Hetzner Got Hacked

  #1  
Old 06-06-2013, 12:26 PM
serverian serverian is offline
Corporate Member
 
Join Date: Mar 2008
Location: /usr/bin/kvm
Posts: 211


Dear Client

At the end of last week, Hetzner technicians discovered a "backdoor" in one
of our internal monitoring systems (Nagios).

An investigation was launched immediately and showed that the administration
interface for dedicated root servers (Robot) had also been affected. Current
findings would suggest that fragments of our client database had been copied
externally.

As a result, we currently have to consider the client data stored in our Robot
as compromised.

To our knowledge, the malicious program that we have discovered is as yet
unknown and has never appeared before.

The malicious code used in the "backdoor" exclusively infects the RAM. First
analysis suggests that the malicious code directly infiltrates running Apache
and sshd processes. Here, the infection neither modifies the binaries of the
service which has been compromised, nor does it restart the service which has
been affected.

The standard techniques used for analysis such as the examination of checksum
or tools such as "rkhunter" are therefore not able to track down the malicious
code.

We have commissioned an external security company with a detailed analysis of
the incident to support our in-house administrators. At this stage, analysis
of the incident has not yet been completed.

The access passwords for your Robot client account are stored in our database
as Hash (SHA256) with salt. As a precaution, we recommend that you change your
client passwords in the Robot.

With credit cards, only the last three digits of the card number, the card type
and the expiry date are saved in our systems. All other card data is saved
solely by our payment service provider and referenced via a pseudo card number.
Therefore, as far as we are aware, credit card data has not been compromised.

Hetzner technicians are permanently working on localising and preventing possible
security vulnerabilities as well as ensuring that our systems and infrastructure
are kept as safe as possible. Data security is a very high priority for us. To
expedite clarification further, we have reported this incident to the data
security authority concerned.

Furthermore, we are in contact with the Federal Criminal Police Office (BKA) in
regard to this incident.

Naturally, we shall inform you of new developments immediately.

We very much regret this incident and thank you for your understanding and
trust in us.

A special FAQs page has been set up at
http://wiki.hetzner.de/index.php/Security_Issue/en to assist you with further
enquiries.

Kind regards

Martin Hetzner

__________________
Backup / Storage KVM VPS - Backupsy.com
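
Added example, not part of the original post or of Hetzner's notice: the notice says checksum tools miss code injected into running Apache and sshd processes because the binaries on disk are unchanged. The sketch below looks at process memory instead, reading a map in Linux `/proc/<pid>/maps` format and flagging executable regions that have no file, or only a deleted file, behind them. The sample map is constructed, the function names are hypothetical, and this generic heuristic is an assumption about what a memory-side check can look like, not the method used in the investigation.

```python
import re

# Constructed sample in /proc/<pid>/maps format; not data from the incident.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a9a000 r-xp 00000000 08:01 1311 /usr/sbin/sshd
55d0c1b2f000-55d0c1b50000 rw-p 00000000 00:00 0 [heap]
7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0
7f3a1c9d0000-7f3a1c9d4000 r-xp 00000000 08:01 9001 /usr/lib/libexample.so (deleted)
7ffd4a7f2000-7ffd4a7f4000 r-xp 00000000 00:00 0 [vdso]
"""

MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\s+[0-9a-f]+\s+"
    r"[0-9a-f]+:[0-9a-f]+\s+\d+\s*(.*)$")
KERNEL_REGIONS = {"[vdso]", "[vsyscall]"}  # executable, kernel-provided, expected


def suspicious_mappings(maps_text):
    """Return (start_address, perms, reasons) for odd executable mappings."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, _end, perms, path = m.groups()
        if "x" not in perms or path in KERNEL_REGIONS:
            continue
        reasons = []
        if not path.startswith("/"):
            reasons.append("anonymous executable memory")
        elif path.endswith(" (deleted)"):
            reasons.append("executable mapping of a deleted file")
        if "w" in perms:
            reasons.append("writable and executable")
        if reasons:
            findings.append((start, perms, reasons))
    return findings


def scan_pid(pid):
    """Apply the same check to a live process (root needed for other users)."""
    with open(f"/proc/{pid}/maps") as fh:
        return suspicious_mappings(fh.read())


if __name__ == "__main__":
    for start, perms, reasons in suspicious_mappings(SAMPLE_MAPS):
        print(start, perms, "; ".join(reasons))
```

Anonymous executable regions also occur legitimately with JIT runtimes, and deleted mappings appear after a package upgrade without a service restart, so findings are leads to investigate rather than verdicts.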



  #2  
Old 06-06-2013, 12:38 PM
24x7group 24x7group is offline
Web Hosting Master
 
Join Date: Aug 2007
Location: Belgium
Posts: 3,618
Let's hope they can find a solution soon. It's not Hetzner that's hacked, it's an issue with Nagios

__________________
InstantDedicated.com - Unmanaged Dedicated Servers with Instant Activation [EU and USA]
ServerBoost.com - Managed Dedicated Servers with 24x7 On-Site Support [100% Uptime Guarantee]
≈ Locations: (The Netherlands) - Tier 3 [Dataplace] | (Miami) - Tier 3 - Pay via: Bitcoin, Paypal, Credit Card

  #3  
Old 06-06-2013, 12:54 PM
LittleApps-Nick LittleApps-Nick is offline
Web Hosting Evangelist
 
Join Date: Nov 2011
Location: Calgary, Alberta, Canada
Posts: 538
Thank god I didn't go with them. Considering they needed government issued identification to verify I am who I am and now that information could've been in the hands of some hacker...

__________________
Little Apps
Open Source Software

  #4  
Old 06-06-2013, 12:54 PM
softshop011 softshop011 is offline
Aspiring Evangelist
 
Join Date: Mar 2009
Posts: 384
And now the entire Hetzner network is down!
EDIT: Back up now, was down for a minute.

  #5  
Old 06-06-2013, 01:04 PM
rds100 rds100 is offline
Web Hosting Master
 
Join Date: Jan 2011
Location: Varna, Bulgaria
Posts: 1,248
Again? When / what was the previous one?

  #6  
Old 06-06-2013, 01:04 PM
serverian serverian is offline
Corporate Member
 
Join Date: Mar 2008
Location: /usr/bin/kvm
Posts: 211
Quote:
Originally Posted by 24x7group View Post
Let's hope they can find a solution soon. It's not Hetzner that's hacked, it's an issue with Nagios
Yes, Nagios got hacked, not Hetzner. All user info is safe.

__________________
Backup / Storage KVM VPS - Backupsy.com

  #7  
Old 06-06-2013, 01:05 PM
Steven Steven is offline
Problem Solver
 
Join Date: Mar 2003
Location: California USA
Posts: 13,105
Quote:
The malicious code used in the "backdoor" exclusively infects the RAM. First
analysis suggests that the malicious code directly infiltrates running Apache
and sshd processes. Here, the infection neither modifies the binaries of the
service which has been compromised, nor does it restart the service which has
been affected.
This is a fairly poor explanation.

__________________
Steven Ciaburri | Proactive Linux Server Management - Rack911.com
System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
Managed Servers (AS62710), Server Management, and Security Auditing.
www.HostingSecList.com - Security notices for the hosting community.

  #8  
Old 06-06-2013, 01:05 PM
MrEliasen MrEliasen is offline
WHT Addict
 
Join Date: Aug 2011
Location: Denmark
Posts: 108
Honestly, I do not find the content of the above message alarming as such. Simply update your password and you should be fine.

However if you had them access any of your server(s) in recent times, I would check those servers as well just in case.
Quote:
The malicious code used in the "backdoor" exclusively infects the RAM. First
analysis suggests that the malicious code directly infiltrates running Apache
and sshd processes. Here, the infection neither modifies the binaries of the
service which has been compromised, nor does it restart the service which has
been affected.
Just my 0.02 - I would love to hear what others have to say though.

__________________
"Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning." - Albert Einstein

  #9  
Old 06-06-2013, 01:08 PM
Spirit Spirit is offline
Web Hosting Master
 
Join Date: Sep 2004
Posts: 665
Ouch. But they at least don't try to cover it up, and most relevant details were given before they got asked about them. Some people should take this as an example when things go wrong...

  #10  
Old 06-06-2013, 01:08 PM
softshop011 softshop011 is offline
Aspiring Evangelist
 
Join Date: Mar 2009
Posts: 384
Quote:
Originally Posted by rds100 View Post
Again? When / what was the previous one?
Last year..

  #11  
Old 06-06-2013, 01:11 PM
MrEliasen MrEliasen is offline
WHT Addict
 
Join Date: Aug 2011
Location: Denmark
Posts: 108
Quote:
Originally Posted by softshop011 View Post
Last year..
Link to this? I am curious and would like to know more.

__________________
"Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning." - Albert Einstein

  #12  
Old 06-06-2013, 01:12 PM
MrEliasen MrEliasen is offline
WHT Addict
 
Join Date: Aug 2011
Location: Denmark
Posts: 108

__________________
"Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning." - Albert Einstein

  #13  
Old 06-06-2013, 01:14 PM
softshop011 softshop011 is offline
Aspiring Evangelist
 
Join Date: Mar 2009
Posts: 384
Quote:
Originally Posted by MrEliasen View Post
Link to this? I am curious and would like to know more.
Looking for the link, a thorough analysis of the compromise was posted by a German IT specialist.

Tobias Huch wrote about the compromise/data breach:
http://www.golem.de/1110/86916.html
http://www.netzwelt.de/news/88855-in...r-hetzner.html

There's also a thread on WHT
http://www.webhostingtalk.com/showthread.php?t=1088324


Last edited by softshop011; 06-06-2013 at 01:22 PM.
  #14  
Old 06-06-2013, 01:27 PM
MrEliasen MrEliasen is offline
WHT Addict
 
Join Date: Aug 2011
Location: Denmark
Posts: 108
Quote:
Originally Posted by softshop011 View Post
Looking for the link, a thorough analysis of the compromise was posted by a German IT specialist.

Tobias Huch wrote about the compromise/data breach:
http://www.golem.de/1110/86916.html
http://www.netzwelt.de/news/88855-in...r-hetzner.html

There's also a thread on WHT
http://www.webhostingtalk.com/showthread.php?t=1088324
Appreciated, thanks!

__________________
"Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning." - Albert Einstein

  #15  
Old 06-06-2013, 01:28 PM
Riyaz_Shaukatali Riyaz_Shaukatali is offline
Disabled
 
Join Date: Sep 2012
Posts: 97
Quote:
Originally Posted by softshop011 View Post
And now the entire Hetzner network is down!
EDIT: Back up now, was down for a minute.
Yes, even I noticed the same.
