Hi, neko.im had a similar experience about a year ago, though I'm unsure if anything was actually stolen. They broke in via www - presumably some old and insecure PHP, from IP 83.149.126.66, which, if I recall correctly, was owned by a datacentre in Sweden at that time. I filed an abuse notice, but never heard anything back.
I haven't heard of any suspicious activity from jabber.sk, though two of my users have reported suspicious activity on their own accounts - might have taken the hackers this long, I suppose. If anyone hears anything, please do let me know.

The mass-MUC creation from Syria is well known to me, I've had to block room-creation from non-local users.

Sincerely,
Nulani.

On 1 September 2012 14:00, <[email protected]> wrote:
> Send Operators mailing list submissions to
> [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://mail.jabber.org/mailman/listinfo/operators
> or, via email, send a message with subject or body 'help' to
> [email protected]
>
> You can reach the person managing the list at
> [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Operators digest..."
>
>
> Today's Topics:
>
> 1. Re: Jabber.sk - stolen ejabberd databases (Mathias Ertl)
> 2. Re: Jabber.sk - stolen ejabberd databases (Peter Viskup)
> 3. Re: Jabber.sk - stolen ejabberd databases (Friedrich Kron)
> 4. Re: Jabber.sk - stolen ejabberd databases (Mathias Ertl)
> 5. Re: Jabber.sk - stolen ejabberd databases (Peter Saint-Andre)
> 6. Re: Jabber.sk - stolen ejabberd databases (Thomas Camaran)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 31 Aug 2012 12:24:55 +0200
> From: Mathias Ertl <[email protected]>
> To: [email protected]
> Subject: Re: [Operators] Jabber.sk - stolen ejabberd databases
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Peter,
>
> On Fri, Aug 31, 2012 at 02:01:06AM +0200, Peter Viskup wrote:
>> let me inform you all internal ejabberd databases of server
>> jabber.sk were stolen. Please inform us in case you will be facing
>> any suspicious activity from jabber.sk accounts. We already
>> performed infrastructure inventory and it looks like they were
>> interested only in ejabberd databases.
>> Attacker used IP 188.126.79.56 which is registered in Sweden and one
>> local system account was compromised.
>> Will inform you once will have some other important information for you.
>
> Did you find out how the attacker gained access? Was any Jabber software
> used to gain access?
>
> greetings, Mati
>
> --
> I only read plain text mail! I prefer pgp|gpg signed & encrypted mails!
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 198 bytes
> Desc: Digital signature
> URL:
> <http://mail.jabber.org/pipermail/operators/attachments/20120831/2bfad3cb/attachment-0001.pgp>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 31 Aug 2012 15:59:10 +0200
> From: Peter Viskup <[email protected]>
> To: [email protected]
> Subject: Re: [Operators] Jabber.sk - stolen ejabberd databases
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 08/31/2012 12:24 PM, Mathias Ertl wrote:
>> Hi Peter,
>>
>> On Fri, Aug 31, 2012 at 02:01:06AM +0200, Peter Viskup wrote:
>>> let me inform you all internal ejabberd databases of server
>>> jabber.sk were stolen. Please inform us in case you will be facing
>>> any suspicious activity from jabber.sk accounts. We already
>>> performed infrastructure inventory and it looks like they were
>>> interested only in ejabberd databases.
>>> Attacker used IP 188.126.79.56 which is registered in Sweden and one
>>> local system account was compromised.
>>> Will inform you once will have some other important information for you.
>> Did you find out how the attacker gained access? Was any Jabber software
>> used to gain access?
>>
>> greetings, Mati
>>
> Hi Mathias and all,
> at this time we do not have evidence about any Jabber software used to
> gain access. They used weakness in our hosting infrastructure to access
> some of our systems.
> But we do not know how they reached ejabberd
> databases till now and the investigation is still ongoing.
> It looks like they were interested only in ejabberd databases as they
> didn't break any hosting service despite they got root access on one of
> our systems.
> It could be related to activities of syrian people using our server on
> last months.
> I am going to contact owner of that IP and ask them for help to get more
> information about this break attempt.
>
> --
> Peter
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 31 Aug 2012 16:10:34 +0200
> From: Friedrich Kron <[email protected]>
> To: XMPP Operators Group <[email protected]>
> Subject: Re: [Operators] Jabber.sk - stolen ejabberd databases
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=us-ascii
>
> Hello Peter,
>
> which services are you running at this host, maybe there are still some
> artefacts? for compromised servers you can try this one ..
> http://rootkit.nl/projects/rootkit_hunter.html
>
> regards, Frz
>
>
> On Aug 31, 2012, at 3:59 PM, Peter Viskup <[email protected]> wrote:
>
>> On 08/31/2012 12:24 PM, Mathias Ertl wrote:
>>> Hi Peter,
>>>
>>> On Fri, Aug 31, 2012 at 02:01:06AM +0200, Peter Viskup wrote:
