Comments
You were elected to run this server?
So asking a question here without wanting to bother the abuse team right away is a sign of a shitty client now? Gotcha.
Yeah, I said it. I have been using Hetzner for 1 week. "Using" is not the right term, because I haven't used the server yet.
And I am not trying to save face or anything. I'm just looking for some info; I got the info, mission accomplished.
If you want to use a fire analogy, it's the fireman who screams fire. I am not aware of any fire; asking the townsfolk, they also hear the fire warning, and they explain it's just the thing that fireman does: screaming false-positive fire alerts.
No, opening a topic that's a passive-aggressive shot at Hetzner ("does hetzner database compromised ?") is.
Edit: https://www.lowendtalk.com/discussion/comment/3136340/#Comment_3136340
It's a genuine question. You either log in without a password, or with a password. Hence the next question.
Bullshit. You have a chip with Hetzner; your comments show it.
Yeah, I agree the wording could have been a little better, but not everyone's English is perfect enough to choose from a ton of words.
To be fair, when I got the email today I thought of making a topic about it as well, asking, but then I remembered my .allow/.deny rules to begin with. Not everyone is always up to date with abuse emails, and of course they can scare a person. But "demanding" stuff is already a different subject.
And as for your edit, I haven't been here as long as most, but I've yet to see Hetzner doing any promos at all.
My apologies, I was having trouble with the edits and the links. The gist is that the OP has a bug about Hetzner already.
WTF is a chip?
Yeah, you do you, mate. You can call me bullshit; I can also call you bullshit. I have nothing against Hetzner; this thread was opened solely with the assumption that my server "IS" hacked, otherwise I wouldn't be reinstalling and turning off my server.
Asking for advice on where the possible entry point is, so it won't happen again in the future.
But sure, you know better. Whatever, mate. Cheers. Have a good day.
Ah yes, when called out make sure you flip the table...
This is out of context; it's based on my experience and what I remember. I remember vaguely about Hetzner (or is it Online.net?), but OVH / Kimsufi has definitely been allowed to break rules in the past.
You want to accuse me of having something against OVH too? Fine by me.
As others pointed out, Hetzner forwards such mails they get from different 'security' or 'research' institutes, government, whatever... that's why I asked for the content in the first place.
Normally these mails contain something like this:
In English:
So maybe check if that is the case; then you can probably simply ignore the mail, and nothing is wrong.
As you said yourself, you got that just now, therefore I'd say chances are high that the previous IP owner had a problem. Maybe also check if the original text they attached from the CERT holds a timestamp of when they checked whatever.
BTW: I agree that asking if Hetzner has a database leak, MITM attack or security problem at all made it sound a bit aggressive at first, assuming there was enough info, as quoted above, which you could have read before ranting ;-)
If I recall from the other thread, he got the server with a private transfer, so the IP is the old user's IP, unlike when you get a new server and they assign an IP out of the IP pool they have available. Hence receiving stuff caused by the prior user.
This actually brings up a good question: what's a good way to scan for "botnets" on Linux servers?
Again, I am not ranting. It's a genuine question. I am sorry if anyone is offended by that.
I am just trying to follow up on the report and figure out what the hell is going on, so I can correct any problem and prevent it from happening again. Hence asking here.
top/htop/iotop - monitor the disk/CPU/network. If you're compromised, then the processes will be rather obvious.
I've mentioned a few (rkhunter, chkrootkit and others).
Plus I've mentioned that the systems are probably not compromised.
Scanned our servers and checked with a few more tools, nothing suspicious.
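The "monitor the network and the processes will be obvious" advice above can be turned into a repeatable triage step. The following is an added example (not code from any poster, from Hetzner or from INCIBE-CERT): it parses `ss -tnp`-style output and reports processes that hold established connections to many different remote hosts on the same remote port, the fan-out shape a command-and-control or scanning process tends to show, while a normal inbound service (one local port, many ephemeral peer ports) does not trigger it. The sample lines, process names, PIDs and addresses are constructed for the example; the threshold `min_peers` is an assumption, and a hit is a reason to look at the process, not proof of compromise.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of `ss -tnp` output (not real data).
# "kworkerd" is a made-up process name chosen to look like a kernel thread.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 203.0.113.10:22 198.51.100.5:50212 users:(("sshd",pid=812,fd=4))
ESTAB 0 0 203.0.113.10:443 198.51.100.9:51733 users:(("nginx",pid=1024,fd=12))
ESTAB 0 0 203.0.113.10:41210 192.0.2.20:6667 users:(("kworkerd",pid=4471,fd=3))
ESTAB 0 0 203.0.113.10:41211 192.0.2.21:6667 users:(("kworkerd",pid=4471,fd=4))
ESTAB 0 0 203.0.113.10:41212 192.0.2.22:6667 users:(("kworkerd",pid=4471,fd=5))
ESTAB 0 0 203.0.113.10:41213 192.0.2.23:6667 users:(("kworkerd",pid=4471,fd=6))
"""

# One `ss -tnp` line: state, queues, local addr:port, peer addr:port, owning process.
LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)'
)


def parse_ss(text):
    """Parse `ss -tnp`-style lines into dicts; the header and unmatched lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # rpartition keeps IPv6 literals such as [2001:db8::1]:443 intact.
        peer_host, _, peer_port = m.group("peer").rpartition(":")
        conns.append({
            "state": m.group("state"),
            "local": m.group("local"),
            "peer_host": peer_host,
            "peer_port": int(peer_port),
            "proc": m.group("proc"),
            "pid": int(m.group("pid")),
        })
    return conns


def fan_out_by_process(conns):
    """Map (proc, pid, peer_port) -> set of distinct peer hosts, established sockets only."""
    fan = defaultdict(set)
    for c in conns:
        if c["state"] != "ESTAB":
            continue
        fan[(c["proc"], c["pid"], c["peer_port"])].add(c["peer_host"])
    return fan


def flag_suspicious(conns, min_peers=3):
    """Return (proc, pid, peer_port, n_peers) for processes talking to many hosts on one port.

    Inbound services do not trigger: their peers sit on varied ephemeral ports.
    A legitimate outbound client (crawler, mail relay) can trigger, so treat hits as leads.
    """
    hits = []
    for (proc, pid, port), hosts in sorted(fan_out_by_process(conns).items()):
        if len(hosts) >= min_peers:
            hits.append((proc, pid, port, len(hosts)))
    return hits


if __name__ == "__main__":
    # On a live host you would feed in: subprocess.check_output(["ss", "-tnp"], text=True)
    for proc, pid, port, n in flag_suspicious(parse_ss(SAMPLE_SS)):
        print("fan-out: %s pid=%d -> %d hosts on remote port %d" % (proc, pid, n, port))
```

Run it against the real `ss -tnp` output of the host (it needs root to see other users' process names) and then cross-check any hit with `ls -l /proc/<pid>/exe` and `cat /proc/<pid>/cmdline`; a binary that has been deleted from disk or lives under /tmp or /dev/shm is the next thing to look at.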
Yeah, I was thinking more along the lines of "how to detect and get rid of it the easy way" lol. Being an old Windows user has its downsides.
Thanks @martinhuwa. I'll surely keep it in mind for the future.
Get rid of = format/reinstall
Hello from the INCIBE-CERT team
The email means exactly what it says: a domain which appears to be hosted using a Fast-Flux network (its pattern looks similar to one) is pointing to your IP address. Obviously this is no hard evidence of compromise, as anyone can point their domain to an IP they don't own (not to mention we might have erred on the detection, too!).
However, when a domain resolves to an IP address, it usually means that it does use it for something, even if the owner of the server is unaware of that. The purpose of the notification is precisely to make them aware that someone is using their machine to serve that domain (the domain(s) involved are provided at the very bottom of the email).
We try very hard not to present that as facts ("may be members of a botnet", "we can only infer…"), but if it was indeed compromised, it would be quite bad. In this case, since the IP address was not in use, it seems clear that it wasn't, and @martinhuwa has probably hit the nail on the head in that their owners likely polluted the domain resolution on purpose to annoy/distract security researchers.
I can only apologise for the confusion/distress this caused you all.
Best regards
PS: Regarding the point raised by @raindog308, in the context of abuse reporting the term 'constituency' is used to refer to the machines/users served by an abuse team. See https://tools.ietf.org/html/rfc2350#section-3.3.2
For example, Spanish companies and citizens are under the constituency of INCIBE-CERT, so you could notify us (and are welcome to) if you found a phishing website hosted on a Spanish site, or received attacks from a Spanish IP address that is part of a botnet.
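The INCIBE-CERT explanation above rests on two separate observations: a domain's resolution pattern "looks similar to" fast-flux (many IPs, many networks, short TTLs), and one of those IPs happens to be yours, which anyone can arrange by editing their own zone. The example below is added here and is not INCIBE-CERT's detector or any poster's code; it shows both halves of that reasoning on constructed DNS observations, so a server owner who receives such a notice can see why a pointer to their IP is a lead rather than evidence. The domains, IPs, TTLs and the thresholds (`min_ips`, `min_nets`, `max_ttl`) are assumptions chosen for illustration; a real detector would use ASN diversity and a time series of answers rather than a single snapshot, and only IPv4 is handled.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed DNS observations (not real data): (domain, resolved IPv4, TTL in seconds).
# ".invalid" names and documentation prefixes are used so nothing here resolves for real.
OBSERVATIONS = [
    ("flux-example.invalid", "198.51.100.7", 60),
    ("flux-example.invalid", "192.0.2.44", 60),
    ("flux-example.invalid", "203.0.113.10", 60),      # the notified server's IP
    ("flux-example.invalid", "198.51.100.200", 60),
    ("flux-example.invalid", "192.0.2.99", 60),
    ("flux-example.invalid", "203.0.113.77", 60),
    ("static-example.invalid", "203.0.113.10", 3600),  # same IP, but a stable record
    ("static-example.invalid", "203.0.113.10", 3600),
]


def summarise(observations):
    """Per domain: distinct IPs, distinct /24 networks (a crude diversity proxy), and TTLs seen."""
    per = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for domain, ip, ttl in observations:
        per[domain]["ips"].add(ip)
        per[domain]["nets"].add(str(ip_network(ip + "/24", strict=False)))
        per[domain]["ttls"].append(ttl)
    return per


def flux_score(summary, min_ips=5, min_nets=3, max_ttl=300):
    """Return {domain: bool}; True when the resolution pattern looks fast-flux-like.

    Thresholds are illustrative assumptions. CDNs also rotate many IPs, which is one
    reason such a notice is phrased as 'appears' and 'may be' rather than as a finding.
    """
    result = {}
    for domain, s in summary.items():
        avg_ttl = sum(s["ttls"]) / len(s["ttls"])
        result[domain] = (
            len(s["ips"]) >= min_ips
            and len(s["nets"]) >= min_nets
            and avg_ttl <= max_ttl
        )
    return result


def domains_pointing_at(observations, my_ip):
    """Which observed domains have resolved to my_ip: this is all a CERT notice establishes."""
    me = ip_address(my_ip)
    return sorted({d for d, ip, _ in observations if ip_address(ip) == me})


def triage(observations, my_ip):
    """Pair each domain that points at my_ip with whether its pattern looks flux-like.

    A True entry says 'someone listed your address among a flux-looking set', not that
    the host serves the domain; confirming that means checking what the host actually
    answers for that name (local vhosts, listeners, recent connections).
    """
    flags = flux_score(summarise(observations))
    return {d: flags[d] for d in domains_pointing_at(observations, my_ip)}


if __name__ == "__main__":
    for domain, flux_like in triage(OBSERVATIONS, "203.0.113.10").items():
        print("%s -> points at us; flux-like pattern: %s" % (domain, flux_like))
```

The useful property of separating the two checks is that the answer to "is my server part of this?" never comes from the DNS side alone: `flux-example.invalid` is flagged and lists the server's address, yet on a freshly reinstalled or unused host there is nothing local that answers for it, which is exactly the conclusion INCIBE-CERT reached for the thread's case.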
Hi @INCIBE-CERT,
I received this email yesterday too. And... I'm a bit angry at you.
Sorry, but your email was not only about a domain which appears to be hosted using a Fast-Flux network.
Some parts of your mail:
According to your email, you seemed pretty sure that my machine was compromised.
Anyone can reference one of my IPs in their zone file, anyone...
It's stressful to receive this kind of email from the abuse team of the company that hosts your server (risk of server shutdown by Hetzner? What about my reputation at Hetzner with an "abuse" ticket associated to my account?)
I wasted my time making sure the machine was not compromised (a virtual machine that hosts pfSense on which only https is open).
I think you need to investigate further before sending this kind of email (and annoying people).
Now this is straight-out PMS-ing.
@deank
@serv_ee still hunting for drama since May, I see: https://www.lowendtalk.com/discussion/164851/low-end-hosting-dramas#latest
A major difference between PMSing and just being mad/angry is loss of logic.
A guy in PMS loses most logic and just babbles about some stuff she thinks she is mad about that doesn't really make sense.
The guy you are referring to has some tint of logic, so I'd say he's just pissed.
Actually, he just cut half of the email out. I got the same one, where it says whether you take any action is up to you and you don't need to do anything. So yeah, cherry-picking at its finest.
The girl (OP) in the "Hypermark scam beaware!" thread is definitely PMSing.
No logic whatsoever.
Not gonna lie and say that I'm not
Thanks
The "does not require any further action on your part" part of the e-mail is from Hetzner.
The part from INCIBE-CERT is more alarming.
When you receive an email from the abuse team saying there is something abnormal about one of your IPs... if you are a bit conscientious, you take the time to ensure everything is OK instead of throwing the mail in the trash and saying "ehhh, I don't care!".
And now, the guy from INCIBE-CERT comes with a more relaxed attitude and uses words like "appears", "no evidence", "maybe erred in our detection tool". In the meantime, they have annoyed a lot of people (abuse team and clients) for... nothing.
Like @deank said, I'm just pissed. Just wanted to say it to a representative of INCIBE-CERT. Nothing more. But if you want to consider that pissed people are making drama or PMSing... it's your problem.
This is an information email only and does not require any further action on your part.
It is your choice whether or not to investigate the complaint.
which may be members of a botnet.
See, we can all cherry-pick sentences out of an email. You actually are PMSing more than my wife right now. If they didn't send you that email and you actually had a botnet, you'd be crying all over the place about why your server got disconnected.
You knowing how to bold some parts of the email doesn't actually mean the rest of us can't read the rest of the email that isn't bolded. Fucking hell.
Clearly, if it was something serious, your provider won't tell you "uh yeah, you don't need to do anything".
Or let's say you got the email directly...
You can contact us if you detect any fraudulent activity under a .es domain or related with Spanish resources, and we would try to help you to solve it.
Look at this... goddamn, who would have known to contact them...