How exactly a hetzner dedicated server is compromised ?
I have a Hetzner server and reinstalled it fresh. Because the term with my current provider is not finished yet, I didn't use it immediately. About a week later, I got an email from Hetzner.

I know I can just reinstall it again; it's just that I am curious. How does a freshly installed dedicated server get compromised?

Is the password sent by email in plain text intercepted by a man in the middle? Is Hetzner's database compromised?

I mean, is it possible to log in to a server without a password at all? If it's possible, I want to know how.

As of right now, I just reinstalled the server and turned it off.

Comments

  • serv_ee Member
    edited September 2020

    You mean a fast-flux email? Just got one as well

  • @serv_ee said:
    You mean a fast-flux email? Just got one as well

    Yes, the fast-flux one. Glad to hear others suffered the same fate as I did. So I am not alone? Does it mean Hetzner screwed up?

  • ChristianDSH Member, Host Rep

    There are bots scanning for easy passwords via SSH brute force, maybe that's how it got compromised?

  • @yokowasis said:

    @serv_ee said:
    You mean a fast-flux email? Just got one as well

    Yes, the fast-flux one. Glad to hear others suffered the same fate as I did. So I am not alone? Does it mean Hetzner screwed up?

    Well, the domain that was at the end of the email doesn't match mine whatsoever, so I'm just guessing it was someone who used the server before me. (Auction server)

    Haven't had the chance to look at the logs yet. My server is also set to hosts.allow sshd to just my IP, so I doubt someone got in.

  • @ChristianDSH said:
    There are bots scanning for easy passwords via SSH brute force, maybe that's how it got compromised?

    The password generated by Hetzner is anything but easy.

    @serv_ee said:

    @yokowasis said:

    @serv_ee said:
    You mean a fast-flux email? Just got one as well

    Yes, the fast-flux one. Glad to hear others suffered the same fate as I did. So I am not alone? Does it mean Hetzner screwed up?

    Well, the domain that was at the end of the email doesn't match mine whatsoever, so I'm just guessing it was someone who used the server before me. (Auction server)

    Haven't had the chance to look at the logs yet. My server is also set to hosts.allow sshd to just my IP, so I doubt someone got in.

    But why now, though? I have had the server for about 1 week.

  • No idea, to be honest. I have been getting that one for months on end now.

    Maybe @Hetzner_OL has any idea? Also the email states that it's up to you if you take any action at all so I doubt it's anything too serious.

  • @yokowasis said: About a week later, I got an email from Hetzner.

    What exactly did it say, this email?

  • @Falzo said:

    @yokowasis said: About a week later, I got an email from Hetzner.

    What exactly did it say, this email?

    INCIBE-CERT has detected some domain names that seem to be using Fast-Flux techniques[1] pointing to machines under your constituency, which may be members of a botnet.

    Something something

    We recommend you to enquire with the customer whether he recognizes the domain as one they own/provide a service to. In case he doesn't, the host should probably be considered compromised, and appropriate measures taken to clean it and ensure it doesn't get compromised again.

  • I just noticed that the IP in the email is the secondary IP for the server, not the main one to begin with. That IP isn't even in use.

  • I've had this happen to me before too; the server was idling and fully hardened.

  • I also got the same info. Whether this is valid, I don't know, but my server has no suspicious activity.

    Dear Team,

    INCIBE-CERT has detected some domain names that seem to be using Fast-Flux techniques[1] pointing to machines under your constituency, which may be members of a botnet.

    As you are probably aware, Fast Flux botnets are built upon a network of compromised machines in order to provide better reliability to their evil deeds.
    We can only infer that the detected domains are indeed fast flux domains from the DNS resolution. However, finding that its IP address belongs to a fast flux domain is a strong indicator that a given host is compromised (or has been in the past; sometimes the evildoer fails to promptly remove the IP from the fast flux domain).

    We recommend you to enquire with the customer whether he recognizes the domain as one they own/provide a service to. In case he doesn't, the host should probably be considered compromised, and appropriate measures taken to clean it and ensure it doesn't get compromised again.

    At the bottom of this email you can find the information concerning the hosts under your constituency that has been gathered since our last notification, as well as attached for your convenience.

    The file is formatted as follows:

    [Timestamp] [IP] [Domain] [Country] [AS]

    Timestamp format is dd/mm/yyyy hh:mm:ss UTC

    As this information is collected from public services, you can share it with other involved entities (like ISPs, CERTs or other companies).

    We hope this information regarding the security of your customers/clients is useful to you. In case of further questions, or if you need any help on this issue, please feel free to contact us at .

    You can contact us if you detect any fraudulent activity under a .es domain or related to Spanish resources, and we will try to help you solve it.

    Thank you.
    Best Regards,

    1- https://en.wikipedia.org/wiki/Fast_flux

    --
    INCIBE-CERT - CSIRT of the Spanish National Cybersecurity Institute
    https://www.incibe-cert.es/

    PGP keys: https://www.incibe-cert.es/sobre-incibe-cert/claves-publicas-pgp

    INCIBE-CERT is the Spanish National CSIRT designated for citizens, private law entities, other entities not included in the subjective scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen Jurídico del Sector Público", as well as digital service providers, operators of essential services and critical operators under the terms of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de las redes y sistemas de información" that transposes the Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
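    The report format the email describes ([Timestamp] [IP] [Domain] [Country] [AS], timestamp dd/mm/yyyy hh:mm:ss UTC) is easy to check mechanically before deciding whether a notice like this concerns you. The following is an added example, not INCIBE-CERT's or Hetzner's tooling: it parses such a report and cross-checks the listed IPs against every address or subnet assigned to your server (including secondary IPs that are not in use, as noted earlier in this thread). The exact line layout, the optional brackets, and the sample data are assumptions.

    ```python
    """Parse an INCIBE-CERT style fast-flux report and find which listed IPs are ours."""
    import ipaddress
    import re
    from collections import defaultdict
    from datetime import datetime, timezone

    # Assumed layout from the notification: [Timestamp] [IP] [Domain] [Country] [AS].
    # Brackets are treated as optional because the email only shows placeholders.
    LINE_RE = re.compile(
        r"^\[?(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\]?\s+"
        r"\[?(\S+?)\]?\s+\[?(\S+?)\]?\s+\[?(\S+?)\]?\s+\[?(\S+?)\]?$"
    )

    def parse_report(text):
        """Return one dict per well-formed record; malformed lines are skipped, not guessed."""
        records = []
        for line in text.splitlines():
            m = LINE_RE.match(line.strip())
            if not m:
                continue
            ts, ip, domain, country, asn = m.groups()
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # field is not an IP address
            when = datetime.strptime(ts, "%d/%m/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
            records.append({"when": when, "ip": addr, "domain": domain.lower(),
                            "country": country, "asn": asn})
        return records

    def match_own_hosts(records, own):
        """Map each of our IPs to the domains seen pointing at it plus first/last sighting.
        `own` holds addresses or CIDR networks (main IP, secondary IPs, routed subnets)."""
        nets = [ipaddress.ip_network(o, strict=False) for o in own]
        hits = defaultdict(lambda: {"domains": set(), "first": None, "last": None})
        for r in records:
            if not any(r["ip"] in n for n in nets):
                continue  # someone else's host; nothing for us to act on
            h = hits[str(r["ip"])]
            h["domains"].add(r["domain"])
            h["first"] = r["when"] if h["first"] is None else min(h["first"], r["when"])
            h["last"] = r["when"] if h["last"] is None else max(h["last"], r["when"])
        return dict(hits)

    # Constructed sample report: documentation IP ranges, made-up domains and AS numbers.
    SAMPLE = """\
    01/09/2020 10:15:00 203.0.113.10 badcdn-example.invalid DE AS64496
    02/09/2020 03:40:12 203.0.113.10 other-flux.invalid DE AS64496
    02/09/2020 04:00:00 198.51.100.7 badcdn-example.invalid US AS64497
    this line is garbage and should be ignored
    """
    ```

    A hit on an IP that has no service bound to it (as with the unused secondary IP mentioned above) is consistent with the fake-entry explanation discussed later in the thread rather than with a compromise.
    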

  • Maybe it's an automated email to everyone, lol?

  • @serv_ee said:
    Maybe it's an automated email to everyone, lol?

    Why is Hetzner sending a broadcast email from an abuse address, with an abuse ID as the subject?

    @Hetzner_OL we demand an explanation.

  • "We demand"? I aint demanding anything.

  • @serv_ee said:
    "We demand"? I aint demanding anything.

    We as in, I, me and myself.

  • Don't get me wrong. It would be nice to know the root cause of this, but "demand" isn't exactly the word you should use. And maybe you'd get a faster response from their support.

  • deank Member, Troll

    Indeed, "demand" isn't the word you should use.

    Sue, instead.

  • Let me know if you don’t want this server. :)

  • Hetzner is forwarding an email they get from INCIBE-CERT - CSIRT of the Spanish National Cybersecurity Institute as they are legally required to. If you want to pitch a bitch then yell at them.

    It's the same situation when you run Proxmox with open RPCBIND, ignore them and just go about your business.

  • @yokowasis said: Is the password sent by email in plain text intercepted by a man in the middle? Is Hetzner's database compromised?

    If you are using regular password-based authentication and left the default SSH port (22) open, without any form of brute-force protection, it wouldn't take too long for anyone to break in :(

  • @PHDan said:
    Hetzner is forwarding an email they get from INCIBE-CERT - CSIRT of the Spanish National Cybersecurity Institute as they are legally required to. If you want to pitch a bitch then yell at them.

    It's the same situation when you run Proxmox with open RPCBIND, ignore them and just go about your business.

    How exactly is a German company legally obligated to forward Spanish institute letters?

  • @PHDan said:
    Hetzner is forwarding an email they get from INCIBE-CERT - CSIRT of the Spanish National Cybersecurity Institute as they are legally required to. If you want to pitch a bitch then yell at them.

    It's the same situation when you run Proxmox with open RPCBIND, ignore them and just go about your business.

    Usually when you ignore an abuse email, bad things happen. Hetzner shouldn't have sent it from the abuse address. I am not used to ignoring abuse emails. When I get an abuse email, "something must be wrong" is the first sentence that comes to my mind.

  • jackb Member, Host Rep

    @yokowasis said:

    @PHDan said:
    Hetzner is forwarding an email they get from INCIBE-CERT - CSIRT of the Spanish National Cybersecurity Institute as they are legally required to. If you want to pitch a bitch then yell at them.

    It's the same situation when you run Proxmox with open RPCBIND, ignore them and just go about your business.

    Usually when you ignore an abuse email, bad things happen. Hetzner shouldn't have sent it from the abuse address. I am not used to ignoring abuse emails. When I get an abuse email, "something must be wrong" is the first sentence that comes to my mind.

    Then don't ignore it: tell them you think it's a mistake and explain why.

  • PHDan Member
    edited September 2020

    @yokowasis said: Usually when you ignore an abuse email, bad things happen. Hetzner shouldn't have sent it from the abuse address. I am not used to ignoring abuse emails. When I get an abuse email, "something must be wrong" is the first sentence that comes to my mind.

    Then you haven't used Hetzner all that much.

    Edit: I get it, it's embarrassing when you scream "FIRE" in a room where someone lit a candle, and you're trying to save face but really this is a shitload of nothing.

  • See https://laracasts.com/discuss/channels/forge/abuse-reported-botnet-from-a-laravel-forge-created-server and my answer. I doubt that your server is compromised.

    See https://blogs.akamai.com/2017/10/digging-deeper-an-in-depth-analysis-of-a-fast-flux-network-part-three.html

    "Analysis of the U.S. IP addresses shows that many of those IP addresses belong to Fortune 100 companies, as well as military organizations, probably being used as fake entries on the nameserver associated with the given domains.

    The Enterprise Threat Protector security research team suspects that these IP addresses are not compromised machines and that the presence of these IP addresses on the nameserver can be explained as a technique being used by C&C network owners designed to inherit the reputation of the associated organizations. Inspection of such domains by law enforcement or security vendors can result in misleading conclusions on the nature of the domains and the associated IP addresses."

    I'm pretty sure that this is the case and this CERT thought all the IP addresses were compromised and contacted everyone.

  • martinhuwa Member
    edited September 2020

    Old and different story. Still, I think in this case the Fast Flux network used many fake IP addresses to irritate researchers as this is often the case.

    chkrootkit and rkhunter should find nothing malicious.

  • So your take is that Hetzner is going to terminate the services of every dedicated server that shows up on this scan?

    Again, this is nothing. But as a provider they have to notify everyone that may potentially be affected to catch the 1 time out of 1000. If they didn't, then that 1 case would do shit like this thread, but with "WhY HetZNEr no TELL Me?!?!"

    For the sake of Katie's sanity I hope Hetzner has deemed forums like this place to be lost causes and focuses on the non-shitty clients.

  • Hetzner does not simply terminate anything. They just forward the emails. So, as already mentioned: the email can probably be ignored.

  • The fear of consequences is understandable, but nothing happens if you ignore the email or answer: "I think this is not correct / a false positive."