How exactly a hetzner dedicated server is compromised ?

I have a Hetzner server, reinstalled it fresh. Because the term with my current provider is not finished yet, I didn't use it immediately. About a week later, I got an email from Hetzner.

I know I can just reinstall it again; it's just that I am curious. How does a freshly installed dedicated server get compromised?

Does the password sent by email in plain text is intercepted by middleman ? does hetzner database compromised ?

I mean is it possible to login to a server without a password at all ? If it's possible, I want to know how ?

As of right now, I just reinstalled the server and turned it off.


Comments

  • serv_eeserv_ee Member
    edited September 30

    You mean a fast-flux email? Just got one as well

    I swear to drunk Im not god

  • @serv_ee said:
    You mean a fast-flux email? Just got one as well

    Yes, the fast-flux one. Glad to hear the other suffer the same fate as I did. So, I am not alone ? does it mean Hetzner screws up ?

  • ChristianDSHChristianDSH Member, Provider

    There are bots scanning for easy passwords via SSH brute force; maybe that's how it got compromised?

    DeinServerHost.de :: VPS, Dedicated Servers, Teamspeak and Gameservers hosted in Germany, Frankfurt - Includes Combahton DDoS Protection - VPS from only 1€/mo https://deinserverhost.de/vserver-mieten

  • @yokowasis said:

    @serv_ee said:
    You mean a fast-flux email? Just got one as well

    Yes, the fast-flux one. Glad to hear the other suffer the same fate as I did. So, I am not alone ? does it mean Hetzner screws up ?

    Well, the domain that was at the end of the email doesn't match mine whatsoever, so I'm just guessing it was someone who used the server before me. (Auction server)

    Haven't had the chance to look at the logs yet. My server is also set to host.allow sshd just my IP so I doubt someone got in.


  • @ChristianDSH said:
    There are bots scanning for easy passwords via SSH brute force; maybe that's how it got compromised?

    The password generated by hetzner is anything but easy.

    @serv_ee said:

    @yokowasis said:

    @serv_ee said:
    You mean a fast-flux email? Just got one as well

    Yes, the fast-flux one. Glad to hear the other suffer the same fate as I did. So, I am not alone ? does it mean Hetzner screws up ?

    Well, the domain that was at the end of the email doesn't match mine whatsoever, so I'm just guessing it was someone who used the server before me. (Auction server)

    Haven't had the chance to look at the logs yet. My server is also set to host.allow sshd just my IP so I doubt someone got in.

    But why now though? I have had the server for about 1 week.

  • No idea to be honest. I got that one for months on end now.

    Maybe @Hetzner_OL has any idea? Also the email states that it's up to you if you take any action at all so I doubt it's anything too serious.


  • @yokowasis said: About a week later, I got email from hetzner.

    what exactly did it say, this email?

    UltraVPS.eu KVM in US/UK/NL/DE: 15% off first 6 month | Netcup VPS/rootDS - 5€ off: 36nc15279180197 (ref)

  • @Falzo said:

    @yokowasis said: About a week later, I got email from hetzner.

    what exactly did it say, this email?

    INCIBE-CERT has detected some domain names that seem to be using Fast-Flux techniques[1] pointing to machines under your constituency, which may be members of a botnet.

    Something something

    We recommend you to enquire with the customer whether he recognizes the domain as one they own/provide a service to. In case he doesn't, the host should probably be considered compromised, and appropriate measures taken to clean it and ensure it doesn't get compromised again.

  • I just noticed that the IP in the email is the secondary IP for the server not the main one to begin with. That IP isn't even in use.


  • I’ve had this happen to me before too, server was idling and fully hardened

  • I also get the same info, is this valid, I don't know, but my server has no suspicious activity

    Dear Team,

    INCIBE-CERT has detected some domain names that seem to be using Fast-Flux techniques[1] pointing to machines under your constituency, which may be members of a botnet.

    As you are probably aware, Fast Flux botnets are built upon a network of compromised machines in order to provide better reliability to their evil deeds.
    We can only infer that the detected domains are indeed fast flux domains from the DNS resolution. However, finding its IP address belonging to a fast flux domain is a strong indicator that a given host is compromised (or has been in the past, sometimes the evildoer fails to promptly remove the ip from the fast flux domain).

    We recommend you to enquire with the customer whether he recognizes the domain as one they own/provide a service to. In case he doesn't, the host should probably be considered compromised, and appropriate measures taken to clean it and ensure it doesn't get compromised again.

    At the bottom of this email you can find the information, concerning the hosts under your constituency that have been gathered since our last notification, as well as attached for your convenience.

    The file is formatted as follows:

    [Timestamp] [IP] [Domain] [Country] [AS]

    Timestamp format is dd/mm/yyyy hh:mm:ss UTC

    As this information is collected from public services, you can share it with other involved entities (like ISPs, CERTs or other companies).

    We hope this information regarding the security of your customers/clients results useful for you. In case of further questions, or if you need any help on this issue, please feel free to contact us at .

    You can contact us if you detect any fraudulent activity under a .es domain or related with Spanish resources, and we would try to help you to solve it.

    Thank you.
    Best Regards,

    1- https://en.wikipedia.org/wiki/Fast_flux

    --
    INCIBE-CERT - CSIRT of the Spanish National Cybersecurity Institute
    https://www.incibe-cert.es/

    PGP keys: https://www.incibe-cert.es/sobre-incibe-cert/claves-publicas-pgp

    INCIBE-CERT is the Spanish National CSIRT designated for citizens, private law entities, other entities not included in the subjective scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen Jurídico del Sector Público", as well as digital service providers, operators of essential services and critical operators under the terms of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de información" that transposes the Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

  • Maybe its an automated email to everyone lol?


  • @serv_ee said:
    Maybe its an automated email to everyone lol?

    Why is Hetzner sending a broadcast email from an abuse address, with an abuse ID as the subject?

    @Hetzner_OL we demand an explanation.

  • "We demand"? I aint demanding anything.


  • @serv_ee said:
    "We demand"? I aint demanding anything.

    We as in, I, me and myself.

  • Don't get me wrong. It would be nice to know the root cause of this, but "demand" isn't exactly the word you should use. And maybe you'd get a faster response from their support.


  • deankdeank Member, Troll

    Indeed, "demand" isn't the word you should use.

    Sue, instead.

    There are two things that make Earth spin: Money and PMS.

  • Let me know if you don’t want this server. :)

    "Across the Great Wall we can reach every corner of the world"

  • Hetzner is forwarding an email they get from INCIBE-CERT - CSIRT of the Spanish National Cybersecurity Institute as they are legally required to. If you want to pitch a bitch then yell at them.

    It's the same situation when you run Proxmox with open RPCBIND, ignore them and just go about your business.

  • seriesnseriesn Member, Top Provider

    @yokowasis said: Does the password sent by email in plain text is intercepted by middleman ? does hetzner database compromised ?

    If you are using regular password based authentication and left the Default SSH port (22) open, without any form of bruteforce protection, it wouldn't take too long for anyone to break in :(

  • @PHDan said:
    Hetzner is forwarding an email they get from INCIBE-CERT - CSIRT of the Spanish National Cybersecurity Institute as they are legally required to. If you want to pitch a bitch then yell at them.

    It's the same situation when you run Proxmox with open RPCBIND, ignore them and just go about your business.

    How exactly is a German company legally obligated to forward Spanish institute letters?


  • @PHDan said:
    Hetzner is forwarding an email they get from INCIBE-CERT - CSIRT of the Spanish National Cybersecurity Institute as they are legally required to. If you want to pitch a bitch then yell at them.

    It's the same situation when you run Proxmox with open RPCBIND, ignore them and just go about your business.

    Usually when you ignore abuse email, bad things happened. Hetzner shouldn't have sent it from abuse email. I am not used to ignoring abuse email. When I got abuse email, something must be wrong is the first sentence that comes to my mind.

  • jackbjackb Member, Provider

    @yokowasis said:

    @PHDan said:
    Hetzner is forwarding an email they get from INCIBE-CERT - CSIRT of the Spanish National Cybersecurity Institute as they are legally required to. If you want to pitch a bitch then yell at them.

    It's the same situation when you run Proxmox with open RPCBIND, ignore them and just go about your business.

    Usually when you ignore abuse email, bad things happened. Hetzner shouldn't have sent it from abuse email. I am not used to ignoring abuse email. When I got abuse email, something must be wrong is the first sentence that comes to my mind.

    Then don't ignore it - tell them you think it's a mistake and explain why

    Afterburst - Awesome OpenVZ&KVM VPS in US+EU

  • PHDanPHDan Member
    edited September 30

    @yokowasis said: Usually when you ignore abuse email, bad things happened. Hetzner shouldn't have sent it from abuse email. I am not used to ignoring abuse email. When I got abuse email, something must be wrong is the first sentence that comes to my mind.

    Then you haven't used Hetzner all that much.

    Edit: I get it, it's embarrassing when you scream "FIRE" in a room where someone lit a candle, and you're trying to save face but really this is a shitload of nothing.

  • See https://laracasts.com/discuss/channels/forge/abuse-reported-botnet-from-a-laravel-forge-created-server and my answer. I doubt that your server is compromised.

    See https://blogs.akamai.com/2017/10/digging-deeper-an-in-depth-analysis-of-a-fast-flux-network-part-three.html

    "Analysis of the U.S. IP addresses shows that many of those IP addresses belong to Fortune 100 companies, as well as military organizations, probably being used as fake entries on the nameserver associated with the given domains.

    The Enterprise Threat Protector security research team suspects that these IP addresses are not compromised machines and that the presence of these IP addresses on the nameserver can be explained as a technique being used by C&C network owners designed to inherit the reputation of the associated organizations. Inspection of such domains by law enforcement or security vendors can result in misleading conclusions on the nature of the domains and the associated IP addresses."

    I'm pretty sure that this is the case and this CERT thought all the IP addresses are compromised and contacted everyone.

  • martinhuwamartinhuwa Member
    edited September 30

    Old and different story. Still, I think in this case the Fast Flux network used many fake IP addresses to irritate researchers as this is often the case.

    chkrootkit and rkhunter should find nothing malicious.

  • So your take is that Hetzner is going to terminate the services of every dedicated server that shows up on this scan?

    Again, this is nothing. But as a provider they have to notify everyone that potentially may be affected to catch the 1 time out of 1000. If they didn't then the 1 case would do shit like this thread but with "WhY HetZNEr no TELL Me?!?!"

    For the sake of Katie's sanity I hope Hetzner has deemed forums like this place to be lost causes and focus on the non shitty clients.

  • Hetzner does not simply terminate anything. They just forward the emails. So as already mentioned: the email can be probably ignored.

  • The fear of consequences is understandable but there happens nothing if you ignore the email or answer: "I think this is not correct / a false positive"

  • raindog308raindog308 Administrator, Moderator

    @LightBlade said: machines under your constituency

    You were elected to run this server?


    For LET support, please visit the support desk.

  • @PHDan said: For the sake of Katie's sanity I hope Hetzner has deemed forums like this place to be lost causes and focus on the non shitty clients.

    So asking a question here without wanting to bother the abuse team right away is a sign of a shitty client now? Gotcha.


  • yokowasisyokowasis Member
    edited September 30

    @PHDan said:

    @yokowasis said: Usually when you ignore abuse email, bad things happened. Hetzner shouldn't have sent it from abuse email. I am not used to ignoring abuse email. When I got abuse email, something must be wrong is the first sentence that comes to my mind.

    Then you haven't used Hetzner all that much.

    Edit: I get it, it's embarrassing when you scream "FIRE" in a room where someone lit a candle, and you're trying to save face but really this is a shitload of nothing.

    Yeah, I said it. I have been using Hetzner for 1 week. Using is not the right term, because I haven't used the server yet.

    And I am not trying to save face or anything. I was just looking for some info, got the info, mission accomplished.

    If you want to use the fire analogy, it's the fireman who screams fire. I am not aware of any fire; asking the townsfolk, they also hear the fire warning, and they explain it's just the thing that fireman does: screaming false positive fire alerts.

  • PHDanPHDan Member
    edited September 30

    @serv_ee said: So asking a question here without wanting to bother the abuse team right away is a sign of a shitty client now?

    No, opening a topic that's a passive aggressive shot at Hetzner ("does hetzner database compromised ?") is.

    Edit: https://www.lowendtalk.com/discussion/comment/3136340/#Comment_3136340

    [@yokowasis said] The rules don't apply to some providers; OVH and Hetzner are two of those providers.

  • @PHDan said:

    @serv_ee said: So asking a question here without wanting to bother the abuse team right away is a sign of a shitty client now?

    No, opening a topic that's a passive aggressive shot at Hetzner ("does hetzner database compromised ?") is.

    It's a genuine question. You either login without password, or with password. Hence the next question.

    I mean is it possible to login to a server without a password at all ?

  • @yokowasis said: It's a genuine question.

    Bullshit. You have a chip with Hetzner, your comments show it.

  • @PHDan said:

    @serv_ee said: So asking a question here without wanting to bother the abuse team right away is a sign of a shitty client now?

    No, opening a topic that's a passive aggressive shot at Hetzner ("does hetzner database compromised ?") is.

    Edit: https://www.lowendtalk.com/discussion/comment/3136340/#Comment_3136340

    The rules don't apply to some providers; OVH and Hetzner are two of those providers.

    Yea, I agree the wording could have been a little better, but not everyone's English is perfect enough to choose from a ton of words.

    To be fair when I got the email today I thought of making a topic about it as well asking but then I remembered my .allow .deny rules to begin with. Not everyone is always up to date with abuse emails and of course they can scare a person. But "demanding" stuff is already a different subject.

    And as for your edit, I haven't been here as long as most, but I've yet to see Hetzner doing any promos at all.


  • @serv_ee said: And as for your edit,

    My apologies, I was having trouble with the edits and the links. The gist is that the OP has a bug about Hetzner already.

  • @PHDan said:

    @yokowasis said: It's a genuine question.

    Bullshit. You have a chip with Hetzner, your comments show it.

    WTF is a chip ?

    Yeah, you do you mate. You can call me bullshit, I also can call you bullshit. I have nothing against Hetzner; this thread was opened solely with the assumption that my server "IS" hacked, otherwise I wouldn't be reinstalling and turning off my server.

    Asking for advice on where the possible entry point is, so it won't happen again in the future.

    But sure, you know better. Whatever mate. cheers. Have a good day.

  • Ah yes, when called out make sure you flip the table...

  • @PHDan said:

    @serv_ee said: So asking a question here without wanting to bother the abuse team right away is a sign of a shitty client now?

    No, opening a topic that's a passive aggressive shot at Hetzner ("does hetzner database compromised ?") is.

    Edit: https://www.lowendtalk.com/discussion/comment/3136340/#Comment_3136340

    [@yokowasis said] The rules don't apply to some providers; OVH and Hetzner are two of those providers.

    This is out of context, it's based on my experience and what I remember. I remember vaguely about Hetzner, (or is it Online.net) but OVH / Kimsufi is definitely has been allowed to break rules in the past.

    You want to accuse me I have something against OVH too ? fine by me.

  • as others pointed out hetzner forwards such mails they get from different 'security' or 'researching' institutes, government, whatever... that's why I asked for the content in the first place.

    normally these mails contain something like this:

    Die Weiterleitung dieser Beschwerde dient nur als Information für Sie.
    Wir erwarten bezüglich dieser Beschwerde keine Rückmeldung Ihrerseits.
    Wir bitten jedoch darum, der Meldung nachzugehen und evtl. Probleme zu beheben.

    in english:

    The forwarding of this complaint is for your information only.
    We do not expect any feedback from you regarding this complaint.
    However, we would ask you to follow up on the report and correct any problems.

    so maybe check if that is the case, and then you probably can simply ignore the mail and nothing is wrong.

    as you said yourself, you got that just now, therefore I'd say chances are high, that previous IP owner had a problem. maybe also check if the original text they attached from the CERT holds a timestamp of when they checked whatever.

    btw: I agree that asking if hetzner has a database leak, mitm attack or security problem at all here made it sound a bit aggressive in the first, assuming there were enough infos as the quoted above, which you could have read before ranting ;-)

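As an added example (not from the thread, Hetzner or INCIBE-CERT), here is a small Python triage script for the attachment format quoted earlier in the thread ("[Timestamp] [IP] [Domain] [Country] [AS]"), applying the checks the posters arrive at: whether the listed IP is even assigned to your server, whether the sighting predates the date you received it, whether you recognise the domain, and whether the IP is an unused secondary address. The function names, sample lines, addresses and dates are constructed, and tolerating an optional literal "UTC" token is an assumption about the file layout.

```python
"""Triage the attachment of an INCIBE-CERT fast-flux notification.

Lines follow the layout quoted in the thread, '[Timestamp] [IP] [Domain]
[Country] [AS]', with the timestamp as dd/mm/yyyy hh:mm:ss in UTC.  Helper
names, sample lines and 'my server' details are constructed for this example;
addresses and AS numbers are documentation-only values.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

@dataclass(frozen=True)
class Record:
    seen: datetime  # when the resolution was observed (UTC)
    ip: str
    domain: str
    country: str
    asn: str

def parse_line(line: str) -> Record:
    """Parse one report line.  A literal 'UTC' token after the time is
    tolerated (assumption: the email does not say whether it is written out)."""
    parts = line.split()
    if len(parts) == 7 and parts[2] == "UTC":
        del parts[2]
    if len(parts) != 6:
        raise ValueError(f"unexpected field count: {line!r}")
    seen = datetime.strptime(f"{parts[0]} {parts[1]}", "%d/%m/%Y %H:%M:%S")
    ip = str(ipaddress.ip_address(parts[2]))  # rejects malformed addresses
    return Record(seen.replace(tzinfo=timezone.utc), ip, parts[3], parts[4], parts[5])

def triage(rec: Record, assigned, active, provisioned_at, known_domains) -> str:
    """Apply the checks the thread arrives at, strongest explanation first:
    is the IP yours at all, does the sighting predate your ownership, do you
    recognise the domain, is it an assigned-but-unused secondary address."""
    if rec.ip not in assigned:
        return "not-assigned-to-me"
    if rec.seen < provisioned_at:
        return "predates-my-ownership"
    if rec.domain.lower() in known_domains:
        return "domain-recognised"
    if rec.ip not in active:
        return "assigned-but-unused"
    return "investigate"

def triage_report(text, assigned, active, provisioned_at, known_domains):
    """Parse the whole attachment and return [(record, verdict), ...]."""
    recs = [parse_line(ln) for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    return [(r, triage(r, assigned, active, provisioned_at, known_domains)) for r in recs]

# Constructed sample: what the attachment could look like for one customer.
SAMPLE_REPORT = """\
25/09/2019 14:03:11 192.0.2.10   flux-a.example   ES AS64496
30/09/2019 08:15:42 192.0.2.11   flux-b.example   ES AS64496
30/09/2019 08:16:05 192.0.2.10   www.example.org  DE AS64496
30/09/2019 09:00:00 203.0.113.5  flux-c.example   US AS64497
30/09/2019 09:30:00 192.0.2.10   flux-d.example   ES AS64496
"""
ASSIGNED_IPS = {"192.0.2.10", "192.0.2.11"}  # main plus secondary address
ACTIVE_IPS = {"192.0.2.10"}  # the secondary address is not in use
PROVISIONED_AT = datetime(2019, 9, 27, tzinfo=timezone.utc)  # hand-over date
KNOWN_DOMAINS = {"www.example.org"}

if __name__ == "__main__":
    for rec, verdict in triage_report(SAMPLE_REPORT, ASSIGNED_IPS, ACTIVE_IPS,
                                      PROVISIONED_AT, KNOWN_DOMAINS):
        print(f"{rec.seen:%Y-%m-%d %H:%M} {rec.ip:<12} {rec.domain:<16} {verdict}")
```

Only the "investigate" rows need a closer look on the host; the others are explained by the ownership date, an unused address, or a domain you already run.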

  • If i recall from other thread- he got the server with a private transfer- so the IP is the old users IP, unlike when you get a new server and they assign an ip out of the ip pool they have available. Hence receiving stuff caused by prior user


    Nothing profound to say, so I'm on LET.

  • This actually brings up a good question: what's a good way to scan for "botnets" on Linux servers?


  • yokowasisyokowasis Member
    edited September 30

    @Falzo said:
    btw: I agree that asking if hetzner has a database leak, mitm attack or security problem at all here made it sound a bit aggressive in the first, assuming there were enough infos as the quoted above, which you could have read before ranting ;-)

    Again, I am not ranting. It's a genuine question. I am sorry if anyone offended by that.

    However, we would ask you to follow up on the report and correct any problems.

    I am just trying to follow up the report and figuring out what the hell is going on so I can correct any problem and preventing it from happening again. Hence asking here.

  • @serv_ee said: what's a good way to scan for "botnets" on Linux servers?

    top/htop/iotop - monitor the disk/cpu/network. If you're compromised then the processes will be rather obvious.

  • @serv_ee said:
    This actually brings up a good question: what's a good way to scan for "botnets" on Linux servers?

    I've mentioned a few (rkhunter, chkrootkit and others).

    Plus I've mentioned that the systems are probably not compromised.

    Scanned our servers and checked with a few more tools, nothing suspicious.

  • serv_eeserv_ee Member
    edited September 30

    @PHDan said:

    @serv_ee said: what's a good way to scan for "botnets" on Linux servers?

    top/htop/iotop - monitor the disk/cpu/network. If you're compromised then the processes will be rather obvious.

    Yea I was thinking more along the lines of "how to detect and get rid of the easy way" lol - Being an old windows user has its downsides.

    Thanks @martinhuwa - I'll surely keep it in mind for the future.


  • @serv_ee said:

    @PHDan said:

    @serv_ee said: what's a good way to scan for "botnets" on Linux servers?

    top/htop/iotop - monitor the disk/cpu/network. If you're compromised then the processes will be rather obvious.

    Yea I was thinking more along the lines of "how to detect and get rid of the easy way" lol - Being an old windows user has its downsides.

    Thanks @martinhuwa - I'll surely keep it in mind for the future.

    Get rid of = format/reinstall
