I have a standard vmbr0 setup with only containers that use venet devices.
One container with its own IP address has a webserver where I detected that it answers requests with a javascript redirect and can act like a proxy to the webserver itself.
I thought and hoped only the container is infected and created a new one and changed IPs. But the problem is there. I then completely shut down the container associated with that IP address.
But if I do web requests to the now offline container it still responds and returns a small HTML and javascript snippet from time to time. If not, it still sends 302 redirect headers.
So I guess it must be the host that is infected. Of course I cannot trust any command in that case (netstat, lsof; checksecurity, chkrootkit, rkhunter). They don't show anything listening on port 80. Of course there is the apache for proxmox GUI itself. But I guess it does this differently. The system is up-to-date apt-wise and the problem persists after rebooting.
Do you have any tips or recommendations on how to further investigate? I would like to get to know more before installing everything from scratch and not knowing how they entered the system.
*** UPDATE
"They" replaced spiceproxy with a version of their own that acts as an open proxy. Firewall prohibits port 3128 but they managed to keep it open.
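An added example to go with the investigation question above (my own script, not code from the thread or from Proxmox): a small POSIX sh script that reads the socket table the kernel exposes in /proc/net/tcp instead of trusting the netstat/lsof binaries, flags listeners outside an allow list, and checks a binary such as the replaced spiceproxy against a SHA-256 taken from a freshly downloaded copy of its package. The allow list (22 and 8006), the sample socket table and the hash are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Reads the kernel's socket table
# directly (/proc/net/tcp and /proc/net/tcp6 on a real host) instead of the
# netstat/lsof binaries, which may have been replaced on a compromised host.

# listen_ports FILE: decimal local ports of sockets in LISTEN state (st == 0A)
listen_ports() {
    # fields: sl local_address rem_address st ...; local_address is HEXIP:HEXPORT
    tail -n +2 "$1" | while read -r _sl laddr _rem st _rest; do
        [ "$st" = "0A" ] || continue
        echo $(( 0x${laddr##*:} ))
    done | sort -n | uniq
}

# unexpected_listeners FILE "p1 p2 ...": listening ports not on the allow list
unexpected_listeners() {
    allowed=" $2 "
    listen_ports "$1" | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;          # a service we configured
            *) echo "$port" ;;       # something we did not configure
        esac
    done
}

# verify_hash FILE SHA256: succeeds only if FILE hashes to the known-good value
# (take the hash from a freshly downloaded package, never from the suspect host)
verify_hash() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# make_sample: constructed /proc/net/tcp content (not captured from any host):
# listeners on 22, 8006, 3128 and 80, plus one established connection (st 01)
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F46 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0C38 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 100 0 0 10 0
   4: 0A000002:0016 0A000005:C3E2 01 00000000:00000000 02:00000000 00000000     0        0 1005 2 0000000000000000 20 4 30 10 -1
EOF
    echo "$f"
}

# Assumed allow list for this host: ssh and the 8006 GUI; prints 80 and 3128
sample=$(make_sample)
unexpected_listeners "$sample" "22 8006"
rm -f "$sample"
```

If the kernel itself is compromised, /proc can lie as well; in that case the only trustworthy view is the disk inspected from a clean boot medium.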