Aliases
Linux/Cdorked.A, Darkleech
Tags
Backdoor, Linux
Incidents
References
https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/
https://www.virusbulletin.com/conference/vb2014/abstracts/ebury-and-cdorked-full-disclosure/
https://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/
Last edited
Feb 19, 2025 2:15 PM
Cdorked (Linux/Cdorked.A) is a backdoor built into a trojanized copy of the web server binary on Linux hosts. It was first found in modified Apache httpd binaries and later in Lighttpd and Nginx builds. The backdoored server selectively redirects visitors to sites hosting exploit kits such as Blackhole while leaving none of the attacker's requests in the server's access or error logs. Its configuration and state are kept in a shared memory segment rather than on disk, so the only on-disk artifact is the modified server binary itself. Attackers update the configuration and issue commands through specially crafted, obfuscated HTTP requests, which gives them dynamic control over redirection rules, targets and exclusions (for example, requests whose URL looks like an administrator's are not redirected, and a visitor who has already been redirected is marked with a cookie and not served again); a special request can also open a reverse connect-back shell. Cdorked was one component of Operation Windigo, alongside the Ebury OpenSSH backdoor that provided access to the servers and the Calfbot spam bot; the operation compromised tens of thousands of servers to serve malware and send spam.

Practical checks: because the server binary on disk is modified, package integrity verification (rpm -V, dpkg --verify) flags it even though logs show nothing; the shared-memory configuration can be located with ipcs -m and dumped from the segment for analysis.
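The two checks above as a triage script. This is an added example and not ESET's tooling or code from the page; it assumes the web server was installed from a distro package (rpm or dpkg) and that util-linux ipcs(1) is available. The owner-account list and the 4 MiB size threshold are assumptions chosen for illustration, not documented Cdorked constants.

```shell
#!/bin/sh
# Added example: triage checks for a Cdorked-style backdoor (not ESET's tool).
# Assumptions: web server installed from an rpm or dpkg package; ipcs(1) from
# util-linux. Threshold and owner list below are assumed, not from the malware.

SHM_THRESHOLD_BYTES=${SHM_THRESHOLD_BYTES:-4194304}   # 4 MiB (assumed)

# Verify the on-disk web server binaries against package manager metadata.
# Cdorked keeps its configuration in shared memory, but the backdoored
# httpd/nginx/lighttpd binary itself lives on disk and fails verification.
verify_web_server_binaries() {
    for bin in /usr/sbin/httpd /usr/sbin/apache2 /usr/sbin/nginx /usr/sbin/lighttpd; do
        [ -x "$bin" ] || continue
        if command -v rpm >/dev/null 2>&1 && rpm -qf "$bin" >/dev/null 2>&1; then
            # Any verification flag on the binary's line means it differs from the package.
            rpm -V "$(rpm -qf "$bin")" | grep -q " $bin\$" && echo "MODIFIED $bin"
        elif command -v dpkg >/dev/null 2>&1; then
            pkg=$(dpkg -S "$bin" 2>/dev/null | cut -d: -f1)
            [ -n "$pkg" ] && dpkg --verify "$pkg" 2>/dev/null | grep -q " $bin\$" \
                && echo "MODIFIED $bin"
        fi
    done
}

# Read `ipcs -m` output from stdin and print shared memory segments that are
# larger than the threshold and owned by a web server account. Cdorked's
# configuration segment is several megabytes and belongs to the httpd user.
flag_large_shm() {
    awk -v thr="$SHM_THRESHOLD_BYTES" '
        # util-linux ipcs -m columns: key shmid owner perms bytes nattch status
        /^0x/ && $5+0 >= thr && $3 ~ /^(apache|www-data|nginx|lighttpd|httpd)$/ {
            print "SUSPECT shmid=" $2 " owner=" $3 " bytes=" $5 " nattch=" $6
        }'
}

# Run both checks on the live host: sh cdorked-triage.sh --run
case "${1:-}" in
    --run)
        verify_web_server_binaries
        ipcs -m | flag_large_shm
        ;;
esac
```

A flagged segment can then be dumped (for example from /proc/PID/mem of an attached worker, or with a small shmat program) and inspected for the redirection configuration; a clean package verification does not rule out compromise if the attacker replaced the package itself, so compare hashes against the vendor's package as well.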