
New Linux Rootkit


#1 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:10:34 PM

Posted 03 December 2012 - 09:51 PM

Security researchers have discovered what appears to be an experimental Linux rootkit designed to infect its highly select victims during a classic drive-by website attack. The malware allows hackers to inject code directly into any infected web page. The new malware, discovered on November 13 of this year, was written especially for 64-bit servers that run Debian Squeeze and NGINX.
Read more at http://thehackernews.com/2012/12/new-linux-rootkit-attacks-internet-users.html#y4LjTgCBXMO4yeOT.99

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook



#2 DarkSnake-Kobra


  • Members
  • 633 posts
  • Gender:Male
  • Location:Iowa, USA
  • Local time:10:34 PM

Posted 05 December 2012 - 09:51 PM

Interesting. The problem is that this only works on 64-bit versions of Squeeze that run the Linux kernel 2.6.32-5-amd64. I don't see this working as long as hired administrators are doing their jobs and keeping the server updated. The number of impacted servers should be very minimal (I hope, that is).

Edited by DarkSnake-Kobra, 05 December 2012 - 09:51 PM.

#3 Minh Triet Pham Tran


  • Members
  • 110 posts
  • Gender:Male
  • Local time:10:34 PM

Posted 22 December 2012 - 11:38 AM

The original disclosure from Full Disclosure mailing list:
Full Disclosure: linux rootkit in combination with nginx

Some technical research links:
CrowdStrike: HTTP iframe Injecting Linux Rootkit
New 64-bit Linux Rootkit Doing iFrame Injections - Securelist
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. Bruce Schneier
