Hetzner abuse

So, I got this mail 7 times in the last hour.

My server is only accessible via a 4096-bit SSH key, which I'm fairly sure is not compromised (maybe I'm wrong?).

The server has Plesk and 1 Python Docker container.

I just shut it down for now; I'm not interested in the spam from abuse-at-hetzner-dot-com.

The mail:

> Dear Sir/Madam,
>
> We have detected abuse from the IP address ( <my.hetzner.IP.address> ), which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate. Any feedback is welcome but not mandatory.
>
> Log lines are given below, but please ask if you require any further information.
>
> (If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)
>
> IP of the attacker:  <my.hetzner.IP.address>
>
> You can contact us by using: [email protected]
>
> Addresses to send to:
> [email protected]
>
> ==================== Excerpt from log for <my.hetzner.IP.address> ====================
> Note: Local timezone is +0100 (CET)
> Dec 13 16:47:48 km20636 sshd[20981]: Invalid user student from <my.hetzner.IP.address> port 35934
> Dec 13 16:47:48 km20636 sshd[20981]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<my.hetzner.IP.address>
> Dec 13 16:47:49 km20636 sshd[20981]: Failed password for invalid user student from <my.hetzner.IP.address> port 35934 ssh2
> Dec 13 16:47:49 km20636 sshd[20981]: Received disconnect from <my.hetzner.IP.address> port 35934:11: Bye Bye [preauth]
> Dec 13 16:47:49 km20636 sshd[20981]: Disconnected from invalid user student <my.hetzner.IP.address> port 35934 [preauth]
> Dec 13 17:05:10 km20636 sshd[23993]: Invalid user usbmux from <my.hetzner.IP.address> port 42324
> Dec 13 17:05:10 km20636 sshd[23993]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<my.hetzner.IP.address>
> Dec 13 17:05:12 km20636 sshd[23993]: Failed password for invalid user usbmux from <my.hetzner.IP.address> port 42324 ssh2
> Dec 13 17:05:12 km20636 sshd[23993]: Received disconnect from <my.hetzner.IP.address> port 42324:11: Bye Bye [preauth]
> Dec 13 17:05:12 km20636 sshd[23993]: Disconnected from invalid user usbmux <my.hetzner.IP.address> port 42324 [preauth]
> Dec 13 17:20:36 km20636 sshd[26621]: Invalid user www-upload from <my.hetzner.IP.address> port 59094
> Dec 13 17:20:36 km20636 sshd[26621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<my.hetzner.IP.address>
> Dec 13 17:20:39 km20636 sshd[26621]: Failed password for invalid user www-upload from <my.hetzner.IP.address> port 59094 ssh2
> Dec 13 17:20:39 km20636 sshd[26621]: Received disconnect from <my.hetzner.IP.address> port 59094:11: Bye Bye [preauth]
> Dec 13 17:20:39 km20636 sshd[26621]: Disconnected from invalid user www-upload <my.hetzner.IP.address> port 59094 [preauth]
> Dec 13 17:36:02 km20636 sshd[29264]: Invalid user admin from <my.hetzner.IP.address> port 47570
> Dec 13 17:36:02 km20636 sshd[29264]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<my.hetzner.IP.address>
> Dec 13 17:36:04 km20636 sshd[29264]: Failed password for invalid user admin from <my.hetzner.IP.address> port 47570 ssh2
> Dec 13 17:36:04 km20636 sshd[29264]: Received disconnect from <my.hetzner.IP.address> port 47570:11: Bye Bye [preauth]
> Dec 13 17:36:04 km20636 sshd[29264]: Disconnected from invalid user admin <my.hetzner.IP.address> port 47570 [preauth]
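A small parser for excerpts like the one above, added here as an example (it is not part of the thread and not Fail2Ban's code). The point it makes is the one the thread circles around: the address in sshd's `from <ip>` field is the client that connected to the host that wrote the log, so when that address is yours, the report says the connections left your machine. The log below is constructed in the shape of the mail, with the reporter's placeholder replaced by the documentation address 203.0.113.10 and one extra constructed `Accepted publickey` line from 198.51.100.7 to show a normal login for contrast.

```python
"""Summarise an sshd / Fail2Ban abuse excerpt by remote IP.

Added example, not from the LowEndTalk thread. The log text is constructed
to mirror the excerpt in the abuse mail; IPs are documentation addresses.
"""
import re
from datetime import datetime

# Constructed sample in the shape of the Fail2Ban excerpt from the report.
SAMPLE_LOG = """\
Dec 13 16:47:48 km20636 sshd[20981]: Invalid user student from 203.0.113.10 port 35934
Dec 13 16:47:48 km20636 sshd[20981]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.10
Dec 13 16:47:49 km20636 sshd[20981]: Failed password for invalid user student from 203.0.113.10 port 35934 ssh2
Dec 13 16:47:49 km20636 sshd[20981]: Received disconnect from 203.0.113.10 port 35934:11: Bye Bye [preauth]
Dec 13 17:05:10 km20636 sshd[23993]: Invalid user usbmux from 203.0.113.10 port 42324
Dec 13 17:05:12 km20636 sshd[23993]: Failed password for invalid user usbmux from 203.0.113.10 port 42324 ssh2
Dec 13 17:20:36 km20636 sshd[26621]: Invalid user www-upload from 203.0.113.10 port 59094
Dec 13 17:20:39 km20636 sshd[26621]: Failed password for invalid user www-upload from 203.0.113.10 port 59094 ssh2
Dec 13 17:36:02 km20636 sshd[29264]: Invalid user admin from 203.0.113.10 port 47570
Dec 13 17:36:04 km20636 sshd[29264]: Failed password for invalid user admin from 203.0.113.10 port 47570 ssh2
Dec 13 17:36:05 km20636 sshd[29270]: Accepted publickey for deploy from 198.51.100.7 port 51000 ssh2
"""

# Syslog prefix: "<Mon DD HH:MM:SS> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The three sshd message shapes we care about; everything else is ignored.
EVENT_RES = (
    ("failed", re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("invalid", re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("accepted", re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
)


def parse_syslog_ts(ts, year):
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def summarize(log_text, year=2020):
    """Group sshd auth events by the remote ('from') address.

    Returns {ip: {"failed": int, "accepted": int, "invalid_users": [..],
                  "first": datetime, "last": datetime}}.
    """
    per_ip = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        kind, ev = None, None
        for name, rx in EVENT_RES:
            ev = rx.match(m.group("msg"))
            if ev:
                kind = name
                break
        if ev is None:
            continue  # pam_unix, disconnect and other lines carry no new fact
        d = ev.groupdict()
        e = per_ip.setdefault(d["ip"], {"failed": 0, "accepted": 0, "invalid_users": [],
                                        "first": None, "last": None})
        ts = parse_syslog_ts(m.group("ts"), year)
        e["first"] = ts if e["first"] is None else min(e["first"], ts)
        e["last"] = ts if e["last"] is None else max(e["last"], ts)
        if kind == "failed":
            e["failed"] += 1
        elif kind == "invalid":
            if d["user"] not in e["invalid_users"]:
                e["invalid_users"].append(d["user"])
        else:
            e["accepted"] += 1
    return per_ip


def interpret(per_ip, my_ips, min_failed=3):
    """Say what the excerpt implies for each address with repeated failures.

    The 'from' address is the connecting client, so an address of ours in
    that position means the brute-force traffic originated on our host.
    """
    findings = {}
    for ip, e in per_ip.items():
        if e["failed"] < min_failed:
            continue
        findings[ip] = ("our host is the attacking client" if ip in my_ips
                        else "third-party client attacking the logging host")
    return findings


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, e in summary.items():
        print(f"{ip}: {e['failed']} failed, {e['accepted']} accepted, users tried {e['invalid_users']}")
    print(interpret(summary, my_ips={"203.0.113.10"}))
```

Run against a real report, the interesting output is the `interpret` line: one failed attempt every quarter of an hour from a single address, cycling through generic usernames, is the signature of a scanner, and if the address is yours the next step is to treat your own host as the thing to investigate, not the reporter.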

Comments

  • jackb Member, Host Rep

    I'm not interested in the spam from abuse-at-hetzner-dot-com

    You should be; it's clear your system is compromised.

  • @jackb said:

    I'm not interested in the spam from abuse-at-hetzner-dot-com

    You should be; it's clear your system is compromised.

    Now, I'm more interested in how this happened.

  • deank Member, Troll

    Covering your ears and shouting Lalalalalalaaaaa generally doesn't solve problems.

    Thanked by 3: 0xbkt, MrH, vimalware
  • Bossman,
    You have been pawned.

    Thanked by 1: MrH
  • I thought the logs just stated that somebody was trying to pawn OP's host but no luck so far?
    It's true that OP should consider the mail from the provider; kudos for the notification.

  • @deank said: Covering your ears and shouting Lalalalalalaaaaa

    Trump would argue.

    Thanked by 2: dodheimsgard, MrH
  • OK fuck Plesk, more to come.

  • @jackb said:

    I'm not interested in the spam from abuse-at-hetzner-dot-com

    You should be; it's clear your system is compromised.

    How are you able to tell? I only see failed attempts. Please give some tips. I might need this if it happens to me also. Thanks.

  • Lee Veteran

    @mezoology said: my server is only accessible via 4096 sshkey

    Yes but;

    @mezoology said: the server has Plesk and 1 python docker.

  • WebProject Host Rep, Veteran
    edited December 2020

    @mezoology said:
    OK fuck Plesk, more to come.

    Nothing to do with Plesk, as any secure system will be compromised if the user is unable to administer it or figure it out. You will be able to go through the logs and figure out what happened.

  • Falzo Member
    edited December 2020

    @team_traitor said:

    @jackb said:

    I'm not interested in the spam from abuse-at-hetzner-dot-com

    You should be; it's clear your system is compromised.

    How are you able to tell? I only see failed attempts. Please give some tips. I might need this if it happens to me also. Thanks.

    By looking at

    from < my.hetzner.IP.address >

    Obviously that log snippet is from the attacked system that filed the abuse report. Therefore that system is targeted by a brute-force script running on OP's server/coming from his IP...

  • deank Member, Troll

    First blames Hetzner. Then Plesk. What next?

    Thanked by 2: WebProject, MrH
  • @deank said:
    First blames Hetzner. Then Plesk. What next?

    Sue @deank

  • Tony40 Member
    edited December 2020

    @team_traitor said:

    @jackb said:

    I'm not interested in the spam from abuse-at-hetzner-dot-com

    You should be; it's clear your system is compromised.

    How are you able to tell? I only see failed attempts. Please give some tips. I might need this if it happens to me also. Thanks.

    Connect via SSH, see the last system logins.

    $ last
    $ last | head

    It will show the last users and IPs.

  • @Tony40 said:

    @team_traitor said:

    @jackb said:

    I'm not interested in the spam from abuse-at-hetzner-dot-com

    You should be; it's clear your system is compromised.

    How are you able to tell? I only see failed attempts. Please give some tips. I might need this if it happens to me also. Thanks.

    Connect via SSH, see the last system logins.

    $ last
    $ last | head

    It will show the last users and IPs.

    That's assuming that teh dewd didn't replace last with something else or at least wiped the logs. ;)
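The two comments above (`last` shows recent logins; a replaced `last` binary or wiped logs make it lie) can be combined into one defensive habit: copy `/var/log/wtmp` off the box and read the records with your own parser rather than with the host's binaries. The script below is an added example, not from the thread or from util-linux. It assumes the glibc x86_64 `struct utmp` layout (384-byte records, 32-bit time fields), pairs logins with logouts by tty the way `last` does, and reports leftover bytes so a truncated file is visible. The wtmp records it parses are constructed in the script itself; `read_wtmp_file` is a hypothetical helper name for reading a real copy.

```python
"""Parse wtmp records directly instead of trusting the `last` binary.

Added example, not from the thread. Assumes the glibc x86_64 utmp layout;
other architectures or libc versions may differ. Sample data is constructed.
"""
import struct
from datetime import datetime, timezone

# glibc x86_64 struct utmp: ut_type, pad, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], ut_exit (2 shorts), ut_session, ut_tv (2 x int32),
# ut_addr_v6[4], reserved[20]  -> 384 bytes, little-endian.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width C string."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def make_record(ut_type, pid, line, user, host, ts):
    """Build one utmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Return (records, leftover_bytes). A non-zero leftover means the file
    does not end on a record boundary, i.e. it was truncated or partly wiped."""
    count, leftover = divmod(len(data), UTMP_SIZE)
    records = []
    for i in range(count):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         sec, _usec, *_addr) = struct.unpack_from(UTMP_FMT, data, i * UTMP_SIZE)
        records.append({
            "type": ut_type, "pid": pid, "line": _cstr(line), "user": _cstr(user),
            "host": _cstr(host), "time": datetime.fromtimestamp(sec, timezone.utc),
        })
    return records, leftover


def sessions(records):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same tty.
    Sessions with no matching logout are reported with logout=None."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            start = open_by_line.pop(r["line"])
            out.append({"user": start["user"], "host": start["host"], "line": r["line"],
                        "login": start["time"], "logout": r["time"]})
    for start in open_by_line.values():
        out.append({"user": start["user"], "host": start["host"], "line": start["line"],
                    "login": start["time"], "logout": None})
    return out


def read_wtmp_file(path):
    """Hypothetical helper: parse a copy of wtmp taken from a suspect host."""
    with open(path, "rb") as fh:
        return parse_wtmp(fh.read())


# Constructed sample: boot, two logins, one logout, plus 10 stray bytes to
# simulate a file that was truncated mid-record.
T0 = 1607874468  # 2020-12-13 15:47:48 UTC (16:47:48 CET, as in the report)
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "5.4.0 (constructed)", T0),
    make_record(USER_PROCESS, 4101, "pts/0", "deploy", "198.51.100.7", T0 + 600),
    make_record(USER_PROCESS, 4207, "pts/1", "sub_web1", "203.0.113.77", T0 + 3600),
    make_record(DEAD_PROCESS, 4101, "pts/0", "", "", T0 + 900),
]) + b"\0" * 10


if __name__ == "__main__":
    recs, extra = parse_wtmp(SAMPLE_WTMP)
    print(f"{len(recs)} records, {extra} leftover bytes")
    for s in sessions(recs):
        end = s["logout"].isoformat() if s["logout"] else "still logged in"
        print(f"{s['user']:10} {s['line']:8} {s['host']:16} {s['login'].isoformat()} -> {end}")
```

Note that absence of evidence in wtmp is not evidence of absence: an attacker who cleared the file leaves you with a short or empty record set, so compare what wtmp says with the provider's abuse report, the web server and FTP logs, and any remote syslog you keep.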

  • OK, I blame Plesk because the attacker logged in with a Plesk user assigned to a subdomain. IDK how in hell it was possible to log in with that user.
    It's weird: once I got in, the CPU was taken by kswapd0 running under that user. Not sure if he renamed his malicious script to this process name or it was a system failure.
    I disabled the network connection and now investigating with damn slow VNC.

    @seriesn said:
    Bossman,
    You have been pawned.

    Big time, seriesn. Big time.

    @deank said:
    First blames Hetzner. Then Plesk. What next?

    Where were you when this all happened, bud?

    @xaoc said:
    That's assuming that teh dewd didn't replace last with something else or at least wiped the logs. ;)

    Lol yes, those are gone.

  • @mezoology said: I disabled the network connection and now investigating with damn slow VNC.

    Try booting into rescue mode and investigating from there :). It would be easier.

  • Lee Veteran

    Sums it up really.

  • @Lee said:

    Sums it up really.

    I appreciate your insight, friend. It was very helpful.

  • It looks like a brute-force SSH scanner; I find that in logs all the time, doesn't mean you are hacked.

  • Nope, it got hacked into; the system logs got encrypted, but I found some other logs and mailed them back to Hetzner.
    The logs up there are from the target system. Attacks came from my server.

  • Do you think there is a vulnerability in Docker or Plesk?

    @mezoology said:
    Nope, it got hacked into; the system logs got encrypted, but I found some other logs and mailed them back to Hetzner.
    The logs up there are from the target system. Attacks came from my server.

    How are they able to do that when you are using SSH keys? Was someone able to get their hands on it?

    Please share more information; this might help us in the future. Thanks :-)

  • @team_traitor said:
    Do you think there is a vulnerability in Docker or Plesk?
    How are they able to do that when you are using SSH keys? Was someone able to get their hands on it?

    Please share more information; this might help us in the future. Thanks :-)

    It was a huge attack. It wasn't the user with a key that got compromised; it was a user with a password created by Plesk when adding a subdomain.
    I can't say it was a vulnerability in Plesk, rather a weak password generated for that user. Plus it should not be allowed to SSH login.
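The root cause above is a standard audit question: which accounts on the box have an interactive shell and can still authenticate with a password over SSH? The script below is an added example (not from the thread, not Plesk's or OpenSSH's code) that answers it from an `/etc/passwd` dump and an `sshd_config`. It applies two sshd rules that trip people up: for a keyword outside a `Match` block the first value wins, so a `PasswordAuthentication no` added at the bottom of a file that already says `yes` does nothing, and `Match User` blocks override per account. Both input files are constructed; the account name `sub_web1` is a stand-in for a subscription user and not a real Plesk naming scheme.

```python
"""List accounts that could still log in over SSH with a password.

Added example, not from the thread. Inputs are constructed. Handles sshd's
first-value-wins rule and "Match User" overrides for PasswordAuthentication;
other Match criteria (Address, Group) are skipped, which is stated in output.
"""
import re
import sys

NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1000:1000:deploy user (constructed):/home/deploy:/bin/bash
sub_web1:x:10001:1001:subscription user (constructed):/var/www/vhosts/example.test:/bin/bash
sub_web2:x:10002:1002:subscription user (constructed):/var/www/vhosts/other.test:/bin/false
"""

SSHD_CONFIG_SAMPLE = """\
# constructed sshd_config
PasswordAuthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication no    # no effect: sshd keeps the first value it saw
Match User deploy
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return (global_settings, per_user_overrides, skipped_match_lines).

    Keywords are lower-cased. Within each section the first value wins,
    mirroring sshd. Only 'Match User a,b' blocks are applied per user."""
    glob, overrides, skipped = {}, {}, []
    targets = [glob]  # dicts the current section writes into
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "match":
            crit = value.split()
            if crit == ["all"]:
                targets = [glob]
            elif len(crit) == 2 and crit[0].lower() == "user":
                targets = [overrides.setdefault(u, {}) for u in crit[1].split(",")]
            else:
                skipped.append(line)
                targets = []  # unsupported criteria: ignore the block's directives
            continue
        for d in targets:
            d.setdefault(key, value)
    return glob, overrides, skipped


def password_login_accounts(passwd_text, sshd_text):
    """Accounts with an interactive shell for which password auth is effective."""
    glob, overrides, _ = parse_sshd_config(sshd_text)
    global_pw = glob.get("passwordauthentication", "yes")          # sshd default
    root_policy = glob.get("permitrootlogin", "prohibit-password")  # sshd default
    flagged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        user, shell = fields[0], fields[6]
        if shell in NON_LOGIN_SHELLS:
            continue
        effective = overrides.get(user, {}).get("passwordauthentication", global_pw)
        if effective.lower() != "yes":
            continue
        if user == "root" and root_policy.lower() != "yes":
            continue
        flagged.append(user)
    return flagged


if __name__ == "__main__":
    # Usage: audit.py [/etc/passwd /etc/ssh/sshd_config]; defaults to the samples.
    if len(sys.argv) == 3:
        passwd = open(sys.argv[1]).read()
        sshd = open(sys.argv[2]).read()
    else:
        passwd, sshd = PASSWD_SAMPLE, SSHD_CONFIG_SAMPLE
    _, _, skipped = parse_sshd_config(sshd)
    for m in skipped:
        print(f"note: '{m}' block not evaluated; check it by hand")
    print("password-capable interactive accounts:", password_login_accounts(passwd, sshd))
```

On the sample, `deploy` is cleared by its `Match User` block and `root` by `prohibit-password`, leaving only `sub_web1`; on a real host, `sshd -T` prints the effective configuration and is the authoritative cross-check for anything this script skips. Accounts that exist only to own a web root should get a non-login shell, and password authentication is best switched off globally once every operator has a key.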

  • I think you need to do something, or else you will get suspended and have a hard time getting any new products from this provider in the future.

  • Falzo Member
    edited December 2020

    @mezoology said: I can't say it was a vulnerability in Plesk, rather a weak password generated for that user. Plus it should not be allowed to SSH login.

    Don't focus too much on SSH access itself. It could be sufficient if the attacker was able to put stuff (FTP, PHP upload etc.) into the web root of the compromised account, like a CGI script or whatever.

    Trying to SSH out from your server does not necessarily need elevated privileges... though of course it could also be that there were more vectors to the attack and it tried or succeeded to pull an additional payload. Still not really dependent on gaining direct SSH access at all.

  • xrz Member
    edited December 2020

    Watch out!!!

    Also I was fast and downloaded their binaries -> OMG !!! https://www.virustotal.com/gui/file/761dd856250f5e56ad4664fe0c48f4a9fbd93bc3f21f44bab193373176e21ab9/detection

    There are huge hacks with kswapd0.

    Connecting IPs to 45.9.148.125 and 45.9.148.117.

    Hit me today! Something is vulnerable, like SSH!

    Also https://www.reddit.com/r/linux4noobs/comments/ht1a3r/ufw_log_how_to_find_what_program_is_communicating/
