confusion about the exact nature of these attacks. Rather than reinvent the analysis that has already been done, this post is intended to clear up some of that confusion.\r\nWhen did Linux/CDorked first appear?\r\nAccording to Cisco TRAC analysis, the first encounter was on March 4, 2013.\r\nHow is Linux/CDorked related to DarkLeech?\r\nThe appearance of Linux/CDorked coincided with a drop in the number of DarkLeech infections, which suggests the same attacker(s) may be behind both.\r\nUnlike DarkLeech, the Linux/CDorked infections observed so far have targeted only Apache servers with cPanel installed. DarkLeech, by contrast, was found on servers running a variety of control panels, or none at all.\r\nWhy are cPanel installs being targeted?\r\nThat cPanel installs are targeted does not imply the attackers are exploiting a vulnerability in cPanel to gain access. Rather, Linux/CDorked exploits the fact that cPanel does not use a packaging system to install Apache: there is no package manifest against which a modified httpd binary can be verified (on a packaged install, a check such as rpm -V or debsums would flag the replaced file). This, along with some logging differences, makes the backdoor much harder to detect on Apache servers running cPanel, which is key to its success.\r\nHow are attackers gaining access to the host servers?\r\nHow the attackers are gaining root access in the first place is a separate matter and still unresolved. They may have stolen login credentials via phishing, through a local infection on an administrator's management system, or simply by brute-force guessing the login.\r\nWho are the compromised hosts?\r\nThe compromised host servers observed thus far have all been smaller, less mainstream providers. This is another contrast with DarkLeech, which netted some significantly sized hosting providers.\r\nHow many websites have been affected?\r\nWhile there have been thousands of encounters with Linux/CDorked injected sites, decoding the base64-encoded URLs carried in the redirects reveals only a few hundred compromised sites, unlike DarkLeech, which affected thousands of innocent websites.\r\nThe size (number of impacted websites) is not the whole story, however. The Linux/CDorked attacks appear to work in concert with local Trojan Medfos infections. The Medfos family of Trojans installs browser extensions that automatically redirect search results when they are clicked. As a result, 37% of the encounters with Linux/CDorked injected sites have come via searches performed on Google, Bing, and Yahoo.\r\nWhat exploits are involved?\r\nThe Linux/CDorked attackers are using Blackhole exploit kit v4. When a web surfer clicks through a link to one of the sites hosted on a compromised server, the visited URL is base64 encoded before the request is handed off to the malware domain. The exploits we have observed have been a mix of known PDF and Java exploits; no zero-days. Thus far, all observed malware domains (the actual redirect destinations) track back to 7 unique IP addresses:\r\n94.23.48.114\r\n62.212.130.115\r\n178.17.41.212\r\n109.123.66.30\r\n94.242.251.151\r\n94.23.47.211\r\n87.229.26.138\r\nReference Links:\r\nLinux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole\r\nApache Binary Backdoors on Cpanel-based servers\r\nMalicious Apache Linux/Cdorked.A Trojan in Compromised Web Servers\r\nAdmin beware: Attack hitting Apache websites is invisible to the naked eye\r\nApache DarkLeech Compromises\r\nSource: https://blogs.cisco.com/security/linuxcdorked-faqs",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blogs.cisco.com/security/linuxcdorked-faqs"
	],
	"report_names": [
		"linuxcdorked-faqs"
	],
	"threat_actors": [],
	"ts_created_at": 1775434347,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aadb6cdab02f240825c4fe4e75bdb715a856afb0.pdf",
		"text": "https://archive.orkl.eu/aadb6cdab02f240825c4fe4e75bdb715a856afb0.txt",
		"img": "https://archive.orkl.eu/aadb6cdab02f240825c4fe4e75bdb715a856afb0.jpg"
	}
}
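Worked example, added here by the editor and not code from the Cisco article, ESET or Sucuri. The article makes two operational points a responder can act on: requests to the seven listed redirect IPs mark an encounter, and the visited (compromised) site is base64-encoded into the request to the malware domain, so decoding those URLs collapses thousands of encounters into a few hundred unique sites. The script below does both over a constructed proxy log. Everything beyond the seven IPs is an assumption: the log format (`<time> <client> <dest_ip> <method> <url> <status>`), the placement of the encoded URL (somewhere in the path or a query value), the base64 variant (standard tried first, URL-safe as fallback), and the example hostnames and tokens.

```python
"""Triage proxy logs for Linux/CDorked redirect traffic.

Added example; not from the Cisco article or the ESET/Sucuri reports. The
log format, the position of the base64 token in the redirect URL and the
sample hostnames are assumptions made for this illustration.
"""
import base64
import binascii
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Redirect destination IPs listed in the article (Cisco TRAC, 2013-05-01).
CDORKED_REDIRECT_IPS = frozenset({
    "94.23.48.114", "62.212.130.115", "178.17.41.212", "109.123.66.30",
    "94.242.251.151", "94.23.47.211", "87.229.26.138",
})

# Runs of base64 characters (standard or URL-safe alphabet), 16+ chars long.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{16,}")


def _strict_b64decode(text):
    return base64.b64decode(text, validate=True)


def decode_embedded_url(token):
    """Return the http(s) URL a base64 token encodes, or None.

    Padding is normalised, the standard alphabet is tried strictly first and
    the URL-safe alphabet second (which variant CDorked used is assumed).
    """
    core = token.rstrip("=")
    padded = core + "=" * (-len(core) % 4)
    for decoder in (_strict_b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if text.startswith(("http://", "https://")):
            return text
    return None


def _token_candidates(text):
    """Yield base64 candidates from a path or query value.

    A standard-alphabet token may itself contain '/', so a path such as
    /r/aHR0... is matched together with the segment before it; the suffix
    after each '/' is therefore tried as well.
    """
    for match in _B64_TOKEN.finditer(text):
        token = match.group(0)
        yield token
        idx = token.find("/")
        while idx != -1:
            yield token[idx + 1:]
            idx = token.find("/", idx + 1)


def referring_sites(request_url):
    """Hostnames of compromised sites encoded in one redirect request."""
    parts = urlsplit(request_url)
    texts = [unquote(parts.path)]
    texts += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    hosts = set()
    for text in texts:
        for token in _token_candidates(text):
            url = decode_embedded_url(token)
            if url and urlsplit(url).hostname:
                hosts.add(urlsplit(url).hostname)
                break  # one encoded URL per path/value is enough
    return hosts


def triage(log_lines):
    """Return (encounters with listed IPs, Counter of compromised hostnames)."""
    encounters = 0
    sites = Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip
        dest_ip, url = fields[2], fields[4]
        if dest_ip not in CDORKED_REDIRECT_IPS:
            continue
        encounters += 1
        for host in referring_sites(url):
            sites[host] += 1
    return encounters, sites


# Constructed sample log: hostnames and tokens are made up for this example.
SAMPLE_LOG = [
    "2013-04-29T10:02:11Z 10.0.0.5 94.23.48.114 GET "
    "http://94.23.48.114/r/aHR0cDovL3d3dy5leGFtcGxlLWhvc3QuY29tLw== 302",
    "2013-04-29T10:02:19Z 10.0.0.7 62.212.130.115 GET "
    "http://62.212.130.115/index.php?u=aHR0cDovL3d3dy5leGFtcGxlLWhvc3QuY29tL3Nob3Av&v=1 302",
    "2013-04-29T10:03:40Z 10.0.0.9 178.17.41.212 GET "
    "http://178.17.41.212/aHR0cDovL3Nob3AudGVzdC1ob3N0Lm5ldC8%3D 302",
    "2013-04-29T10:04:02Z 10.0.0.5 203.0.113.10 GET http://203.0.113.10/news 200",
    "2013-04-29T10:05:55Z 10.0.0.8 94.23.47.211 GET http://94.23.47.211/favicon.ico 404",
]

if __name__ == "__main__":
    count, sites = triage(SAMPLE_LOG)
    print(f"{count} encounters with listed redirect IPs")
    for host, hits in sites.most_common():
        print(f"  {hits} hit(s) traced back to compromised site {host}")
```

Run against the sample, four of the five lines are encounters (one is a listed IP with nothing decodable, which is why encounter counts overstate the problem), but they trace back to only two compromised hosts. On a real proxy log the IP match and the decoding step would be fed from the article's list and the actual redirect URL layout respectively; both are the parts most likely to need adjustment.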