Downtime/Security issue update

Posted by Sephiroth on 2013-05-09 22:51:39 UTC

Last month we elaborated on the downtime of a number of our services from approximately 1st April - 9th April 2013. We revealed that the downtime was a result of our admins identifying "suspicious activity" surrounding our primary server.

Three days ago, a hacking group published a document detailing some of their latest activities. In it, they claim that SwiftIRC servers were targeted because they believed that a rival group may be using our network for their own communication. The document goes on to detail how the group compromised some high profile targets including Linode and its domain registrar, all in an effort to gain access to SwiftIRC servers and consequently the unnamed rival group.

We can confirm that SwiftIRC uses Linode to host a variety of our services, and that in the early hours of April 1st 2013 we were alerted to suspicious activity on our primary server (specifically, an unexpected reboot). While investigating the cause of this reboot we also became locked out of our Linode management account. At this point we requested assistance from Linode, and thankfully they were able to rapidly investigate and disable our compromised account as well as shut down the affected server to prevent any further damage.

With the server offline and assumed secure for the time being, we began attempting to discover the root cause of this security compromise. Unfortunately, we were unable to find any explanation for the compromise through the expected channels (an admin's home computer being compromised etc.).

During our post-mortem we were also able to identify the activity that took place on our compromised server during the approximately 20 minute window that it was accessed. It appears that in addition to gathering basic information on the server itself, the attacker was attempting to create some sort of backdoor into our server as well as create a compressed archive of various locations on our server, apparently intending to retrieve it at a later date from our own web site.

However, based on what we have been able to determine, the attempts to retrieve any of our internal or user data were unsuccessful through this vector due to the limited amount of time that the server was accessible. While it appeared that the server was not irrevocably compromised, we decided to err on the side of caution and keep it offline while preparing a brand new server installation.

With regard to the allegation that this security compromise (as well as that of our service provider) was related to a "rival group" using our services, we have conducted a basic analysis of our current user base and concluded that the majority of our users and channels are legitimate. Obviously it is entirely possible for users to create private channels and discuss any subject -- controversial or not -- without oversight or knowledge from the network staff or users in general. This is a result of SwiftIRC's size and diversity, and while it is regrettably possible for a small number of users to cause trouble for the network at large, we do not believe that this is a fair reflection of SwiftIRC or its users in general.

This overall situation, if reported accurately, is concerning for us as it is unlike anything else we have seen in our 8+ years of operation. With this eye-opener on the sorts of unwanted attention our network could conceivably receive, we will endeavour to refine our own security policies and practices so that we are in a better position to avoid any further issues of this nature.

We would like to thank you for your understanding and continued support for SwiftIRC.

- The SwiftIRC Administration
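The post-mortem above mentions identifying what happened during the roughly 20 minute window the server was accessible, and that the attacker staged a compressed archive for later retrieval through the web site. The following is an added example of the kind of file-system triage that supports such a finding; it is not SwiftIRC's own tooling and none of the paths or timestamps are real. It builds a constructed sample tree, then lists files whose modification time falls inside a given window and flags archive files sitting under a web-served directory.

```shell
#!/bin/sh
# Added example (not from the original post): post-mortem file triage.
# Timestamps use the touch -t form YYYYMMDDhhmm; the window and the
# sample tree below are constructed for illustration.

# files_changed_in_window DIR START END
# Lists regular files under DIR whose mtime lies in (START, END].
# Two throwaway reference files bracket the window so only POSIX
# find primaries (-newer / ! -newer) are needed.
files_changed_in_window() {
  dir=$1; start=$2; end=$3
  lo=$(mktemp); hi=$(mktemp)
  touch -t "$start" "$lo"
  touch -t "$end" "$hi"
  find "$dir" -type f -newer "$lo" ! -newer "$hi" | sort
  rm -f "$lo" "$hi"
}

# staged_archives WEBROOT
# Archives dropped into a web-served tree are a common sign that data
# was packaged for later download, as described in the post.
staged_archives() {
  find "$1" -type f \( -name '*.tar' -o -name '*.tar.gz' -o -name '*.tgz' \
    -o -name '*.zip' -o -name '*.7z' \) | sort
}

# make_sample_tree
# Constructed mock file system: a fake /etc and /var/www with one planted
# archive inside the hypothetical 2013-04-01 01:00-01:20 window.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/var/www/html" "$root/etc"
  touch -t 201303310000 "$root/etc/passwd"                 # before the window
  touch -t 201304010105 "$root/var/www/html/index.html"    # inside the window
  touch -t 201304010110 "$root/var/www/html/.cache.tar.gz" # planted archive
  touch -t 201304010300 "$root/etc/hosts"                  # after the window
  echo "$root"
}

# Stand-alone run: build the sample tree and print both reports.
if [ "${TRIAGE_DEMO:-1}" = "1" ] && [ -z "$TRIAGE_NO_MAIN" ]; then
  root=$(make_sample_tree)
  echo "== files modified 2013-04-01 01:00-01:20 =="
  files_changed_in_window "$root" 201304010100 201304010120
  echo "== archives under web root =="
  staged_archives "$root/var/www"
  rm -rf "$root"
fi
```

Modification times are trivially forged by anyone with shell access, so on a live investigation the same bracketing should also be run against ctime (GNU find's `-cnewer`), and the results compared with the provider's console and reboot logs rather than trusted on their own.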


Posted by spling on 2013-06-04 18:37:18 UTC
Thanks for the information Sephiroth.
I hope you're right about that-- "the attempts to retrieve any of our internal or user data were unsuccessful through this vector".
It would be interesting to have read more detail into how exactly you established that.

Posted by Dr_Rockso on 2017-09-22 22:40:47 UTC
1
