
Re: debian wheezy i386 nginx iframe rootkit



On Sep 11, 2013, at 18:48, E Frank Ball III <frankb@efball.com> wrote:

> Last fall there was a debian 64-bit / nginx rootkit going around,
> now I've been hit with what sounds similar but on 32-bit wheezy.
>
> Here's a link to info on the previous 64-bit rootkit:
> https://www.securelist.com/en/blog/208193935/New_64_bit_Linux_Rootkit_Doing_iFrame_Injections

What you describe is exactly what was reported to full-disclosure here:

http://seclists.org/fulldisclosure/2012/Nov/94

They also say this escalates into a kernel module and you know the deal.

Can't trust the machine, and unless you have the resources to spare, why bother looking for the rootkit?

Like someone else already said, wipe it clean, even the BIOS, and when you install the OS use something like tripwire/aide to keep a known good state of the system in some other location. The idea being that you could detect what changed if it were to happen again.
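To make the tripwire/aide suggestion above concrete, here is an added, self-contained example (not part of the original thread, and not the code of AIDE or Tripwire) of the underlying idea: take a baseline of content hashes and ownership/permission bits for every file under a directory, store it somewhere the compromised host cannot rewrite, and later diff a fresh scan against it. All file names and contents below are constructed for the demo; `demo()` builds a small tree in a temporary directory, baselines it, tampers with it the way an iframe-injecting rootkit would (replaces a binary, drops a new kernel-module file, removes a file, and adds a setuid bit) and returns the resulting report.

```python
"""Minimal file-integrity baseline and comparison in the AIDE/Tripwire style.
Added example; the names below (build_baseline, compare, demo) are this
example's own, not AIDE's or Tripwire's API."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and record, for each regular file, the attributes an intruder
    must change to swap in a trojaned binary: content hash, mode bits, owner, size.
    Symlinks are recorded by target so a redirected link is also caught."""
    root = Path(root)
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order makes two baselines comparable by eye
        for name in sorted(filenames):
            full = Path(dirpath) / name
            st = os.lstat(full)  # lstat: do not follow symlinks
            rel = full.relative_to(root).as_posix()
            if stat.S_ISLNK(st.st_mode):
                entries[rel] = {"type": "symlink", "target": os.readlink(full)}
            elif stat.S_ISREG(st.st_mode):
                entries[rel] = {
                    "type": "file",
                    "sha256": _sha256(full),
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "uid": st.st_uid,
                    "size": st.st_size,
                }
    return entries


def save_baseline(entries, path):
    """Write the baseline as JSON; in practice this goes to read-only or off-host storage."""
    Path(path).write_text(json.dumps(entries, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Report files that appeared, disappeared, or whose recorded attributes changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        diffs = {k: (old.get(k), new.get(k))
                 for k in set(old) | set(new) if old.get(k) != new.get(k)}
        if diffs:
            modified[rel] = diffs
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a fake tree, tamper with it, diff against the stored baseline."""
    with tempfile.TemporaryDirectory() as host, tempfile.TemporaryDirectory() as store:
        root = Path(host)
        (root / "sbin").mkdir()
        (root / "lib").mkdir()
        (root / "sbin" / "sshd").write_bytes(b"original sshd bytes")    # constructed content
        (root / "sbin" / "login").write_bytes(b"original login bytes")  # constructed content
        (root / "lib" / "libc.so").write_bytes(b"libc")                  # constructed content

        # Baseline taken right after install and kept in a separate location ("store").
        save_baseline(build_baseline(root), Path(store) / "baseline.json")

        # Simulated compromise (all constructed): same-size trojaned binary,
        # one file removed, a new module dropped in, a setuid bit added.
        (root / "sbin" / "sshd").write_bytes(b"trojaned sshd bytes")
        (root / "sbin" / "login").unlink()
        (root / "lib" / "unexpected.ko").write_bytes(b"module")
        os.chmod(root / "lib" / "libc.so", 0o4755)

        return compare(load_baseline(Path(store) / "baseline.json"), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Note that the trojaned `sshd` keeps the same size, so a size-only check would miss it while the hash catches it, and `libc.so` keeps its content but gains a setuid bit, which only the recorded mode bits reveal. The weak point of the whole scheme is the baseline file itself: if it lives on the compromised host, a rootkit can simply rewrite it, which is why the advice above is to keep it in some other location.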

