On Sep 11, 2013, at 18:48, E Frank Ball III <[email protected]> wrote:
> Last fall there was a Debian 64-bit / nginx rootkit going around,
> now I've been hit with what sounds similar but on 32-bit wheezy.
>
> Here's a link to info on the previous 64-bit rootkit:
> https://www.securelist.com/en/blog/208193935/New_64_bit_Linux_Rootkit_Doing_iFrame_Injections
>

What you describe is exactly what was reported to full-disclosure here:
http://seclists.org/fulldisclosure/2012/Nov/94

They also say this escalates into a kernel module, and you know the deal: you can't trust the machine, and unless you have the resources to spare, why bother looking for the rootkit. Like someone else already said, wipe it clean, even the BIOS, and when you install the OS use something like tripwire/aide to keep a known good state of the system in some other location. The idea being that you could detect what changed if it were to happen again.

