
Hetzner reports detecting a backdoor in its systems

Hetzner has just sent a mass mailing to all customers of its dedicated hosting, reporting the discovery of a backdoor in its network and warning that a significant portion of customer data may have been compromised, including all information stored in the Robot web panel (credit card data, however, was not affected).

According to the letter, the malware got into the company's network through a hole in the Nagios monitoring system and hit the running Apache web server and sshd processes without modifying the binaries themselves, which is what allowed the compromise to go unnoticed for so long. According to the technicians, they had never encountered anything like it before.

To investigate the incident, an outside security company was brought in to help the company's own administrators understand what happened and completely clean the network of all copies of the malware. The relevant authorities have been notified; the investigation is not yet complete.
Translation of the letter
Dear customer,

At the end of last week, Hetzner's technical engineers discovered a so-called backdoor in one of our internal monitoring systems (Nagios).

An immediate investigation revealed that the administration interface for dedicated servers (Robot) was also compromised. The information we currently have suggests that part of our customer database has been copied from outside.

As a result, we report that customer information stored in Robot should be considered compromised.

As far as we know, the malicious program we discovered is previously unknown and has never appeared before.

The malicious code used in the backdoor infects only RAM. The preliminary analysis suggests that the malicious code is injected directly into the running Apache and sshd processes. Thus the virus neither changes the binary files of the services it hit nor restarts them.

Because of this, standard procedures such as checksum verification or a check with the rkhunter utility are unable to detect the infection.

To assist our in-house administrators, we turned to an independent security company for help and gave them a detailed account of what happened. At the moment, the analysis of the incident has not yet been completed.

Passwords for access to the Robot panel are stored in our database as salted SHA256 hashes. As a precaution, we recommend changing your Robot password.

As for credit cards, we store only the last three digits of the card number, its type (MasterCard, Visa, etc.) and its expiry date. All other information is stored with our payment service provider and is linked to our systems through a randomly generated card number. Thus, as far as we can judge, credit card data was not compromised.

Hetzner's technical engineers are working continuously to localize existing security gaps and to prevent new ones, so as to ensure the highest possible security of our systems and infrastructure. Data security is very important to us. To speed up the further investigation, we have contacted the relevant law enforcement agencies.

Moreover, we are in constant contact with the Federal Criminal Police Office (Bundeskriminalamt, BKA).

Naturally, we will keep you updated on developments and report all new information.

We are very sorry for what happened, and we thank you for your understanding and trust.

To help you with security questions, we have posted a dedicated question-and-answer page: wiki.hetzner.de/index.php/Security_Issue/en .
(original: pastebin.com/czHJDtif)
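The practical point in the letter (and in the article's second paragraph) is the memory-only infection: a payload that lives only inside the address space of a running apache2 or sshd leaves file checksums and rkhunter clean, so the check has to look at the process rather than the disk. The script below is an added example, not code from Hetzner or from the Habr post. It performs the two checks a responder would run on a Linux host: it lists executable mappings in /proc/PID/maps that have no clean file backing (anonymous or writable executable regions, or mappings whose backing file has been deleted), and it compares every file-backed executable mapping byte for byte against the file on disk by reading /proc/PID/mem, which catches in-place hooks such as a jmp written over a function prologue. The sample maps text and the byte strings are constructed for the example; the pid-based functions read the live /proc filesystem.

```python
"""Look for memory-resident code in running Linux processes.

Added example (not Hetzner's or the Habr post's code). Two checks:
  1. executable mappings with no clean file backing (anonymous, w+x, or
     backing file deleted) in /proc/PID/maps;
  2. byte-for-byte comparison of each file-backed executable mapping with
     the file on disk, read through /proc/PID/mem (needs ptrace rights).
"""
import re
import sys
from dataclasses import dataclass

# One line of /proc/PID/maps: "start-end perms offset dev inode [path]"
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) (?P<perms>[rwxps-]{4}) "
    r"(?P<offset>[0-9a-f]+) (?P<dev>[0-9a-f]+:[0-9a-f]+) (?P<inode>\d+)\s*(?P<path>.*)$"
)

# Anonymous executable regions the kernel itself maps into every process.
KERNEL_REGIONS = {"[vdso]", "[vsyscall]"}

# Constructed sample modelled on an apache2 worker; the anonymous rwxp region
# at 0x7f3a8c000000 is the kind of thing an injected payload lives in.
SAMPLE_MAPS = """\
00400000-004c8000 r-xp 00000000 08:01 1310721                            /usr/sbin/apache2
006c7000-006ca000 r--p 000c7000 08:01 1310721                            /usr/sbin/apache2
006ca000-006d3000 rw-p 000ca000 08:01 1310721                            /usr/sbin/apache2
01f4a000-01f9c000 rw-p 00000000 00:00 0                                  [heap]
7f3a8c000000-7f3a8c021000 rwxp 00000000 00:00 0
7f3a8c021000-7f3a8c1e4000 r-xp 00000000 08:01 393285                     /lib/x86_64-linux-gnu/libc-2.17.so
7ffd1b2e9000-7ffd1b30a000 rw-p 00000000 00:00 0                          [stack]
7ffd1b3fe000-7ffd1b400000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
"""


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    offset: int   # file offset the mapping starts at
    inode: int
    path: str

    @property
    def file_backed(self):
        # Backed by a file that still exists on disk: inode set, absolute path, not deleted.
        return self.inode != 0 and self.path.startswith("/") and not self.path.endswith("(deleted)")


def parse_maps(text):
    """Parse /proc/PID/maps text into Mapping objects; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            out.append(Mapping(int(m["start"], 16), int(m["end"], 16), m["perms"],
                               int(m["offset"], 16), int(m["inode"]), m["path"].strip()))
    return out


def suspicious_mappings(mappings):
    """Executable mappings that are anonymous, writable, or whose backing file was deleted."""
    hits = []
    for mp in mappings:
        if "x" not in mp.perms or mp.path in KERNEL_REGIONS:
            continue
        if not mp.file_backed or "w" in mp.perms:
            hits.append(mp)
    return hits


def diff_ranges(mem_bytes, disk_bytes):
    """Spans [(offset, length), ...] where process memory differs from the file.
    A mapping is page-rounded and may run past the end of the file; the kernel
    zero-fills that tail, so the disk side is zero-padded here as well."""
    disk_bytes = disk_bytes.ljust(len(mem_bytes), b"\x00")
    spans, start = [], None
    for i, (a, b) in enumerate(zip(mem_bytes, disk_bytes)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            spans.append((start, i - start))
            start = None
    if start is not None:
        spans.append((start, len(mem_bytes) - start))
    return spans


def _read_exact(f, n):
    """Unbuffered reads of /proc/PID/mem may be short; loop until n bytes or EOF."""
    buf = b""
    while len(buf) < n:
        part = f.read(n - len(buf))
        if not part:
            break
        buf += part
    return buf


def compare_with_disk(pid, mp, chunk=1 << 20):
    """Read mapping mp out of /proc/PID/mem and diff it against its backing file."""
    spans = []
    with open(f"/proc/{pid}/mem", "rb", 0) as mem, open(mp.path, "rb") as disk:
        for pos in range(0, mp.end - mp.start, chunk):
            n = min(chunk, mp.end - mp.start - pos)
            mem.seek(mp.start + pos)
            disk.seek(mp.offset + pos)
            spans += [(pos + off, ln) for off, ln in diff_ranges(_read_exact(mem, n), disk.read(n))]
    return spans


def check_process(pid):
    """Return a list of findings for one live process."""
    with open(f"/proc/{pid}/maps") as f:
        maps = parse_maps(f.read())
    findings = []
    for mp in suspicious_mappings(maps):
        findings.append(f"pid {pid}: executable region without clean file backing "
                        f"{mp.start:#x}-{mp.end:#x} {mp.perms} {mp.path or '<anonymous>'}")
    for mp in maps:
        if "x" in mp.perms and mp.file_backed:
            for off, n in compare_with_disk(pid, mp):
                findings.append(f"pid {pid}: {mp.path} differs from disk at "
                                f"{mp.start + off:#x} ({n} bytes)")
    return findings


if __name__ == "__main__":
    for arg in sys.argv[1:]:
        for line in check_process(int(arg)):
            print(line)
```

Run it as root against the processes the letter names, for example `python3 memcheck.py $(pidof apache2 sshd)`, since reading /proc/PID/mem requires ptrace rights on the target. Two caveats: JIT runtimes (Java, browsers, PHP with opcache JIT) legitimately create anonymous executable regions, and libraries with text relocations can differ from their on-disk image, so treat hits as leads to dump and disassemble rather than verdicts; and an attacker who already has root can subvert /proc as well, so on a seriously compromised host compare against a memory image acquired from outside the running system rather than trusting what the host reports about itself.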

Source: https://habr.com/ru/post/182416/
