Security

Screenshot Purports to Show Hackers with Root Access on MediaDefender Server in April

Nearly two months ago a group of hackers released to BitTorrent a trove of e-mails, source code and other materials that they grabbed from a compromised server or servers belonging to anti-piracy company MediaDefender. Today I obtained a screenshot of a log purporting to show the hackers with root access on the MediaDefender server on […]

Mediadefender_root_hack
Nearly two months ago a group of hackers released to BitTorrent a trove of e-mails, source code and other materials that they grabbed from a compromised server or servers belonging to anti-piracy company MediaDefender. Today I obtained a screenshot of a log purporting to show the hackers with root access on the MediaDefender server on April 10th of this year.

I can't verify the authenticity of the log, which could have been fabricated, but the log shows the hackers with root on a server referred to as "PM" at the following IP address: 65.120.42.146.

An internal MediaDefender e-mail that was among those seized by the hackers and released to BitTorrent in September shows MediaDefender employees discussing the hacked "PM" server and its IP address -- the IP address that appears in the log screenshot. That e-mail (shown below) is dated two months after the log showing MediaDefender's server compromised.

From: Norman Heath [mailto:XXXX@mac.com]

Sent: Wednesday, June 06, 2007 7:02 PM

To: it

Cc: Gerald Rode; Jay Mairs; Ivan Kwok; Gilberto Vargas

Subject: pm webserver

The 65.120.42.146 pm webserver has been compromised.

What I need Gerald to do is backup everything on this server. You have to SSH to it from another box in the office, as you can't get to it from the outside world. So back it up to the munger server or dcmaster or wherever. Use the 'scp' command to do this or another method.

IT is creating another web server with CentOS 5 on it. When they are done they will give it an IP and email Gerald this IP. We need this new server to be the fully functional pm server by 9 am in the morning. At this time we will give the new server the 65.120.42.146 IP and all will be back to normal. We are going to swap servers basically.

As a side note, please do not ever use the old passwords on anything. Every other hacker in the world has those passwords, because we used them for years on our windows servers.

Ty

MediaDefender didn't respond to a call for comment today. The company also didn't respond to repeated calls in September seeking authentication of the e-mails. But after the e-mails were leaked to BitTorrent, MediaDefender sent a series of takedown notices to sites hosting the e-mails claiming them as trade secrets.

It's unclear when the hackers first breached MediaDefender's security, but a note the hackers posted with some of the purloined material indicates that they'd breached MediaDefender's security as early as January of this year.

See Also: