Author Topic: heads up, nginx exploit (Read 5074 times)

sth · « **on:** Wed, 21 November 2012, 19:53:39 »

http://www.h-online.com/open/news/item/Rootkit-infects-Linux-web-servers-1753969.html

alaricljs · « **Reply #1 on:** Wed, 21 November 2012, 21:17:40 »

While that's interesting it does not indicate that nginx is the culprit. Whatever infected his system is using kernel modules and root level processes to hijack data between nginx and the NIC. Would probably do the same thing with apache.

So until someone serious figures out the infection vector, this is just some dude that got pwned in an unknown way.

sth · « **Reply #2 on:** Wed, 21 November 2012, 21:21:48 »

sorry i kind of smushed that all together.
it's either a buggy or replaced kernel module that they were able to get on the system or exploit on a system that already had it, and then load it when it is needed. then, to actually take advantage of the rootkit they were able to exploit a different hole in nginx.

i know this stuff is usually very focused in the nix world compared to windows servers. i also don't know or care to know anything about the hardware/software that GH runs on but it's hard not to know that the site runs on top of nginx when we see timeouts from time to time

the reason i was a bit alarmed and decided to post was because it affects a very stable kernel (the one used in deb6). creative destruction!

alaricljs · « **Reply #3 on:** Wed, 21 November 2012, 21:33:05 »

What hole in nginx? It's sticking code in the network handling part of the kernel. Has nothing to do with nginx.

sth · « **Reply #4 on:** Wed, 21 November 2012, 21:37:10 »

from what i gathered they were serving up malware pages using nginx. no mention of other webservers.

if you don't think it's a big deal I trust you

alaricljs · « **Reply #5 on:** Wed, 21 November 2012, 21:49:29 »

deeper in it is explained that nginx was producing the correct response and it was mangled inside the kernel between nginx and the network stack.

sth · « **Reply #6 on:** Wed, 21 November 2012, 21:53:14 »

Quote from: alaricljs on Wed, 21 November 2012, 21:49:29

deeper in it is explained that nginx was producing the correct response and it was mangled inside the kernel between nginx and the network stack.

got it. i've been paging back to the exploit analysis in between work stuff and getting a better picture of it.
i raise the alarm as soon as i see smoke, no fire necessary

SmallFry · « **Reply #7 on:** Thu, 22 November 2012, 12:29:31 »

Somebody PM iMav, I know he runs nginx.

sth · « **Reply #8 on:** Thu, 22 November 2012, 14:52:51 »

It's not an nginx exploit afawk

mkawa · « **Reply #9 on:** Fri, 23 November 2012, 09:39:31 »

who says we're even running deb6?

News:

Author Topic: heads up, nginx exploit (Read 5074 times)

sth

heads up, nginx exploit

alaricljs

Re: heads up, nginx exploit

sth

Re: heads up, nginx exploit

alaricljs

Re: heads up, nginx exploit

sth

Re: heads up, nginx exploit

alaricljs

Re: heads up, nginx exploit

sth

Re: heads up, nginx exploit

SmallFry

Re: heads up, nginx exploit

sth

heads up, nginx exploit

mkawa

Re: heads up, nginx exploit