>>>> let me inform you all internal ejabberd databases of server
>>>> jabber.sk were stolen. Please inform us in case you will be facing
>>>> any suspicious activity from jabber.sk accounts. We already
>>>> performed infrastructure inventory and it looks like they were
>>>> interested only in ejabberd databases.
>>>> Attacker used IP 188.126.79.56 which is registered in Sweden and one
>>>> local system account was compromised.
>>>> Will inform you once will have some other important information for you.
>>> Did you find out how the attacker gained access? Was any Jabber software
>>> used to gain access?
>>>
>>> greetings, Mati
>>>
>> Hi Mathias and all,
>> at this time we do not have evidence about any Jabber software used to gain
>> access.
>> They used weakness in our hosting infrastructure to access some of
>> our systems. But we do not know how they reached ejabberd databases till now
>> and the investigation is still ongoing.
>> It looks like they were interested only in ejabberd databases as they didn't
>> break any hosting service despite they got root access on one of our systems.
>> It could be related to activities of syrian people using our server on last
>> months.
>> I am going to contact owner of that IP and ask them for help to get more
>> information about this break attempt.
>>
>> --
>> Peter
>
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 31 Aug 2012 17:23:03 +0200
> From: Mathias Ertl <[email protected]>
> To: XMPP Operators Group <[email protected]>
> Subject: Re: [Operators] Jabber.sk - stolen ejabberd databases
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="utf-8"
>
> On Fri, Aug 31, 2012 at 03:59:10PM +0200, Peter Viskup wrote:
>> It could be related to activities of syrian people using our server
>> on last months.
>
> We have seen massive abuse from Syrian and Russian IPs, (i.e. mass-MUC
> creation), where they claimed to be Syrian. This was already discussed
> off-list. If they start attacking servers, this gets to a whole new level!
>
> greetings, Mati
>
> --
> I only read plain text mail! I prefer pgp|gpg signed & encrypted mails!
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 198 bytes
> Desc: Digital signature
> URL:
> <http://mail.jabber.org/pipermail/operators/attachments/20120831/51fd1c34/attachment-0001.pgp>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 31 Aug 2012 09:31:10 -0600
> From: Peter Saint-Andre <[email protected]>
> To: XMPP Operators Group <[email protected]>
> Subject: Re: [Operators] Jabber.sk - stolen ejabberd databases
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=UTF-8
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 8/31/12 9:23 AM, Mathias Ertl wrote:
>> On Fri, Aug 31, 2012 at 03:59:10PM +0200, Peter Viskup wrote:
>>> It could be related to activities of syrian people using our
>>> server on last months.
>>
>> We have seen massive abuse from Syrian and Russian IPs, (i.e.
>> mass-MUC creation), where they claimed to be Syrian. This was
>> already discussed off-list. If they start attacking servers, this
>> gets to a whole new level!
>
> Agreed.
>
> At jabber.org we recently experienced some massive DoS attacks. We
> still have not verified the source or purpose of those attacks.
>
> Peter
>
> - --
> Peter Saint-Andre
> https://stpeter.im/
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>
> iEYEARECAAYFAlBA2L4ACgkQNL8k5A2w/vyzdQCgh/dRHsRpzOIra2n9mXDDG5Gt
> S78AoIR//SftUlzWmQ4y53MMayNx08rI
> =gE4V
> -----END PGP SIGNATURE-----
>
>
> ------------------------------
>
> Message: 6
> Date: Fri, 31 Aug 2012 17:36:47 +0200
> From: Thomas Camaran <[email protected]>
> To: XMPP Operators Group <[email protected]>
> Subject: Re: [Operators] Jabber.sk - stolen ejabberd databases
> Message-ID:
> <CAMsUAdGaS720fF0r=bs=aywsaz5zx62auknm1dajtalrfkb...@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> hi,
> in chatme.im I saw anomalous traffic from jabber.ru
>
> 2012/8/31 Peter Saint-Andre <[email protected]>:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 8/31/12 9:23 AM, Mathias Ertl wrote:
>>> On Fri, Aug 31, 2012 at 03:59:10PM +0200, Peter Viskup wrote:
>>>> It could be related to activities of syrian people using our
>>>> server on last months.
>>>
>>> We have seen massive abuse from Syrian and Russian IPs, (i.e.
>>> mass-MUC creation), where they claimed to be Syrian. This was
>>> already discussed off-list. If they start attacking servers, this
>>> gets to a whole new level!
>>
>> Agreed.
>>
>> At jabber.org we recently experienced some massive DoS attacks. We
>> still have not verified the source or purpose of those attacks.
>>
>> Peter
>>
>> - --
>> Peter Saint-Andre
>> https://stpeter.im/
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
>> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>>
>> iEYEARECAAYFAlBA2L4ACgkQNL8k5A2w/vyzdQCgh/dRHsRpzOIra2n9mXDDG5Gt
>> S78AoIR//SftUlzWmQ4y53MMayNx08rI
>> =gE4V
>> -----END PGP SIGNATURE-----
>
>
> ------------------------------
>
> _______________________________________________
> Operators mailing list
> [email protected]
> http://mail.jabber.org/mailman/listinfo/operators
>
>
> End of Operators Digest, Vol 54, Issue 1
> ****************************************
