geekhack

Site Announcements and Feedback => Announcements/Feedback/Suggestions => Topic started by: sth on Wed, 21 November 2012, 19:53:39

Title: heads up, nginx exploit
Post by: sth on Wed, 21 November 2012, 19:53:39
http://www.h-online.com/open/news/item/Rootkit-infects-Linux-web-servers-1753969.html

Title: Re: heads up, nginx exploit
Post by: alaricljs on Wed, 21 November 2012, 21:17:40
While that's interesting, it does not indicate that nginx is the culprit. Whatever infected his system is using kernel modules and root-level processes to hijack data between nginx and the NIC. It would probably do the same thing with Apache.

So until someone serious figures out the infection vector, this is just some dude that got pwned in an unknown way.
Title: Re: heads up, nginx exploit
Post by: sth on Wed, 21 November 2012, 21:21:48
Sorry, I kind of smushed that all together.
It's either a buggy or replaced kernel module that they were able to get on the system, or exploit on a system that already had it, and then load it when it is needed. Then, to actually take advantage of the rootkit, they were able to exploit a different hole in nginx.

I know this stuff is usually very focused in the *nix world compared to Windows servers. I also don't know, or care to know, anything about the hardware/software that GH runs on, but it's hard not to know that the site runs on top of nginx when we see timeouts from time to time :)

The reason I was a bit alarmed and decided to post was that it affects a very stable kernel (the one used in deb6). Creative destruction!
Title: Re: heads up, nginx exploit
Post by: alaricljs on Wed, 21 November 2012, 21:33:05
What hole in nginx?  It's sticking code in the network handling part of the kernel.  Has nothing to do with nginx.
Title: Re: heads up, nginx exploit
Post by: sth on Wed, 21 November 2012, 21:37:10
From what I gathered, they were serving up malware pages using nginx. No mention of other webservers.

If you don't think it's a big deal, I trust you :)
Title: Re: heads up, nginx exploit
Post by: alaricljs on Wed, 21 November 2012, 21:49:29
deeper in it is explained that nginx was producing the correct response and it was mangled inside the kernel between nginx and the network stack.
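The thread's point is that the malicious code sits in the kernel, in the path between nginx and the network stack, so the place to look on a box like this is the loaded kernel module list rather than the web server. The script below is an added example (not from the thread, the linked article, or any project) of two cheap checks a practitioner would run first: loaded modules that have no .ko file under the running kernel's module tree, and modules that still have a /sys/module entry but are missing from /proc/modules. It assumes a Linux host with /proc/modules, /sys/module and /lib/modules/$(uname -r); the function names and the `--scan` flag are this example's own. Both checks are heuristics: a rootkit that also scrubs sysfs or forges /proc output will pass them, so a clean result rules nothing out.

```shell
#!/bin/sh
# Added example: heuristic checks for an unexpected or hidden kernel module.
# Paths are parameters so the functions can be exercised on constructed data.

# unpackaged_modules PROC_MODULES MODULES_DIR
#   Prints each module named in PROC_MODULES (the format of /proc/modules,
#   module name in column 1) for which no NAME.ko exists under MODULES_DIR.
#   A module installed with the kernel package has its .ko under
#   /lib/modules/$(uname -r); one insmod'ed from /tmp or a deleted file does not.
unpackaged_modules() {
    proc_modules=$1
    modules_dir=$2
    awk '{print $1}' "$proc_modules" | while read -r name; do
        # Module names use '_' where the file name may use '-'; accept either.
        alt=$(printf '%s' "$name" | tr '_' '-')
        found=$(find "$modules_dir" -name "$name.ko" -o -name "$alt.ko" 2>/dev/null | head -n 1)
        if [ -z "$found" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# hidden_modules PROC_MODULES SYS_MODULE_DIR
#   Prints entries of SYS_MODULE_DIR that carry an initstate file (present for
#   loaded modules, absent for built-in code) but do not appear in PROC_MODULES.
#   A module that unlinks itself from the kernel's module list to hide from
#   lsmod commonly leaves its sysfs directory behind.
hidden_modules() {
    proc_modules=$1
    sys_module=$2
    for d in "$sys_module"/*/; do
        [ -f "$d/initstate" ] || continue
        name=$(basename "$d")
        grep -q "^$name " "$proc_modules" || printf '%s\n' "$name"
    done
}

# Stand-alone use against the live system: sh modcheck.sh --scan
if [ "${1:-}" = "--scan" ]; then
    echo "== loaded modules with no .ko under /lib/modules/$(uname -r) =="
    unpackaged_modules /proc/modules "/lib/modules/$(uname -r)"
    echo "== modules in /sys/module missing from /proc/modules =="
    hidden_modules /proc/modules /sys/module
fi
```

Anything either check prints deserves a look with `modinfo`, the module's `/sys/module/NAME/` contents and the package database before the box is trusted again; an in-kernel rootkit cannot be verified away from inside the running kernel, so a hit should be followed by an offline examination of the disk rather than further poking from a shell on the host.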
Title: Re: heads up, nginx exploit
Post by: sth on Wed, 21 November 2012, 21:53:14
> deeper in it is explained that nginx was producing the correct response and it was mangled inside the kernel between nginx and the network stack.

Got it. I've been paging back to the exploit analysis in between work stuff and getting a better picture of it.
I raise the alarm as soon as I see smoke, no fire necessary :P
Title: Re: heads up, nginx exploit
Post by: SmallFry on Thu, 22 November 2012, 12:29:31
Somebody PM iMav, I know he runs nginx.
Title: Re: heads up, nginx exploit
Post by: sth on Thu, 22 November 2012, 14:52:51
It's not an nginx exploit afawk :p
Title: Re: heads up, nginx exploit
Post by: mkawa on Fri, 23 November 2012, 09:39:31
who says we're even running deb6?