Doorways Sneak To Non-Default Ports of Hacked Servers 63
UnmaskParasites writes "To drive traffic to their online stores, software pirates hack reputable legitimate websites injecting hidden spammy links and creating doorway pages. Google's search results are seriously poisoned by such doorways. Negligence of webmasters of compromised sites makes this scheme viable — doorways remain unnoticed for years. Not so long ago, hackers began to re-configure Apache on compromised servers to make them serve doorway pages off of non-default ports, still taking advantage of using established domain names."
Re:Firewall (Score:4, Interesting)
No need to access or change the normal Apache config.
Usually they just spawn a new apache process as the hacked user with something like apache2 -d /tmp/haxorsite -c "listen 13675" ...
Suffice to gain user shell access and inject some content te serve.
Thats why any decent hosting provider uses some front end servers, eventually with mod_security, so the back-end cluster has very restricted network setup only able to talk to the front servers.