On 08/31/2012 12:24 PM, Mathias Ertl wrote:
> Hi Peter,
>
> On Fri, Aug 31, 2012 at 02:01:06AM +0200, Peter Viskup wrote:
> > let me inform you that all internal ejabberd databases of server
> > jabber.sk were stolen. Please inform us in case you face
> > any suspicious activity from jabber.sk accounts. We already
> > performed an infrastructure inventory and it looks like they were
> > interested only in ejabberd databases.
> > The attacker used IP 188.126.79.56, which is registered in Sweden, and one
> > local system account was compromised.
> > We will inform you once we have some other important information for you.
>
> Did you find out how the attacker gained access?  Was any Jabber software
> used to gain access?
>
> greetings, Mati

Hi Mathias and all,
at this time we do not have evidence about any Jabber software used to gain access. They used a weakness in our hosting infrastructure to access some of our systems. But so far we do not know how they reached the ejabberd databases, and the investigation is still ongoing. It looks like they were interested only in ejabberd databases, as they didn't break any hosting service despite getting root access on one of our systems. It could be related to activities of Syrian people using our server in recent months. I am going to contact the owner of that IP and ask them for help to get more information about this break attempt.

--
Peter
