Hetzner breach?

dagwood4455 (Active Member, joined Oct 13, 2010)
Have any web companies had breaches on their Hetzner servers?

A batch of our clients' mail accounts on a Hetzner managed server was hacked.

But some of the mail accounts on Truservs were also hacked (Hetzner does not have the root passwords for these servers).

This happened over the weekend at roughly the same time.

The passwords for both mail management systems (our self-managed one and Hetzner's Konsole) are not kept in the same place nor by the same people.

One of our theories is that some clever cybercrooks somehow got into the datacentre.

Has anybody else experienced a lot of hacked mail accounts over the weekend?
 
Nothing of mine is impacted there. Did you protect yourself against Heartbleed?
 
Let me guess, they all have an administrative account with the same password?
Hetzner is definitely not at fault here, and it seems that this thread is intended to discredit them.

P.S. Contacting your hosting provider should be the de facto thing to do after a breach, because remember, malicious intent was on their hardware and infrastructure.
 
Let me guess, they all have an administrative account with the same password?
Hetzner is definitely not at fault here, and it seems that this thread is intended to discredit them.

P.S. Contacting your hosting provider should be the de facto thing to do after a breach, because remember, malicious intent was on their hardware and infrastructure.

Dear Nand, no, they have different passwords (but it could have been accessed from Konsole). But how did they get into the Trueservs??

I have no intention to discredit them; if you look at my previous post you can see I like Hetzner.

But thanks for the feedback, dude.
 
Well, I am sure if their servers were compromised on that type of scale there would be a lot of people complaining, as Hetzner is one of the biggest hosting providers in South Africa.

I would say the issue is on your side. It doesn't matter that it's 2 different passwords. They could have compromised the second account by using the same methods, which may be various things: malware/virus on the office network, packet sniffing on the office network, man in the middle on the office network etc. That's excluding human error and other things that can go wrong. It can be patches as well, or just a really good hacker that is just after your email addresses. No hacker will only target you if they compromise Hetzner, as there they will get more money selling everyone's details rather than just yours.

It can be so many things, and starting to point fingers in public with so little info available is quite irresponsible.

Calm down and breathe ....

How do you know the accounts were hacked, or what makes you think they were hacked?
 
Thanks Goofy

1. There is always a first person to ask a question / complain, isn't there?
2. I did not point fingers, I am asking a question.
3. The accounts were used to send out spam.
 
1. Yes there is.
2. Don't take it personally, but you are asking a very stupid question, suggesting that you are jumping to a conclusion and hoping to receive feedback supporting your case. The answer to your question is no, they have not been hacked. Someone else would have said something by now.
3. Have you looked at the logs yet? Is it your server generating spam (<1% chance) or is there another IP using your server as an SMTP relay?

As goofy said, breathe! Once you have calmed down to a panic I suggest you take a look at where the spam came from. Below are some common scenarios:

1) A virus on a PC is connecting and sending via Outlook on the local PC. (Don't rely on an AV finding this virus, they can be rather advanced.)
2) A password has been compromised, which can be caused by:
- A virus pulling the password.
- The user using their email password when signing into their porn/torrent sites.
- Weak-ass passwords / formulated passwords.
3) Your client is a spammer.
4) The server has SMTP with no auth (unlikely, but I have seen it before).

Good luck finding the exact cause.
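A worked example of the log review suggested above (added here; it is not code from the thread, from Hetzner or from any poster): it parses constructed Dovecot and Postfix log lines, counts failed logins per client IP and authenticated submissions per account, and flags the combination that points at a guessed password being used to relay spam. The log formats follow the two daemons' default syslog output; the sample lines, IPs, account names and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not from the thread), in Dovecot and Postfix syslog formats.
SAMPLE_LOG = """\
Apr 12 02:58:10 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2
Apr 12 02:58:12 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2
Apr 12 02:58:15 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2
Apr 12 02:58:17 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2
Apr 12 08:30:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<carol@example.com>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2
Apr 12 03:02:01 mail postfix/smtpd[2231]: 4F1A2B3C: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob@example.com
Apr 12 03:02:03 mail postfix/smtpd[2231]: 4F1A2B3D: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob@example.com
Apr 12 03:02:05 mail postfix/smtpd[2231]: 4F1A2B3E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob@example.com
Apr 12 09:15:30 mail postfix/smtpd[2290]: 4F1A2C01: client=office.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=carol@example.com
"""

# Dovecot: a rejected login, capturing the account tried and the remote IP (rip=).
AUTH_FAIL = re.compile(r"dovecot: \w+-login: Disconnected \(auth failed.*?user=<([^>]*)>.*?rip=([\d.]+)")
# Postfix: a message accepted from a client that authenticated via SASL.
SASL_SEND = re.compile(r"postfix/smtpd\[\d+\]: \w+: client=\S+?\[([\d.]+)\], sasl_method=\w+, sasl_username=(\S+)")

def summarize(lines):
    """Count auth failures per client IP and submissions per account (with source IPs)."""
    fails_by_ip = Counter()
    sends_by_user = Counter()
    ips_by_user = defaultdict(set)
    for line in lines:
        fail = AUTH_FAIL.search(line)
        if fail:
            fails_by_ip[fail.group(2)] += 1
            continue
        send = SASL_SEND.search(line)
        if send:
            ip, user = send.groups()
            sends_by_user[user] += 1
            ips_by_user[user].add(ip)
    return fails_by_ip, sends_by_user, ips_by_user

def suspicious(lines, fail_threshold=3, send_threshold=3):
    """Return (IPs guessing passwords, accounts sending bursts from one of those IPs)."""
    fails_by_ip, sends_by_user, ips_by_user = summarize(lines)
    guessers = {ip for ip, n in fails_by_ip.items() if n >= fail_threshold}
    # Failed guesses followed by a burst of authenticated sends from the same IP is the
    # pattern of a password-guessed mailbox being used as a spam relay.
    relays = {u for u, n in sends_by_user.items() if n >= send_threshold and ips_by_user[u] & guessers}
    return sorted(guessers), sorted(relays)

if __name__ == "__main__":
    print(suspicious(SAMPLE_LOG.splitlines()))
```

A single failure from a second IP (carol's typo) stays below the threshold, so only the guessing IP and the account it went on to send from are reported.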
 
I've had servers hacked with 8-letter random passwords. So these days I don't run a root password under 64 characters.
 
Are all the affected boxes running some generic CMS system like WordPress, or do you use a 3rd party mail system? Most "hacks" come down to a 3rd party security issue, normally in things like WYSIWYG file uploaders, where "hackers" scan websites and IP ranges looking for common paths of known exploited apps. Check your access logs at the time of the spam emails to try to trace the breach if you are running front end websites on those boxes.

But I've found Hetzner's technicians to be pretty good at investigating these kind of things in the past, so they should be your first point of contact. They could probably tell you where the breach occurred.
 
One of my mail accounts was breached on Hetzner about two months ago... Sent out a few hundred emails until their whatever-it-was that's so slow kicked in... What I had suspected was that they had brute forced the password, as it was admittedly weaker than it should have been. What I don't understand though is why on earth their systems could have let through so many attempts on the password... I was puzzled about that for a while... Then I gave up and switched to an OceanHost cloud based VPS... Best move yet, as they are awesome and I have learned a ton in doing so!

As a side note to the above comment about "Hetzner's technicians to be pretty good at investigating these kind of things", I disagree... From my experience, they tend to blame you at the first gap in the conversation they get and without making any effort to investigate the issue at all.
 
It sounds like you were a victim of the Hetzner KonsoleH phishing scam which did its rounds recently...
 
You host mail...
a batch of our clients' mail accounts on a Hetzner managed server was hacked

But also some of the mail accounts on Truservs were also hacked (Hetzner does not have the root passwords for these servers)

...but don't use SSL
no we did not do anything about Heartbleed because we don't use SSL

And you complain about being hacked? :eek:
 
Hetzner does not support SSL/TLS or IMAP.

A good reason, if true, not to use them then.

Boggles the mind.

If it is true, which I don't think it entirely is. We're talking about a managed server here. Working for a managed hosting company, I think I know what might be going on. Hosting providers give you a standard install of your favourite distro. Most distros don't enforce or even enable SSL out of the box. Why? Because they can only give you a self-signed certificate, which would, of course, cause certificate warnings.

As far as mail is concerned, I can give you an example. Red Hat ships with Dovecot for POP3 and IMAP. Out of the box, a self-signed certificate is configured:

/etc/dovecot/conf.d/10-ssl.conf:ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
/etc/dovecot/conf.d/10-ssl.conf:ssl_key = </etc/pki/dovecot/private/dovecot.pem

That certificate looks like this:

Code:
Subject: OU=IMAP server, CN=imap.example.com/[email protected]

Thus, SSL is disabled. It's up to you to get a valid certificate in there and turn on SSL. The same goes for Postfix.

Hetzner does offer SSL certificates, and if they're halfway decent, they'll configure it for you too:

http://www.hetzner.co.za/dedicated-servers/managed/managed
 
Whilst on this subject, Telkom still uses plain SMTP (port 25) while Gmail uses SSL SMTP...

Easy way to leech passwords with a packet analyzer/sniffer if you want...
 
Your f-up with this is that most mail apps on mobile require SSL / TLS. And IMAP is a MUST for any mobile person... And who isn't these days.
 