Rootkit hack in tokao's server

October 28, 2010

Well, sorry tokao have been offline few hours.

After rebooting the server after a year or so, I noticed weird things, like “who”  and “top” were not working, some directories were not there (like the log one), cpu was 100% all times… yeap, tokao server was compromised on the 26th of October, so yesterday after taking a careful look at what have been done, I closed all ports to the manchine and tonight I have migrated tokao to another more secure server.

Tokao was running on centOS and the rootkit was done via a hole in my old apache. The server was at home with a big UPS and 1Mb DSL upstream, enough for tokao. I had secured ssh with webknock.

Well after 8 years, this is the perfect excuse to upgrade my old CentOS to the newest Ubuntu.

Now tokao is in a VPS Ubuntu machine with the latest updates… while I decide where to host it. I have not tested all. I see that some stuff still does not work (like url rewrite). Working on it 😉

.

1 comment

  1. Comment by dani

    dani Reply October 28, 2010 at 11:01 am

    To allow url rewrite in the .htaccess should be:

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index.php$ – [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    Then:
    sudo a2enmod rewrite
    Then restart apache:
    sudo /usr/sbin/apache2ctl graceful

Leave a reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Go top