Hello Peter, which services are you running on this host? Maybe there are still some artefacts. For compromised servers you can try this one: http://rootkit.nl/projects/rootkit_hunter.html

regards, Frz

On Aug 31, 2012, at 3:59 PM, Peter Viskup <[email protected]> wrote:

> On 08/31/2012 12:24 PM, Mathias Ertl wrote:
>> Hi Peter,
>>
>> On Fri, Aug 31, 2012 at 02:01:06AM +0200, Peter Viskup wrote:
>>> Let me inform you that all internal ejabberd databases of the server
>>> jabber.sk were stolen. Please inform us in case you are facing
>>> any suspicious activity from jabber.sk accounts. We already
>>> performed an infrastructure inventory and it looks like they were
>>> interested only in the ejabberd databases.
>>> The attacker used IP 188.126.79.56, which is registered in Sweden, and one
>>> local system account was compromised.
>>> We will inform you once we have some other important information for you.
>> Did you find out how the attacker gained access? Was any Jabber software
>> used to gain access?
>>
>> greetings, Mati
>>
> Hi Mathias and all,
> at this time we do not have evidence of any Jabber software being used to gain
> access. They used a weakness in our hosting infrastructure to access some of
> our systems. But we do not know yet how they reached the ejabberd databases
> and the investigation is still ongoing.
> It looks like they were interested only in the ejabberd databases as they didn't
> break any hosting service even though they got root access on one of our systems.
> It could be related to the activities of Syrian people using our server in the last
> months.
> I am going to contact the owner of that IP and ask them for help to get more
> information about this break-in attempt.
>
> --
> Peter
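The thread names one concrete lead (the attacker's source address 188.126.79.56) and one compromised local account. The first thing a responder does with that across the rest of the hosting infrastructure is trace the address through every host's auth logs: failed and accepted SSH logins from it, which accounts it got into, whether those accounts then became root, and whether the same accounts later logged in elsewhere from other addresses. The script below is an added example written for this thread, not something posted by Frz, Peter or the jabber.sk team; the auth.log lines are constructed (OpenSSH/sudo syslog format is assumed), and the host and account names in them are invented.

```python
import re

# Source address named in the thread as the attacker's IP.
ATTACKER_IP = "188.126.79.56"

# Constructed sample auth.log lines, NOT from jabber.sk. The format assumed
# here is the usual OpenSSH and sudo syslog output; hostnames (web1, db1)
# and accounts (backup, peter) are invented for the example.
SAMPLE_AUTH_LOG = """\
Aug 30 22:41:07 web1 sshd[2117]: Failed password for invalid user admin from 188.126.79.56 port 51234 ssh2
Aug 30 22:41:12 web1 sshd[2117]: Failed password for invalid user admin from 188.126.79.56 port 51234 ssh2
Aug 30 22:43:55 web1 sshd[2130]: Accepted password for backup from 188.126.79.56 port 51302 ssh2
Aug 30 22:44:02 web1 sudo:   backup : TTY=pts/1 ; PWD=/home/backup ; USER=root ; COMMAND=/bin/bash
Aug 31 01:12:19 db1 sshd[884]: Accepted publickey for backup from 10.0.0.11 port 44010 ssh2
Aug 31 01:15:40 db1 sshd[901]: Accepted publickey for peter from 10.0.0.5 port 41118 ssh2
"""

# sshd "Accepted"/"Failed" lines; "invalid user" is present for unknown accounts.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)
# sudo lines where the target user is root.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : .*USER=root"
)


def parse(log_text):
    """Yield (kind, fields) for each recognised line; unrelated lines are skipped."""
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            yield "ssh", m.groupdict()
            continue
        m = SUDO_RE.match(line)
        if m:
            yield "sudo", m.groupdict()


def triage(log_text, attacker_ip):
    """Trace one source address through merged auth logs from several hosts.

    Returns how many logins it failed, which accounts and hosts it got into,
    which of those accounts escalated to root via sudo, and any later logins
    of those accounts from *other* addresses (a sign the attacker pivoted
    with a stolen key or password rather than a sign of a second attacker).
    """
    events = list(parse(log_text))
    ssh = [f for k, f in events if k == "ssh"]
    failed = [f for f in ssh if f["result"] == "Failed" and f["ip"] == attacker_ip]
    accepted = [f for f in ssh if f["result"] == "Accepted" and f["ip"] == attacker_ip]
    accounts = {f["user"] for f in accepted}
    entry_hosts = {f["host"] for f in accepted}
    escalations = [f for k, f in events if k == "sudo" and f["user"] in accounts]
    pivots = [f for f in ssh
              if f["result"] == "Accepted" and f["user"] in accounts and f["ip"] != attacker_ip]
    return {
        "failed_attempts": len(failed),
        "compromised_accounts": accounts,
        "entry_hosts": entry_hosts,
        "root_escalations": [(f["host"], f["user"]) for f in escalations],
        "pivots": [(f["host"], f["user"], f["ip"]) for f in pivots],
    }


if __name__ == "__main__":
    # On real systems: cat /var/log/auth.log* from every host into one file
    # first, then run triage() over it with the address from the thread.
    for key, value in triage(SAMPLE_AUTH_LOG, ATTACKER_IP).items():
        print(f"{key}: {value}")
```

Two caveats a practitioner would add: once the attacker has root on a box, its local logs can no longer be trusted (rkhunter, as Frz suggests, helps with on-disk artefacts but not with deleted log lines), so collect from a central syslog target or from the hosts the attacker did not reach; and the pivot check only catches reuse of the same account name, so a stolen SSH key reused under a different local account needs a key-fingerprint comparison instead.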
