On Thu, Sep 12, 2013 at 07:15:57PM +0900, Joel Rees wrote:
> > > The lynx web browser shows this as the first line of the web pages:
> >
> Local on the machine in question or external?

External.

> > IFRAME: http://122.226.137.123:1111/yixi.exe
> >
> > It also appears in downloads using wget.
> > "view source" in firefox or chrome show nothing amiss.

External. I figure firefox and chrome discard the new line, since it's
not appropriate before the doctype.

> > It only appears on IPv4, not IPv6.
>
> Again, are the browsers local to the machine in question or accessing
> from the network?

External.

> Okay, so, if it isn't something on an external box hijacking the IP
> address of the box in question, it's a local process or set of
> processes hijacking port 80 and trying unsuccessfully to be a
> pass-through proxy.

Yes. The same as the rootkit in 64-bit squeeze last year.

> How much time/resources can you afford to spend on trying to pin the
> intrusion vector down?
>
> Although, I'd hesitate to use the box for anything important, even
> after a complete wipe/install, unless the BIOS can be safely restored
> from a write-protected backup image. And I'd try to be careful enough
> during the install that if the exploit were repeated, I'd notice
> immediately and thus be able to pin the thing more closely.
>
> Maybe build the server as a VM and take snapshots as you go. Or
> rebuild it on a different machine, with the old server reboot from a
> live CD before each major step and use the tools on the live CD to
> take the snapshots.
>
> --
> Joel Reese

This is a KVM virtual machine in a datacenter. No BIOS. I can wait a
few days to rebuild. It's off right now, I'm not going to trust it for
anything.

E Frank Ball
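The symptom discussed in this message (a line prepended to every port 80 response, visible to lynx and wget but cleaned away by graphical browsers, and present over IPv4 only) can be checked for without a browser at all. The following is an added example, not code from the list thread or from either poster: it fetches a page raw over a chosen address family, reports anything sent ahead of the real start of the HTML document, compares the IPv4 and IPv6 answers, and parses `ss -ltnp` output so that an unexpected process bound to port 80 stands out. The sample response bodies, the address 203.0.113.5, the process name `proxyhelper` and the sample `ss` output are constructed for illustration and are assumptions of this example.

```python
"""Added example (not from the list thread): spot bytes injected ahead of the
real HTML document, compare IPv4 vs IPv6, and see who is bound to port 80."""
import re
import socket
import sys
from typing import Dict, List, Optional, Tuple

# A real HTML document begins with one of these tokens.  Anything before the
# first one is a prefix the origin server did not send (the thread's
# "IFRAME: http://.../yixi.exe" line).  Browsers silently drop such a line
# before the doctype, which is why "view source" showed nothing.
HTML_START = re.compile(rb"<!doctype|<!--|<html|<\?xml", re.IGNORECASE)
SUSPICIOUS = re.compile(rb"iframe|https?://|\.exe\b|<script", re.IGNORECASE)
SS_PROC = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

# Constructed sample bodies: CLEAN as the server sends it, BAD with a line
# prepended by a rogue proxy (203.0.113.5 is a documentation address).
CLEAN = b"<!DOCTYPE html>\n<html><body>hello</body></html>\n"
BAD = b"IFRAME: http://203.0.113.5:1111/payload.exe\n" + CLEAN

# Constructed `ss -ltnp` output: an unknown process owns 0.0.0.0:80 while
# the real web server only holds [::]:80, matching an "IPv4 only" symptom.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:80        0.0.0.0:*         users:(("proxyhelper",pid=4242,fd=3))
LISTEN 0      128    [::]:80           [::]:*            users:(("apache2",pid=1111,fd=6))
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=700,fd=3))
"""


def document(body: bytes) -> bytes:
    """The body from the first legitimate HTML start token onwards."""
    m = HTML_START.search(body)
    return body[m.start():] if m else body


def injected_prefix(body: bytes) -> Optional[bytes]:
    """Bytes preceding the first HTML start token, or None if there are none."""
    m = HTML_START.search(body)
    prefix = body[: m.start()] if m else body
    prefix = prefix.lstrip(b"\xef\xbb\xbf")  # a UTF-8 BOM is not an injection
    return prefix if prefix.strip() else None


def suspicious_lines(body: bytes) -> List[str]:
    """Prefix lines that look like injected markup or a download lure."""
    prefix = injected_prefix(body)
    if prefix is None:
        return []
    return [ln.decode("latin-1").strip() for ln in prefix.splitlines()
            if SUSPICIOUS.search(ln)]


def compare_families(v4_body: bytes, v6_body: bytes) -> Dict[str, object]:
    """Is the difference between transports only an injected prefix?"""
    return {
        "ipv4_injected": suspicious_lines(v4_body),
        "ipv6_injected": suspicious_lines(v6_body),
        "same_document": document(v4_body) == document(v6_body),
    }


def parse_ss_listeners(ss_output: str, port: int = 80) -> List[Tuple[str, str, int]]:
    """(local address, process name, pid) for every LISTEN socket on `port`."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        if local.rsplit(":", 1)[-1] != str(port):
            continue
        m = SS_PROC.search(line)
        name, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        found.append((local, name, pid))
    return found


def fetch_raw(host: str, path: str = "/", family: int = socket.AF_INET,
              port: int = 80, timeout: float = 5.0) -> bytes:
    """GET a page over one address family and return the raw body bytes,
    with none of the clean-up a browser applies (what lynx and wget saw)."""
    info = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0]
    with socket.socket(info[0], info[1], info[2]) as s:
        s.settimeout(timeout)
        s.connect(info[4])
        req = f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        s.sendall(req.encode())
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    return raw.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in raw else raw


if __name__ == "__main__":
    # Usage: python check_injection.py www.example.org   (run from a clean host)
    host = sys.argv[1]
    print(compare_families(fetch_raw(host, family=socket.AF_INET),
                           fetch_raw(host, family=socket.AF_INET6)))
```

Run it from a machine you trust, not from the suspect box, since a compromised host can lie about its own sockets. On the suspect box itself, `ss -ltnp` (or `netstat -ltnp`) piped into `parse_ss_listeners` shows which process answers on each family; a name you do not recognise on 0.0.0.0:80 next to the real web server on [::]:80 is the kind of thing the thread's "IPv4 only" observation points at, though a rootkit may hide its own sockets, which is why rebuilding rather than cleaning is the sensible call.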

