Re: debian wheezy i386 nginx iframe rootkit

Quoting E Frank Ball III (frankb@efball.com):

> Last fall there was a debian 64-bit / nginx rootkit going around,
> now I've been hit with what sounds similar but on 32-bit wheezy.

I hope you're aware that -- at least in the standard usage of the word
'rootkit' -- a rootkit doesn't 'go around', but rather is a set of
concealment software an intruder installs after breaking in via other
means, in order to hide his/her presence and processes.

> Here's a link to info on the previous 64-bit rootkit:
> https://www.securelist.com/en/blog/208193935/New_64_bit_Linux_Rootkit_Doing_iFrame_Injections

Article cites Crowdstrike Blog as its source of information but then
gives the incorrect URL.  Here's the correct one: 
http://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/index.html

(Note that the page concludes that the means of entry and escalation to 
root access in the host studied is unknown.)

> This machine was built on July 19th.  I've uninstalled nginx. I'll hold
> off rebuilding for now, maybe somebody here has some ideas?

Well, for starters, if you think the machine has been root compromised,
you really cannot trust data gathered from the live system.
