[ISN] Root kit surfaces after Jabber attack

InfoSec News isn at c4i.org
Thu Feb 3 01:12:34 EST 2005


By John Leyden
2nd February 2005 

The Jabber Software Foundation (JSF) - the open source instant
messaging organisation - has advised developers to check their code,
after discovering that a hack attack against its website was more
serious than first suspected.

An audit conducted on JSF's web servers after an intrusion two weeks
ago revealed a root kit on a machine hosting both the jabber.org
website and the JabberStudio service. Subsequent investigations
revealed the machine (hades.jabber.org) had been compromised for more
than a year. The affected machine has been rebuilt and fully locked

Dynamically generated pages were disabled on the site and the
JabberStudio service was temporarily suspended as a precaution after
JSF detected the January assault. JSF Executive Director Peter
Saint-Andre said in a recent update that Jabber.org will restore its
website to normal operation when it is satisfied that there is no
security risk.

Developers are urged to validate their code as a precaution. However,
evidence suggests that other servers in the jabber.org infrastructure
(such as the production Jabber server or the mailing list server) were
unaffected by the security breach. Neither does much mischief seem to
have been perpetrated on the compromised server.

It's rare, but not unprecedented, for malicious hackers to load
backdoors onto the web servers of application developers. Crackers
owned the primary file servers of the GNU Project for five months in
2003, the Free Software Foundation admitted.

In May 2001, infamous cracker Fluffy Bunny bragged that he had
compromised the systems of the Apache Project. In October 2000,
Microsoft's systems were comprehensively compromised by a cracker
using the QAZ Trojan. Weeks later Microsoft's core web sites were
again 0wn3d in an attack that went beyond the usual web page
