How exactly does a Hetzner dedicated server get compromised?
I have a Hetzner server, which I reinstalled fresh. Because the term with my current provider is not finished yet, I didn't use it immediately. About a week later, I got an email from Hetzner.
I know I can just reinstall it again; it's just that I am curious. How does a freshly installed dedicated server get compromised?
Is the password sent by email in plain text intercepted by a middleman? Is Hetzner's database compromised?
I mean, is it possible to log in to a server without a password at all? If it's possible, I want to know how.
As of right now, I just reinstalled the server and turned it off.
Comments
You mean a fast-flux email? Just got one as well
Yes, the fast-flux one. Glad to hear others suffered the same fate as I did. So, I am not alone? Does it mean Hetzner screwed up?
There are bots scanning for easy passwords via SSH brute force; maybe that's how it got compromised?
Well, the domain that was at the end of the email doesn't match mine whatsoever, so I'm just guessing it was someone who used the server before me. (Auction server)
Haven't had the chance to look at the logs yet. My server is also set to hosts.allow sshd for just my IP, so I doubt someone got in.
The password generated by hetzner is anything but easy.
But why now though? I have had the server for about 1 week.
No idea, to be honest. I've had that one for months on end now.
Maybe @Hetzner_OL has any idea? Also the email states that it's up to you if you take any action at all so I doubt it's anything too serious.
What exactly did it say, this email?
INCIBE-CERT has detected some domain names that seem to be using Fast-Flux techniques[1] pointing to machines under your constituency, which may be members of a botnet.
Something something
We recommend that you enquire with the customer whether he recognizes the domain as one they own/provide a service to. In case he doesn't, the host should probably be considered compromised, and appropriate measures taken to clean it and ensure it doesn't get compromised again.
I just noticed that the IP in the email is the secondary IP for the server not the main one to begin with. That IP isn't even in use.
I've had this happen to me before too; the server was idling and fully hardened.
I also got the same info. Whether this is valid, I don't know, but my server has no suspicious activity.
Maybe it's an automated email to everyone lol?
Why is Hetzner sending a broadcast email from an abuse address, with an abuse ID in the subject?
@Hetzner_OL we demand an explanation.
"We demand"? I ain't demanding anything.
We as in, I, me and myself.
Don't get me wrong. It would be nice to know the root cause of this, but "demand" isn't exactly the word you should use. And maybe you'd get a faster response from their support.
Indeed, "demand" isn't the word you should use.
Sue, instead.
Let me know if you don’t want this server.
Hetzner is forwarding an email they get from INCIBE-CERT - CSIRT of the Spanish National Cybersecurity Institute as they are legally required to. If you want to pitch a bitch then yell at them.
It's the same situation when you run Proxmox with open RPCBIND, ignore them and just go about your business.
If you are using regular password-based authentication and left the default SSH port (22) open, without any form of brute-force protection, it wouldn't take too long for anyone to break in.
How exactly is a German company legally obligated to forward Spanish institute letters?
Usually, when you ignore an abuse email, bad things happen. Hetzner shouldn't have sent it from the abuse email address. I am not used to ignoring abuse emails. When I get an abuse email, "something must be wrong" is the first sentence that comes to my mind.
Then don't ignore it - tell them you think it's a mistake and explain why
Then you haven't used Hetzner all that much.
Edit: I get it, it's embarrassing when you scream "FIRE" in a room where someone lit a candle, and you're trying to save face but really this is a shitload of nothing.
See https://laracasts.com/discuss/channels/forge/abuse-reported-botnet-from-a-laravel-forge-created-server and my answer. I doubt that your server is compromised.
See https://blogs.akamai.com/2017/10/digging-deeper-an-in-depth-analysis-of-a-fast-flux-network-part-three.html
"Analysis of the U.S. IP addresses shows that many of those IP addresses belong to Fortune 100 companies, as well as military organizations, probably being used as fake entries on the nameserver associated with the given domains.
The Enterprise Threat Protector security research team suspects that these IP addresses are not compromised machines and that the presence of these IP addresses on the nameserver can be explained as a technique being used by C&C network owners designed to inherit the reputation of the associated organizations. Inspection of such domains by law enforcement or security vendors can result in misleading conclusions on the nature of the domains and the associated IP addresses."
I'm pretty sure that this is the case and this CERT thought all the IP addresses are compromised and contacted everyone.
https://www.lowendtalk.com/discussion/comment/2877426/#Comment_2877426
Old and different story. Still, I think in this case the Fast Flux network used many fake IP addresses to irritate researchers as this is often the case.
chkrootkit and rkhunter should find nothing malicious.
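A defender-side triage check for a report like this one, added here and not code from the thread, Hetzner or INCIBE-CERT: it scores repeated A lookups of the reported domain for fast-flux behaviour (short TTLs, many changing IPs, as the Akamai analysis quoted above describes) and lists what this host actually has bound on the reported IP, which is where an unused secondary IP would show up with no dedicated service. All domains, IPs and `ss` lines are constructed sample data; it complements, not replaces, a chkrootkit/rkhunter run.

```python
# Added triage helper, not code from the thread. Input: repeated A lookups of the domain
# in the CERT report and this host's `ss -Htlnp` output. All sample data is constructed.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Lookup:
    ttl: int          # TTL of the A records in one answer
    ips: frozenset    # A records returned by one `dig +noall +answer <domain>`


def flux_indicators(lookups, ttl_threshold=300):
    """Crude fast-flux signals: short TTLs, many distinct IPs, churn between answers."""
    distinct = Counter(ip for lk in lookups for ip in lk.ips)
    churn = sum(1 for a, b in zip(lookups, lookups[1:]) if a.ips != b.ips)
    max_ttl = max(lk.ttl for lk in lookups)
    return {"distinct_ips": len(distinct), "changes": churn, "low_ttl": max_ttl <= ttl_threshold,
            "looks_fast_flux": max_ttl <= ttl_threshold and churn >= 2 and len(distinct) >= 5}


def bound_services(ss_lines, ip):
    """From `ss -Htlnp` lines, return (host, port, process) sockets on ip or a wildcard address."""
    hits = []
    for line in ss_lines:
        f = line.split()
        if len(f) < 5:
            continue
        host, _, port = f[3].rpartition(":")
        if host in (ip, "0.0.0.0", "*", "[::]"):
            hits.append((host, port, f[5] if len(f) > 5 else "-"))
    return hits


def triage(lookups, reported_ip, my_ips, ss_lines):
    """Combine the domain's DNS behaviour with what this host really serves on the reported IP."""
    svcs = bound_services(ss_lines, reported_ip)
    return {**flux_indicators(lookups),
            "reported_ip_is_mine": reported_ip in my_ips,
            "reported_ip_in_dns": any(reported_ip in lk.ips for lk in lookups),
            "services_on_reported_ip": [s for s in svcs if s[0] == reported_ip],
            "wildcard_services": [s for s in svcs if s[0] != reported_ip]}


# Constructed sample: three lookups minutes apart (TEST-NET addresses only), plus an ss dump
# where the main IP serves nginx while the secondary IP has nothing bound to it specifically.
SAMPLE_LOOKUPS = [
    Lookup(60, frozenset({"198.51.100.7", "198.51.100.23", "203.0.113.11", "192.0.2.44"})),
    Lookup(60, frozenset({"198.51.100.23", "192.0.2.9", "203.0.113.11", "198.51.100.70"})),
    Lookup(45, frozenset({"192.0.2.44", "192.0.2.9", "198.51.100.70", "203.0.113.11"})),
]
SAMPLE_SS = ['LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))',
             'LISTEN 0 511 203.0.113.10:80 0.0.0.0:* users:(("nginx",pid=1201,fd=6))']
MY_IPS = {"203.0.113.10", "203.0.113.11"}  # main IP and the unused secondary IP
```

Run `triage(SAMPLE_LOOKUPS, "203.0.113.11", MY_IPS, SAMPLE_SS)`: the domain looks fast-flux and lists the secondary IP, but nothing on the host is bound to that IP except the wildcard sshd socket, which is consistent with the "fake entry on the nameserver" explanation quoted above.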
So your take is that Hetzner is going to terminate the services of every dedicated server that shows up on this scan?
Again, this is nothing. But as a provider they have to notify everyone that potentially may be affected to catch the 1 time out of 1000. If they didn't then the 1 case would do shit like this thread but with "WhY HetZNEr no TELL Me?!?!"
For the sake of Katie's sanity I hope Hetzner has deemed forums like this place to be lost causes and focus on the non shitty clients.
Hetzner does not simply terminate anything. They just forward the emails. So, as already mentioned: the email can probably be ignored.
The fear of consequences is understandable, but nothing happens if you ignore the email or answer: "I think this is not correct / a false positive."