

Hetzner abuse message
kalimov622 Member
edited October 2018 in Help

I currently have several cloud instances with Hetzner running for several months on Windows 2012 and so far everything was fine. I decided to create a couple of new CX11 ones the other day running Windows 2008 R2 Standard this time, since it takes less space and my app doesn't need more than 1 GB RAM really. The problem is that an hour or so after my cloud is ready, and without installing anything except the OS itself, I'm getting an automated abuse message from Hetzner regarding a Netscan coming from the cloud IP address; upon checking with netstat -n there are indeed some listed:

Tue Oct 22 01:26:04 2018 TCP 159.69.xx.xxx 58361 => 13.18.xxx.x82 445
Tue Oct 22 01:26:19 2018 TCP 159.69.xx.xxx 61371 => 13.19.xxx.x04 445
Tue Oct 22 01:26:33 2018 TCP 159.69.xx.xxx 64385 => 13.31.xx.x5 445

I have enabled the netframework 3.5 feature in the OS and installed chrome and redistributable packages for 2008 and 2012 that are required for my app to run and that's about it. Is there maybe an exploit with the netframework 3.5? Should I run all windows 2008 updates due to an older exploit that may exist on this OS? Should I completely block port 445 (SMB)?
I only seem to have this problem with the new deployed cloud.
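As an added defender-side example (not from the thread, and not Hetzner's own tooling), the script below parses connection lines in the format quoted in the post and flags any source that reaches SMB (TCP 445) on several distinct hosts within a short window, which is what an outbound worm-style netscan looks like versus ordinary traffic. The sample addresses are constructed documentation-range values; the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# One connection per line, as in the abuse report quoted above:
# "Tue Oct 22 01:26:04 2018 TCP <src> <sport> => <dst> <dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<proto>TCP|UDP) (?P<src>\S+) (?P<sport>\d+) => (?P<dst>\S+) (?P<dport>\d+)$"
)
SMB_PORT = 445

# Constructed sample: one host sweeping 445, one host doing normal traffic.
SAMPLE_REPORT = """\
Tue Oct 22 01:26:04 2018 TCP 198.51.100.7 58361 => 203.0.113.82 445
Tue Oct 22 01:26:19 2018 TCP 198.51.100.7 61371 => 203.0.113.104 445
Tue Oct 22 01:26:33 2018 TCP 198.51.100.7 64385 => 203.0.113.5 445
Tue Oct 22 01:27:10 2018 TCP 198.51.100.7 64390 => 203.0.113.5 445
Tue Oct 22 01:30:00 2018 TCP 198.51.100.9 50001 => 203.0.113.20 443
Tue Oct 22 01:30:05 2018 TCP 198.51.100.9 50002 => 203.0.113.21 445
"""

def parse_line(line):
    """Return a dict for a well-formed report line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}

def find_smb_scanners(lines, min_targets=3, window_s=300):
    """Map src -> sorted distinct SMB targets for sources that hit TCP/445 on
    at least min_targets different hosts inside any window_s-second window.
    Repeated connections to the same host do not count as spreading."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == SMB_PORT:
            per_src[rec["src"]].append((rec["ts"], rec["dst"]))
    flagged = {}
    for src, hits in per_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide the window over each start
            targets = {d for t, d in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(targets) >= min_targets:
                flagged[src] = sorted(targets)
                break
    return flagged

if __name__ == "__main__":
    for src, targets in find_smb_scanners(SAMPLE_REPORT.splitlines()).items():
        print(f"{src} swept SMB on {len(targets)} hosts: {', '.join(targets)}")
```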

Comments

  • Well.. you already answer your question..

    Thanked by 1kalimov622
  • "Should I perform all windows 2008 updates"

    mhm, probably the first thing you should be doing anyway?

    Thanked by 2kalimov622 that_guy
kalimov622 Member
    edited October 2018

Isn't it odd for this to happen in less than an hour since the fresh install though? That's what I find strange, the short time interval, besides it never happened before. I've removed the cloud already, will be trying a fresh install and get the OS updates right away and see if it makes any difference.
    Blocked SMB entirely as well and seems the problem is gone for now, thanks for the answers too. Guess there is more aggressive port scanning these days on older OS

  • It is not odd.. since this is internet era..

deank Member, Troll

    Nope, not odd. I've seen fresh installs on popular hosts (OVH, Hetzner) getting hacked within 30 minutes if left unpatched.

    Thanked by 1kalimov622
  • edited October 2018

    @kalimov622 said:
Isn't it odd for this to happen in less than an hour since the fresh install though? That's what I find strange, the short time interval, besides it never happened before. I've removed the cloud already, will be trying a fresh install and get the OS updates right away and see if it makes any difference.
    Blocked SMB entirely as well and seems the problem is gone for now, thanks for the answers too. Guess there is more aggressive port scanning these days on older OS

    About 2 months after eternal blue was released I was still seeing probes for it every few minutes, always run updates immediately.

    Thanked by 1kalimov622
MikePT Moderator, Patron Provider, Veteran

    Windows 2008 is easily compromised using SMB protocol if you don't run the updates immediately. You should NOT be running Windows 2008 if it's not updated. You'll likely get hacked within a few hours.

    Thanked by 2kalimov622 vimalware
Thanks for the answers, didn't realize this could happen so fast in W2K8 nowadays as it was literally minutes. Made the proper updates and everything is fine now.

    Thanked by 1MikePT
gks Member

    @kalimov622,

One quick question not related to your problem, sorry if it is the wrong thread. I wanted to move to Hetzner cloud for my remote desktop, do you use Windows with VNC or remote desktop on Hetzner cloud? Did you find it doing well on Hetzner cloud over time?

  • @kalimov622 said:
Thanks for the answers, didn't realize this could happen so fast in W2K8 nowadays as it was literally minutes. Made the proper updates and everything is fine now.

Are you not an MSDN subscriber? It's called Windows Fast Login System (WFLS), it allows anyone anywhere in the world to connect to a Windows machine and use it immediately after installation. After Bill Gates left his active role in the company, Microsoft is very open (Windows 10, GitHub, mscode) and believes everyone deserves to use a Windows machine even if they didn't pay for it.

kalimov622 Member
    edited October 2018

    @gks, I use RDP and so far I'm happy with Hetzner cloud, the uptime is pretty good too. Two downtimes within ~7 months, one for about 6 minutes (I think this was caused by a general outage few months ago) and the other more recent one for 2 minutes.

    Thanked by 1gks
  • I had the same problem with all update.

  • kalimov622 said: Isn't it odd for this to happen in less than an hour since the fresh install though?

    Not at all. Hetzner IP ranges are well known/(ab)used. I've had login/bruteforce attempts within minutes of deploying new cloud instances in the past. Sad, but true.

  • Welcome to the Internet. Collect your firewall towel from the lobby.

  • They should have some filters installed to detect bruteforce attempts.

  • @ratherbak3d said:
    Not at all. Hetzner IP ranges are well known/(ab)used. I've had login/bruteforce attempts within minutes of deploying new cloud instances in the past. Sad, but true.

Indeed, I did say within an hour but it was literally minutes, like even before I was able to finish my coffee and run those updates. I hadn't used Hetzner for quite a while before having these cloud servers deployed several months ago and wasn't up to date on how much their IP ranges are being abused these days.
