Hetzner been Hacked !!

Plaasjapie

Well-Known Member
Joined
Mar 17, 2005
Messages
230
I just received the email from Hetzner. Can somebody else confirm this?

Precautionary Alert: Network Intrusion

Dear Hetzner Customer,

We are writing to you as our primary concern is for our customers and for the continued security of your website(s) and data. It is therefore our duty to inform you of a network intrusion with possible implications for your web hosting package(s):

We have recently discovered evidence of a network intrusion to our managed web servers and hosting management systems.

The intruder may have harvested some of your hosting related passwords.

Following an investigation and assessment of the breach, we have taken steps to prevent further unauthorised access to our servers.

As a further precautionary measure we'd like to request that you act swiftly and change the following passwords:

- Your konsoleH Control Panel login password
- All email passwords
- All FTP passwords
- All MySQL database passwords (Note, you will need to update your web application database connection strings. This is not applicable to Home packages.)


These passwords can all be changed within your konsoleH Control Panel. Details on how to change your passwords can be found on our Help Centre using the links above.

We understand the inconvenience and concern that this may cause and for this we sincerely apologise. Be assured that we take our responsibilities for safeguarding your data very seriously and are taking the appropriate steps to enhance our security protocols to protect our systems and your data.
 

ksweb

Active Member
Joined
Sep 9, 2005
Messages
97
Just got the email now.
Does anyone have more information on how, when this happened?
 

ColinR

Expert Member
Joined
Aug 24, 2006
Messages
3,753
I've changed all my passwords - took a fair amount of time. (Esp when SQL has 3 per DB!) But it's probably a good thing to do every now and again anyway!
 

baileysinplett

Active Member
Joined
Jan 28, 2007
Messages
32
Last week we received an email from MTN Business saying that our website had been marked as delivering malicious material and that it would be blocked if not corrected. Also found that Google had blocked all our Hetzner sites on the Chrome and Firefox browsers. Found that all our index.html pages and all js files had addonrock.ru JavaScript tagged on the bottom. Read that it obtains FTP passwords through keyloggers on infected machines and gains access in this manner.

Have 3 websites on Hetzner and was very concerned as all 3 were infected. Wondered how access to passwords was obtained as we had not personally gained access to the sites in months. Spent a day virus and trojan checking all machines in our network. Also only one machine has a full list of passwords to all 3 sites. Also strange was that websites at different hosts were not infected, but the passwords existed on the same machine. Read that the trojan had made use of a security issue within Linux and so came to the conclusion that access must have come from Hetzner's side and not a vulnerability on our side. Confirmation arrived today.

Check all your index.html and .js files. Look for JavaScript code referencing addonrock.ru (there are some other names as well - google addonrock).
 
Last edited:
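
The check described in the post above, as an added example that is not part of the original thread and is not Hetzner's tooling: a Python sketch that walks a downloaded copy of a web root and flags index and .js files that reference the domain named in the post or carry script markup after the closing `</html>` tag. The sample tree, the `demo()` helper and the sample tag are constructed for illustration; the domain list contains only the name given in the post.

```python
import os
import re
import tempfile

# Domain named in the post; add others you identify yourself.
SUSPECT_DOMAINS = ["addonrock.ru"]
TAIL_CHARS = 2048  # the post found the code tagged on the bottom of files

def scan_file(path, domains=SUSPECT_DOMAINS):
    """Return findings for one file (empty list if it looks clean)."""
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace").lower()
    findings = []
    for domain in domains:
        pos = text.find(domain.lower())
        if pos != -1:
            where = "tail" if pos >= len(text) - TAIL_CHARS else "body"
            findings.append(f"references {domain} ({where})")
    # Script or iframe markup after the closing </html> tag was appended later.
    end = text.rfind("</html>")
    if end != -1 and re.search(r"<(script|iframe)\b", text[end + len("</html>"):]):
        findings.append("markup after </html>")
    return findings

def scan_tree(root):
    """Check every index.* and *.js file under root, as the post advises."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().startswith("index.") or name.lower().endswith(".js"):
                path = os.path.join(dirpath, name)
                found = scan_file(path)
                if found:
                    hits[os.path.relpath(path, root)] = found
    return hits

def demo():
    """Build a constructed sample web root and scan it."""
    root = tempfile.mkdtemp()
    tag = '<script src="http://addonrock.ru/"></script>'  # constructed sample tag
    samples = {
        "index.html": "<html><body>clean</body></html>\n",
        os.path.join("shop", "index.html"): "<html><body>shop</body></html>\n" + tag,
        os.path.join("js", "menu.js"): "function menu() {}\ndocument.write('" + tag + "');\n",
    }
    for rel, body in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return scan_tree(root)

if __name__ == "__main__":
    for rel, found in sorted(demo().items()):
        print(rel, found)
```

Run `scan_tree()` against a local copy of the site rather than the live server, and compare flagged files with a known-good backup before restoring.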

shogun

Expert Member
Joined
Sep 9, 2005
Messages
2,246
Stupid question perhaps... but this is Hetzner SA, and not Germany right?
 

ksweb

Active Member
Joined
Sep 9, 2005
Messages
97
I've changed all my passwords - took a fair amount of time. (Esp when SQL has 3 per DB!) But it's probably a good thing to do every now and again anyway!

It's going to take a lot of time trying to update everything :-(
 

keru

Well-Known Member
Joined
Aug 6, 2003
Messages
489
This is such a bummer. It is a nightmare to change all the passwords.
 

keru

Well-Known Member
Joined
Aug 6, 2003
Messages
489
you're right. passwords should never be changed and very easy to remember as well. what's the point of using it in any case.

Not fun when you are hosting +/- 100 domains with around 1000's of email accounts.
 

Jacques

Well-Known Member
Joined
May 12, 2004
Messages
313
Where can I send my Invoice for all the Unpaid work? Changing hundreds of passwords at once is not fun! :(

The news on here seems a bit slow on one of the biggest security compromises in web hosting? Probably changing passwords.... ;)
 

jbs01

Member
Joined
Dec 23, 2009
Messages
13
Has anyone else ever heard of such a thing happening with any other hosting company?
Hetzner is supposed to be world class.
FML.
 

keru

Well-Known Member
Joined
Aug 6, 2003
Messages
489
Would like to know if any accounts have been compromised as yet?
 

keru

Well-Known Member
Joined
Aug 6, 2003
Messages
489
Does it matter? Best to change the passwords before you wake up to a nightmare.

I have changed the passwords. Just wanted to know if any accounts have been hacked. I think there should be some serious discussions around this.
We had a few Joomla sites hacked early this year. After doing a bit of research we narrowed it down to one theme that ended up with Joomla sites being hacked around the world.
 