Maybe you have noticed that this page loads faster than before – especially faster than it did the last two weeks or so. Maybe you wonder too, why there was this downtime at the end of march.
I won’t go into many details, but gnegg.ch (and a whole lot of other stuff) is now running on a brand new server (slightly faster machine) with Gentoo Linux using a 2.6.4 Kernel.
This due to some sucker hacking into the older machine last march, installing a quite destabilizing rootkit (thanks for that… this lead me to notice the crack quite fast…), modifying a lot of html-files and php.ini so that nearly every page served contained a IFRAME utilizing a IE exploit to install some kind of dialer (the IFRAME linked to forced-action.com). The wonderful and gratifying work of this unknown and soooo cool guy caused me to return home from vacation to do some rescuing work.
This is not the usual stinking phpNuke-Exploit (we were not running any phpNuke anyway) as this would not lead to a rootkit getting installed.
Again: Many thanks for your “hard work”, dear anonymous hacker. You got me the much needed opportunity to finally install Gentoo. And not only that: You even got me a faster Server to work on (to prevent any further downtime during reinstallation of the new OS). Now that this episode finally has come to an end, I will have a look at those disk-images I took from the compromised machine. Let’s see what I find out.