[Operators] Jabber.sk - stolen ejabberd databases

Peter Viskup skupko.sk at gmail.com
Fri Aug 31 13:59:10 UTC 2012


On 08/31/2012 12:24 PM, Mathias Ertl wrote:
> Hi Peter,
>
> On Fri, Aug 31, 2012 at 02:01:06AM +0200, Peter Viskup wrote:
>> let me inform you that all internal ejabberd databases of the server
>> jabber.sk were stolen. Please inform us in case you face
>> any suspicious activity from jabber.sk accounts. We have already
>> performed an infrastructure inventory and it looks like they were
>> interested only in the ejabberd databases.
>> The attacker used IP 188.126.79.56, which is registered in Sweden, and one
>> local system account was compromised.
>> I will inform you once I have some other important information for you.
> Did you find out how the attacker gained access?  Was any Jabber software
> used to gain access?
>
> greetings, Mati
>
Hi Mathias and all,
at this time we do not have evidence of any Jabber software being used to 
gain access. They used a weakness in our hosting infrastructure to access 
some of our systems. But until now we do not know how they reached the ejabberd 
databases, and the investigation is still ongoing.
It looks like they were interested only in the ejabberd databases, as they 
didn't break any hosting service despite having got root access on one of 
our systems.
It could be related to the activities of Syrian people using our server in 
the last months.
I am going to contact the owner of that IP and ask them for help in getting more 
information about this break-in attempt.

--
Peter
