Web servers are being hacked through injected false Apache modules and SSH backdoors. The hackers are not exploiting security weaknesses in the system; instead, they are stealing login information from the web servers.
This attack caused several alterations to web server files, including httpd.conf and the files under /etc/httpd/conf.d. The changes can be difficult to detect because they are random and change often. The SSH binaries were also changed, allowing the hackers to extract users' credentials. Replacing these files preserves the hackers' access to the web server: even after the administrator has changed the password, the hackers can regain control of the affected servers.
In addition, what makes the false Apache module blend in is that it has the same timestamp as the genuine modules. This is possible because Apache modules can be quite easy to tamper with. The infection can also be complex, which makes it even harder to detect.
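Since a matching timestamp says nothing about a module's contents, an integrity check has to compare hashes instead. The following is an added example, not code from the original article: it audits the `LoadModule` lines found in httpd.conf and conf.d files against a baseline of SHA-256 hashes. It assumes the baseline was recorded from a known-clean install; the function names, module names and file contents are constructed for illustration.

```python
import hashlib, os, re, tempfile
from pathlib import Path
# Active (uncommented) directives of the form: LoadModule <identifier> <file>
LOADMODULE = re.compile(r"^[ \t]*LoadModule[ \t]+(\S+)[ \t]+(\S+)", re.I | re.M)

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit_modules(conf_texts, server_root, baseline):
    """baseline maps module path (relative to server_root) -> known-good SHA-256."""
    findings = []
    for conf, text in sorted(conf_texts.items()):
        for ident, rel in LOADMODULE.findall(text):
            path = Path(server_root, rel)
            if rel not in baseline:
                reason = "module not in baseline"
            elif not path.is_file():
                reason = "module file missing"
            elif sha256_file(path) != baseline[rel]:
                reason = "hash differs from baseline"
            else:
                continue
            findings.append((conf, ident, rel, reason))
    return findings

def demo():
    """Constructed data: one module replaced with its mtime restored, one extra module."""
    with tempfile.TemporaryDirectory() as root:
        mods = Path(root, "modules")
        mods.mkdir()
        baseline = {}
        for name in ("mod_alias.so", "mod_dir.so"):
            (mods / name).write_bytes(b"genuine " + name.encode())
            baseline["modules/" + name] = sha256_file(mods / name)
        target = mods / "mod_dir.so"
        before = target.stat()
        target.write_bytes(b"altered mod_dir.so")  # simulated replacement
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        same_mtime = target.stat().st_mtime_ns == before.st_mtime_ns
        (mods / "mod_extra.so").write_bytes(b"not in the clean install")
        confs = {
            "httpd.conf": "LoadModule alias_module modules/mod_alias.so\n"
                          "LoadModule dir_module modules/mod_dir.so\n"
                          "#LoadModule old_module modules/mod_old.so\n",
            "conf.d/extra.conf": "LoadModule extra_module modules/mod_extra.so\n",
        }
        return same_mtime, audit_modules(confs, root, baseline)

if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the replaced module keeps its original modification time, yet the audit still reports it along with the module that the baseline does not list.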
Some online forums have mentioned that this may be related to DarkLeech, but it is still undetermined whether the SSH backdoor is an additional component. Information is now available online that shows how it works and what is infected. However, how the hackers gain root access has not yet been identified.
The bottom line: if you see any suspicious changes in the SSH binaries, this is a warning! To make sure that your server is not compromised further, it is better to reinstall the system so that the authentic Apache modules and SSH binaries are restored, just to be on the safe side.