Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# This script dumps the content of a shared memory block
# used by Linux/Cdorked.A into a file named httpd_cdorked_config.bin
# when the machine is infected.
# Some of the data is encrypted. If your server is infected and you
# would like to help, please send the httpd_cdorked_config.bin
# to our lab for analysis. Thanks!
# Marc-Etienne M.Léveillé <>
from ctypes import *
SHM_SIZE = 6118512
SHM_KEY = 63599
rt = CDLL('')
rt = CDLL('')
shmget = rt.shmget
shmget.argtypes = [c_int, c_size_t, c_int]
shmget.restype = c_int
shmat = rt.shmat
shmat.argtypes = [c_int, POINTER(c_void_p), c_int]
shmat.restype = c_void_p
shmid = shmget(SHM_KEY, SHM_SIZE, 0o666)
if shmid < 0:
print "System not infected"
addr = shmat(shmid, None, 0)
f = file(OUTFILE, 'wb')
print "Dumped %d bytes in %s" % (SHM_SIZE, OUTFILE)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment