How exactly a hetzner dedicated server is compromised ? - Page 2
Comments

  • raindog308 Administrator, Veteran

    @LightBlade said: machines under your constituency

    You were elected to run this server?

    Thanked by 1: Aidan
  • @PHDan said: For the sake of Katie's sanity I hope Hetzner has deemed forums like this place to be lost causes and focus on the non shitty clients.


    So asking a question here without wanting to bother the abuse team right away is a sign of a shitty client now? Gotcha.

  • yokowasis Member
    edited September 2020

    @PHDan said:

    @yokowasis said: Usually when you ignore abuse email, bad things happened. Hetzner shouldn't have sent it from abuse email. I am not used to ignoring abuse email. When I got abuse email, something must be wrong is the first sentence that comes to my mind.

    Then you haven't used Hetzner all that much.

    Edit: I get it, it's embarrassing when you scream "FIRE" in a room where someone lit a candle, and you're trying to save face but really this is a shitload of nothing.

    Yeah, I said it. I have been using Hetzner for 1 week. "Using" is not the right term, because I haven't used the server yet.

    And I am not trying to save face or anything. I am just looking for some info; I got the info, mission accomplished.

    If you want to use the fire analogy, it's the fireman who screams "fire". I am not aware of any fire, so I ask the townsfolk; they also hear the fire warning, and they explain that it's just the thing that fireman does: screaming false-positive fire alerts.

  • PHDan Member
    edited September 2020

    @serv_ee said: So asking a question here without wanting to bother the abuse team right away is a sign of a shitty client now?

    No, opening a topic that's a passive aggressive shot at Hetzner ("does hetzner database compromised ?") is.

    Edit: https://www.lowendtalk.com/discussion/comment/3136340/#Comment_3136340

    [@yokowasis said] The rules don't apply to some providers; OVH and Hetzner are two of those providers.

  • @PHDan said:

    @serv_ee said: So asking a question here without wanting to bother the abuse team right away is a sign of a shitty client now?

    No, opening a topic that's a passive aggressive shot at Hetzner ("does hetzner database compromised ?") is.

    It's a genuine question. You either login without password, or with password. Hence the next question.

    I mean is it possible to login to a server without a password at all ?

  • @yokowasis said: It's a genuine question.

    Bullshit. You have a chip with Hetzner, your comments show it.

  • @PHDan said:

    @serv_ee said: So asking a question here without wanting to bother the abuse team right away is a sign of a shitty client now?

    No, opening a topic that's a passive aggressive shot at Hetzner ("does hetzner database compromised ?") is.

    Edit: https://www.lowendtalk.com/discussion/comment/3136340/#Comment_3136340

    The rules don't apply to some providers; OVH and Hetzner are two of those providers.

    Yeah, I agree the wording could have been a little better, but not everyone's English is perfect enough to choose from a ton of words.

    To be fair, when I got the email today I thought of making a topic about it as well, asking, but then I remembered my .allow/.deny rules to begin with. Not everyone is always up to date with abuse emails, and of course they can scare a person. But "demanding" stuff is already a different subject.

    And as for your edit, I haven't been here as long as most, but I've yet to see Hetzner doing any promos at all.

  • @serv_ee said: And as for your edit,

    My apologies, I was having trouble with the edits and the links. The gist is that the OP has a bug about Hetzner already.

  • @PHDan said:

    @yokowasis said: It's a genuine question.

    Bullshit. You have a chip with Hetzner, your comments show it.

    WTF is a chip ?

    Yeah, you do you, mate. You can call me bullshit; I can also call you bullshit. I have nothing against Hetzner. This thread was opened solely with the assumption that my server "IS" hacked; otherwise I won't be reinstalling and turning off my server.

    Asking for advice on where the possible entry point is so it won't happen again in the future.

    But sure, you know better. Whatever, mate. Cheers. Have a good day.

  • Ah yes, when called out make sure you flip the table...

  • @PHDan said:

    @serv_ee said: So asking a question here without wanting to bother the abuse team right away is a sign of a shitty client now?

    No, opening a topic that's a passive aggressive shot at Hetzner ("does hetzner database compromised ?") is.

    Edit: https://www.lowendtalk.com/discussion/comment/3136340/#Comment_3136340

    [@yokowasis said] The rules don't apply to some providers; OVH and Hetzner are two of those providers.

    This is out of context; it's based on my experience and what I remember. I remember vaguely about Hetzner (or is it Online.net?), but OVH / Kimsufi has definitely been allowed to break rules in the past.

    You want to accuse me of having something against OVH too? Fine by me.

  • as others pointed out hetzner forwards such mails they get from different 'security' or 'researching' institutes, government, whatever... that's why I asked for the content in the first place.

    normally these mails contain something like this:

    Die Weiterleitung dieser Beschwerde dient nur als Information für Sie.
    Wir erwarten bezüglich dieser Beschwerde keine Rückmeldung Ihrerseits.
    Wir bitten jedoch darum, der Meldung nachzugehen und evtl. Probleme zu beheben.

    in english:

    The forwarding of this complaint is for your information only.
    We do not expect any feedback from you regarding this complaint.
    However, we would ask you to follow up on the report and correct any problems.

    so maybe check if that is the case, and then you probably can simply ignore the mail and nothing is wrong.

    as you said yourself, you got that just now, therefore I'd say chances are high, that previous IP owner had a problem. maybe also check if the original text they attached from the CERT holds a timestamp of when they checked whatever.

    btw: I agree that asking if hetzner has a database leak, mitm attack or security problem at all here made it sound a bit aggressive at first, assuming there was enough info such as that quoted above, which you could have read before ranting ;-)

    Thanked by 1: Hetzner_OL
  • If I recall from another thread, he got the server via a private transfer, so the IP is the old user's IP, unlike when you get a new server and they assign an IP out of the IP pool they have available. Hence receiving stuff caused by the prior user.

    Thanked by 1: Hetzner_OL
  • This actually brings up a good question: what's a good way to scan for "botnets" on Linux servers?

  • yokowasis Member
    edited September 2020

    @Falzo said:
    btw: I agree that asking if hetzner has a database leak, mitm attack or security problem at all here made it sound a bit aggressive at first, assuming there was enough info such as that quoted above, which you could have read before ranting ;-)

    Again, I am not ranting. It's a genuine question. I am sorry if anyone is offended by that.

    However, we would ask you to follow up on the report and correct any problems.

    I am just trying to follow up on the report and figure out what the hell is going on so I can correct any problem and prevent it from happening again. Hence asking here.

  • @serv_ee said: what's a good way to scan for "botnets" on Linux servers?

    top/htop/iotop - monitor the disk/cpu/network. If you're compromised then the processes will be rather obvious.

  • @serv_ee said:
    This actually brings up a good question: what's a good way to scan for "botnets" on Linux servers?

    I've mentioned a few (rkhunter, chkrootkit and others).

    Plus I've mentioned that the systems are probably not compromised.

    Scanned our servers and checked with a few more tools, nothing suspicious.

    Thanked by 2: serv_ee, plumberg
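    A small triage pass that applies the advice in these two replies (look at what is running and listening, then confirm with rkhunter/chkrootkit) as an added example; it is not code from the thread or from any of the tools mentioned. It parses a constructed `ss -ltnp` listing and a constructed map of `/proc/<pid>/exe` link targets, and flags listeners whose port is not in an expected-services list, whose process name does not match the expected service, or whose executable has been deleted or lives in a temp directory. The `ss` lines, the PIDs, the `/tmp/.x/kworkerd` path and the `EXPECTED` table are all constructed sample data, and the heuristics are assumptions, not a complete rootkit check.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -ltnp` output: one IRC-port listener run by a
# process that borrows a kernel-thread-like name and whose binary was deleted.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=1203,fd=6),("nginx",pid=1204,fd=6))
LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=812,fd=4))
LISTEN 0      128        127.0.0.1:5432      127.0.0.1:*     users:(("postgres",pid=990,fd=5))
LISTEN 0      50           0.0.0.0:6667      0.0.0.0:*     users:(("kworkerd",pid=4412,fd=5))
"""

# Constructed `readlink /proc/<pid>/exe` results keyed by PID.
EXE_LINKS = {
    812: "/usr/sbin/sshd",
    1203: "/usr/sbin/nginx",
    1204: "/usr/sbin/nginx",
    990: "/usr/lib/postgresql/13/bin/postgres",
    4412: "/tmp/.x/kworkerd (deleted)",
}

# Assumed baseline for this host: port -> process name that should own it.
EXPECTED = {22: "sshd", 443: "nginx", 5432: "postgres"}

# Matches one ("name",pid=N,fd=N) entry in the Process column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Listener:
    addr: str
    port: int
    procs: list  # [(process name, pid), ...]


def parse_ss(text):
    """Parse LISTEN rows of `ss -ltnp`; the header and non-LISTEN rows are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        procs = [(name, int(pid)) for name, pid in PROC_RE.findall(line)]
        listeners.append(Listener(addr, int(port), procs))
    return listeners


def triage(listeners, exe_links, expected):
    """Return one finding per (listener, process) that breaks the baseline."""
    findings = []
    for lst in listeners:
        for name, pid in lst.procs:
            reasons = []
            want = expected.get(lst.port)
            if want is None:
                reasons.append(f"port {lst.port} is not in the expected-services list")
            elif want != name:
                reasons.append(f"port {lst.port} is served by {name!r}, expected {want!r}")
            exe = exe_links.get(pid, "")
            if exe.endswith("(deleted)"):
                reasons.append("executable was deleted from disk after it started")
            if exe.startswith(TEMP_DIRS):
                reasons.append("executable lives in a world-writable temp directory")
            if reasons:
                findings.append({"addr": lst.addr, "port": lst.port,
                                 "proc": name, "pid": pid, "reasons": reasons})
    return findings


def sample_findings():
    """Run the triage over the constructed sample."""
    return triage(parse_ss(SS_OUTPUT), EXE_LINKS, EXPECTED)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['addr']}:{f['port']} {f['proc']} (pid {f['pid']})")
        for r in f["reasons"]:
            print("   -", r)
```

    On a real host you would feed it `ss -ltnp` output and the targets of `/proc/*/exe`, and keep `EXPECTED` per machine; a finding is a lead to confirm with rkhunter/chkrootkit and the process tree, not proof of compromise, and the honest "get rid of" step after confirming one is still the reinstall mentioned below.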
  • serv_ee Member
    edited September 2020

    @PHDan said:

    @serv_ee said: what's a good way to scan for "botnets" on Linux servers?

    top/htop/iotop - monitor the disk/cpu/network. If you're compromised then the processes will be rather obvious.

    Yea, I was thinking more along the lines of "how to detect and get rid of it the easy way" lol. Being an old Windows user has its downsides.

    Thanks @martinhuwa, I'll surely keep it in mind for the future.

  • @serv_ee said:

    @PHDan said:

    @serv_ee said: what's a good way to scan for "botnets" on Linux servers?

    top/htop/iotop - monitor the disk/cpu/network. If you're compromised then the processes will be rather obvious.

    Yea, I was thinking more along the lines of "how to detect and get rid of it the easy way" lol. Being an old Windows user has its downsides.

    Thanks @martinhuwa, I'll surely keep it in mind for the future.

    Get rid of = format/reinstall

    Thanked by 1: PHDan
  • Hello from INCIBE-CERT team

    The email means exactly what it says: a domain which appears to be hosted using a Fast-Flux network (its pattern looks similar to one) is pointing to your IP address. Obviously this is no hard evidence of compromise, as anyone can point their domain to an IP they don't own (not to mention we might have erred on the detection, too!).

    However, when a domain resolves to an IP address, it usually means that it does use it for something, even if the owner of the server is unaware of that. The purpose of the notification is precisely to make him aware that someone is using their machine to serve that domain (the domain(s) involved is provided at the very bottom of the email).

    We try very hard not to present that as facts ("may be members of a botnet", "we can only infer…"), but if it was indeed compromised, it would be quite bad. In this case, since the IP address was not in use, it seems clear that it wasn't, and @martinhuwa has probably hit the nail on the head in that their owners likely polluted the domain resolution on purpose to annoy/distract security researchers.

    I can only apologise for the confusion/distress this caused you all.

    Best regards

    PS: Regarding the point raised by @raindog308, in the context of abuse reporting the term 'constituency' is used to refer to the machines/users served by an abuse team. See https://tools.ietf.org/html/rfc2350#section-3.3.2

    For example, Spanish companies and citizens are under the constituency of INCIBE-CERT, so you could notify us (and are welcome to) if you found a phishing website hosted on a Spanish site, or received attacks from a Spanish IP address that is part of a botnet.

    Thanked by 3: TimboJones, pike, SteveMC
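    The reasoning in the INCIBE-CERT reply (a domain whose resolution pattern looks like fast flux resolves to your IP; that is an inference about the domain, and any zone owner can point a record at an address they do not control) worked through as an added example. This is not INCIBE-CERT's detector and not code from the thread. It scores constructed DNS observations with three common fast-flux indicators (many distinct IPs, many origin ASNs, short TTLs), then reports which flagged domains ever resolved to a given IP and when. The domains, addresses (TEST-NET ranges), timestamps, ASN numbers and the thresholds are all constructed or assumed; the ASN per IP is assumed to come from a separate route or whois lookup.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    domain: str
    ip: str
    ttl: int      # TTL of the A record at the time it was observed
    asn: int      # origin AS of the IP (assumed to come from a route/whois lookup)
    seen_at: int  # unix timestamp of the observation


# Constructed sample: (domain, ip, ttl, asn, seen_at).
# flux.example rotates through many IPs in many ASNs with a 60 s TTL;
# cdn.example also rotates IPs but stays inside one ASN (CDN-like);
# static.example is a single long-TTL record.
_RAW = [
    ("flux.example", "203.0.113.10", 60, 64500, 1600000000),
    ("flux.example", "198.51.100.7", 60, 64501, 1600000060),
    ("flux.example", "192.0.2.44", 60, 64502, 1600000120),
    ("flux.example", "203.0.113.77", 60, 64503, 1600000180),
    ("flux.example", "198.51.100.9", 60, 64501, 1600000240),
    ("flux.example", "192.0.2.200", 60, 64504, 1600000300),
    ("cdn.example", "192.0.2.10", 60, 64510, 1600000000),
    ("cdn.example", "192.0.2.11", 60, 64510, 1600000060),
    ("cdn.example", "192.0.2.12", 60, 64510, 1600000120),
    ("cdn.example", "192.0.2.13", 60, 64510, 1600000180),
    ("cdn.example", "192.0.2.14", 60, 64510, 1600000240),
    ("static.example", "203.0.113.99", 3600, 64500, 1600000000),
    ("static.example", "203.0.113.99", 3600, 64500, 1600003600),
    ("static.example", "203.0.113.99", 3600, 64500, 1600007200),
]
OBSERVATIONS = [Observation(*r) for r in _RAW]


def group_by_domain(observations):
    groups = defaultdict(list)
    for o in observations:
        groups[o.domain].append(o)
    return groups


def indicators(obs, min_ips=5, min_asns=3, max_ttl=300):
    """Fast-flux indicators for one domain's observations (thresholds are assumptions)."""
    ips = {o.ip for o in obs}
    asns = {o.asn for o in obs}
    return {
        "many_ips": len(ips) >= min_ips,
        "many_asns": len(asns) >= min_asns,   # separates flux from single-AS CDNs
        "short_ttl": max(o.ttl for o in obs) <= max_ttl,
    }


def domain_indicators(observations, **thresholds):
    return {d: indicators(obs, **thresholds)
            for d, obs in group_by_domain(observations).items()}


def fast_flux_domains(observations, **thresholds):
    """Domains for which every indicator fires."""
    return {d: ind for d, ind in domain_indicators(observations, **thresholds).items()
            if all(ind.values())}


def ips_implicated(observations, candidate_ip, **thresholds):
    """Flagged domains that ever resolved to candidate_ip -> (first_seen, last_seen).

    A hit is a lead for the host's owner to check what is actually being served,
    not proof of compromise: anyone can publish an A record for any address.
    """
    flagged = fast_flux_domains(observations, **thresholds)
    hits = {}
    for o in observations:
        if o.domain in flagged and o.ip == candidate_ip:
            first, last = hits.get(o.domain, (o.seen_at, o.seen_at))
            hits[o.domain] = (min(first, o.seen_at), max(last, o.seen_at))
    return hits


if __name__ == "__main__":
    for d, ind in domain_indicators(OBSERVATIONS).items():
        print(d, ind, "FLAGGED" if all(ind.values()) else "")
    print(ips_implicated(OBSERVATIONS, "203.0.113.10"))
```

    The `first_seen`/`last_seen` pair is the timestamp detail suggested earlier in the thread: if the last observation predates your ownership of the address, the notification most likely concerns the previous holder.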
  • Hi @INCIBE-CERT,

    I received this email yesterday too. And... I'm a bit angry at you.

    Sorry but, your email was not only about a domain which appears to be hosted using a Fast-Flux network.

    Some parts of your mail:

    However, finding its IP address belonging to a fast flux domain is a strong indicator that a given host is compromised (or has been in the past, sometimes the evildoer fails to promptly remove the ip from the fast flux domain).

    We recommend you to enquire of the customer whether he recognizes the domain as one they own/provide a service to. In case he doesn't, the host should probably be considered compromised, and appropriate measures taken to clean it and ensure it doesn't get compromised again.

    According to your email, you seemed pretty sure that my machine was compromised.

    Anyone can refer one of my IP in their zonefile, anyone...

    It's stressful to receive this kind of email from the abuse team of the company that hosts your server (risk of server shutdown by Hetzner? What about my reputation at Hetzner with an "abuse" ticket associated to my account?)

    I wasted my time making sure the machine was not compromised (a virtual machine that hosts pfSense on which only https is open).

    I think you need to investigate further before sending this kind of email (and annoying people).

    Thanked by 1: hanoi
  • Now this is straight out PMS-ing.

    @deank

  • deank Member, Troll

    A major difference between PMSing and just being mad/angry is loss of logic.

    A guy in PMS loses most of their logic and just babbles about some stuff she thinks she is mad about, but it doesn't really make sense.

    The guy you are referring to has some tint of logic, so I'd say he's just pissed.

  • Actually he just cut half of the email out. I got the same one, where it says whether you take any action is up to you and you don't need to do anything. So yeah, cherry picking at its finest.

    Thanked by 1: NanoG6
  • deank Member, Troll

    The girl (OP) in Hypermark scam beaware! thread is definitely PMSing.

    No logic whatsoever.

  • serv_ee Member
    edited October 2020

    Not gonna lie and say that I'm not

  • darthmaul0181 Member
    edited October 2020

    @deank said:
    The guy you are referring has some tint of logic, so I'd say he's just pissed.

    Thanks ;)

    @serv_ee
    Actually he just cut half of the email out. I got the same one, where it says whether you take any action is up to you and you don't need to do anything. So yeah, cherry picking at its finest.

    The "does not require any further action on your part" part of the e-mail is from Hetzner.

    The part from INCIBE-CERT is more alarming.

    When you receive an email from the abuse team saying there is something abnormal about one of your IPs... if you are a bit conscientious you take the time to ensure everything is ok instead of throwing the mail in the trash and saying "ehhh I don't care!".

    And now, the guy from INCIBE-CERT comes with a more relaxed attitude and uses words like "appears", "no evidence", "maybe erred in our detection tool". In the meantime, they have annoyed a lot of people (abuse team and clients) for... nothing.

    Like @deank said, I'm just pissed. Just wanted to say it to a representative of INCIBE-CERT. Nothing more. But if you want to consider that pissed people are making drama or PMSing... it's your problem ;)

  • serv_ee Member
    edited October 2020

    This is an information email only and does not require any further action on your part.

    It is your choice whether or not to investigate the complaint.

    which may be members of a botnet.

    See, we can all cherry pick sentences out of an email. You actually are PMSing more than my wife right now. If they didn't send you that email and you actually had a botnet, you'd be crying all over the place about why your server got disconnected.

    You knowing how to bold some parts of the email doesn't actually mean the rest of us can't read the rest of the email that isn't bolded. Fucking hell.

    Clearly if it was something serious your provider won't tell you "uh yeah, you don't need to do anything".

    Or let's say you got the email directly..

    You can contact us if you detect any fraudulent activity under a .es domain or related with Spanish resources, and we would try to help you to solve it.

    Look at this... god damn, who would have known to contact them...

    Thanked by 1: TimboJones