Thread: Hetzner Got Hacked
-
06-06-2013, 12:26 PM #1Web Hosting Guru
- Join Date
- Mar 2008
- Location
- /usr/bin/kvm
- Posts
- 261
Hetzner Got Hacked
Dear Client
At the end of last week, Hetzner technicians discovered a "backdoor" in one
of our internal monitoring systems (Nagios).
An investigation was launched immediately and showed that the administration
interface for dedicated root servers (Robot) had also been affected. Current
findings would suggest that fragments of our client database had been copied
externally.
As a result, we currently have to consider the client data stored in our Robot
as compromised.
To our knowledge, the malicious program that we have discovered is as yet
unknown and has never appeared before.
The malicious code used in the "backdoor" exclusively infects the RAM. First
analysis suggests that the malicious code directly infiltrates running Apache
and sshd processes. Here, the infection neither modifies the binaries of the
service which has been compromised, nor does it restart the service which has
been affected.
The standard techniques used for analysis such as the examination of checksum
or tools such as "rkhunter" are therefore not able to track down the malicious
code.
We have commissioned an external security company with a detailed analysis of
the incident to support our in-house administrators. At this stage, analysis
of the incident has not yet been completed.
The access passwords for your Robot client account are stored in our database
as Hash (SHA256) with salt. As a precaution, we recommend that you change your
client passwords in the Robot.
With credit cards, only the last three digits of the card number, the card type
and the expiry date are saved in our systems. All other card data is saved
solely by our payment service provider and referenced via a pseudo card number.
Therefore, as far as we are aware, credit card data has not been compromised.
Hetzner technicians are permanently working on localising and preventing possible
security vulnerabilities as well as ensuring that our systems and infrastructure
are kept as safe as possible. Data security is a very high priority for us. To
expedite clarification further, we have reported this incident to the data
security authority concerned.
Furthermore, we are in contact with the Federal Criminal Police Office (BKA) in
regard to this incident.
Naturally, we shall inform you of new developments immediately.
We very much regret this incident and thank you for your understanding and
trust in us.
A special FAQs page has been set up at
http://wiki.hetzner.de/index.php/Security_Issue/en to assist you with further
enquiries.
Kind regards
Martin Hetzner
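The notice above says the code lives only in the memory of running Apache and sshd processes, which is why on-disk checksums and "rkhunter" miss it. As an added defender-side example (not part of the original post or of Hetzner's analysis), this lists executable mappings in a Linux `/proc/<pid>/maps` listing that no file on disk accounts for. The sample listing, paths and function names are constructed for illustration.

```python
import re

# Fields of one /proc/<pid>/maps line: range, perms, offset, device, inode, path
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-[0-9a-f]+\s+([r-][w-][x-][ps])\s+[0-9a-f]+\s+\S+\s+(\d+)\s*(.*)$"
)
# Kernel-provided regions that are executable without a backing file by design
KERNEL_REGIONS = {"[vdso]", "[vsyscall]"}

# Constructed sample listing for an sshd process (addresses and paths are made up)
SAMPLE_MAPS = """\
7f1c2a400000-7f1c2a4b2000 r-xp 00000000 08:01 1311234 /usr/sbin/sshd
7f1c2a6b2000-7f1c2a6b5000 rw-p 000b2000 08:01 1311234 /usr/sbin/sshd
7f1c2b000000-7f1c2b021000 rw-p 00000000 00:00 0 [heap]
7f1c2c100000-7f1c2c104000 rwxp 00000000 00:00 0
7f1c2c200000-7f1c2c215000 r-xp 00000000 08:01 1317777 /tmp/libexample.so (deleted)
7ffd3a1fe000-7ffd3a200000 r-xp 00000000 00:00 0 [vdso]
"""

def suspicious_mappings(maps_text):
    """Return (start, perms, path, reason) for executable mappings
    that a checksum of the on-disk binaries would never cover."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue
        start, perms, inode, path = m.groups()
        path = path.strip()
        if "x" not in perms or path in KERNEL_REGIONS:
            continue
        if path.endswith(" (deleted)"):
            reason = "executable code from a file deleted on disk"
        elif inode == "0":
            reason = "executable memory with no backing file"
        elif "w" in perms:
            reason = "file-backed mapping is writable and executable"
        else:
            continue  # read-only executable mapping of an existing file
        findings.append((start, perms, path or "<anonymous>", reason))
    return findings

def scan_pid(pid):
    """Scan a live process; needs root or the same UID as the target."""
    with open(f"/proc/{pid}/maps") as fh:
        return suspicious_mappings(fh.read())

if __name__ == "__main__":
    for start, perms, path, reason in suspicious_mappings(SAMPLE_MAPS):
        print(f"{start} {perms} {path}: {reason}")
```

Hits need triage: JIT runtimes legitimately create anonymous executable memory, and a library upgraded without a service restart shows up as "(deleted)". A clean listing is not proof of a clean process, since code written over an existing private mapping leaves the maps output unchanged.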
-
06-06-2013, 12:38 PM #2Cable Director
- Join Date
- Aug 2007
- Location
- Datacenter
- Posts
- 4,414
Let's hope they can find a solution soon. It's not Hetzner that's hacked, it's an issue with Nagios
-
06-06-2013, 12:54 PM #3Web Hosting Master
- Join Date
- Nov 2011
- Location
- Calgary, Alberta, Canada
- Posts
- 699
Thank god I didn't go with them. Considering they needed government issued identification to verify I am who I am and now that information could've been in the hands of some hacker...
-
06-06-2013, 12:54 PM #4Aspiring Evangelist
- Join Date
- Mar 2009
- Posts
- 391
And now the entire Hetzner network is down!
EDIT: Back up now, was down for a minute.
-
06-06-2013, 01:04 PM #5Web Hosting Master
- Join Date
- Jan 2011
- Location
- Varna, Bulgaria
- Posts
- 1,276
Again? When / what was the previous one?
-
06-06-2013, 01:04 PM #6Web Hosting Guru
- Join Date
- Mar 2008
- Location
- /usr/bin/kvm
- Posts
- 261
-
06-06-2013, 01:05 PM #7Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
The malicious code used in the "backdoor" exclusively infects the RAM. First
analysis suggests that the malicious code directly infiltrates running Apache
and sshd processes. Here, the infection neither modifies the binaries of the
service which has been compromised, nor does it restart the service which has
been affected.
-
06-06-2013, 01:05 PM #8WHT Addict
- Join Date
- Aug 2011
- Location
- Denmark
- Posts
- 108
Honestly, I do not find the content of the above message alarming as such. Simply update your password and you should be fine.
However, if you had them access any of your server(s) in recent times, I would check those servers as well just in case.
The malicious code used in the "backdoor" exclusively infects the RAM. First
analysis suggests that the malicious code directly infiltrates running Apache
and sshd processes. Here, the infection neither modifies the binaries of the
service which has been compromised, nor does it restart the service which has
been affected.
-
06-06-2013, 01:08 PM #9Web Hosting Master
- Join Date
- Sep 2004
- Posts
- 669
Ouch. But they at least don't try to cover it up and most relevant details were given before they get asked about. Some people should take this as example when things go wrong...
-
06-06-2013, 01:08 PM #10Aspiring Evangelist
- Join Date
- Mar 2009
- Posts
- 391
-
06-06-2013, 01:11 PM #11WHT Addict
- Join Date
- Aug 2011
- Location
- Denmark
- Posts
- 108
-
06-06-2013, 01:12 PM #12WHT Addict
- Join Date
- Aug 2011
- Location
- Denmark
- Posts
- 108
More details about the issue: http://wiki.hetzner.de/index.php/Security_Issue/en
-
06-06-2013, 01:14 PM #13Aspiring Evangelist
- Join Date
- Mar 2009
- Posts
- 391
Looking for the link, a thorough analysis of the compromise was posted by a German IT specialist.
Tobias Huch wrote about the compromise/data breach:
http://www.golem.de/1110/86916.html
http://www.netzwelt.de/news/88855-in...r-hetzner.html
There's also a thread on WHT
http://www.webhostingtalk.com/showthread.php?t=1088324
Last edited by softshop011; 06-06-2013 at 01:22 PM.
-
06-06-2013, 01:27 PM #14WHT Addict
- Join Date
- Aug 2011
- Location
- Denmark
- Posts
- 108
-
06-06-2013, 01:28 PM #15Disabled
- Join Date
- Sep 2012
- Posts
- 97
-
06-06-2013, 01:29 PM #16Quality Web Hosting Matters
- Join Date
- Mar 2006
- Location
- Servers
- Posts
- 1,590
Seems their monitoring is now sending some fake alarms of port 80 down ...
-
06-06-2013, 01:29 PM #17Web Hosting Master
- Join Date
- Sep 2008
- Location
- Seattle, WA
- Posts
- 1,323
With credit cards, only the last three digits of the card number, the card type
and the expiry date are saved in our systems. All other card data is saved
solely by our payment service provider and referenced via a pseudo card number.
Therefore, as far as we are aware, credit card data has not been compromised.
edit. I could be mistaken in this, they didn't state clearly if this is just "informational" or this info is compromised.
Last edited by StealthyHosting; 06-06-2013 at 01:34 PM.
-
06-06-2013, 01:33 PM #18Web Hosting Guru
- Join Date
- Mar 2008
- Location
- /usr/bin/kvm
- Posts
- 261
-
06-06-2013, 01:34 PM #19Retired Moderator
- Join Date
- Nov 2006
- Location
- search.php?do=getnew
- Posts
- 1,241
Threads merged, here's being hopeful for no new ones springing up.
-
06-06-2013, 02:13 PM #20Web Hosting Master
- Join Date
- May 2003
- Location
- Scotland
- Posts
- 4,549
I don't see any unusual activity directed towards my Hetzner equipment at the moment, so hopefully they did not get too much.
Good to see they came straight out with it though and did not try to hide anything, kudos for that.
-
06-06-2013, 02:35 PM #21Aspiring Evangelist
- Join Date
- Jun 2012
- Posts
- 423
-
06-06-2013, 02:39 PM #22Email Expert
- Join Date
- Jan 2008
- Location
- Portugal
- Posts
- 1,021
-
06-06-2013, 03:40 PM #23Disabled
- Join Date
- Dec 2010
- Location
- 127.0.0.1
- Posts
- 5,732
Well at least they aren't hiding it like when Godaddy's DNS was being ddosed and they denied it and blamed it on hardware failure.
Anyway I hope their customers' servers haven't been touched.
-
06-06-2013, 04:27 PM #24Newbie
- Join Date
- Feb 2013
- Posts
- 8
I found this part most interesting:
"First analysis suggests that the malicious code directly infiltrates running Apache and sshd processes"
There was this issue with hacked Linux root accounts this year:
http://www.webhostingtalk.com/showthread.php?p=8702404
-
06-07-2013, 01:34 AM #25Web Hosting Evangelist
- Join Date
- May 2013
- Location
- Florida
- Posts
- 460
I agree. I like that they came right out and admitted everything without trying to make excuses or cover anything up.