Jun 6th, 2013
Dear Client

At the end of last week, Hetzner technicians discovered a "backdoor" in one
of our internal monitoring systems (Nagios).

An investigation was launched immediately and showed that the administration
interface for dedicated root servers (Robot) had also been affected. Current
findings would suggest that fragments of our client database had been copied

As a result, we currently have to consider the client data stored in our Robot
as compromised.

To our knowledge, the malicious program that we have discovered is as yet
unknown and has never appeared before.

The malicious code used in the "backdoor" exclusively infects the RAM. First
analysis suggests that the malicious code directly infiltrates running Apache
and sshd processes. Here, the infection neither modifies the binaries of the
service which has been compromised, nor does it restart the service which has
been affected.

The standard techniques used for analysis such as the examination of checksum
or tools such as "rkhunter" are therefore not able to track down the malicious

We have commissioned an external security company with a detailed analysis of
the incident to support our in-house administrators. At this stage, analysis
of the incident has not yet been completed.

The access passwords for your Robot client account are stored in our database
as Hash (SHA256) with salt. As a precaution, we recommend that you change your
client passwords in the Robot.

With credit cards, only the last three digits of the card number, the card type
and the expiry date are saved in our systems. All other card data is saved
solely by our payment service provider and referenced via a pseudo card number.
Therefore, as far as we are aware, credit card data has not been compromised.

Hetzner technicians are permanently working on localising and preventing possible
security vulnerabilities as well as ensuring that our systems and infrastructure
are kept as safe as possible. Data security is a very high priority for us. To
expedite clarification further, we have reported this incident to the data
security authority concerned.

Furthermore, we are in contact with the Federal Criminal Police Office (BKA) in
regard to this incident.

Naturally, we shall inform you of new developments immediately.

We very much regret this incident and thank you for your understanding and
trust in us.

A special FAQs page has been set up at
http://wiki.hetzner.de/index.php/Security_Issue/en to assist you with further

Kind regards

Martin Hetzner

Hetzner Online AG
Stuttgarter Str. 1
91710 Gunzenhausen / Germany
Tel: +49 (9831) 61006-1
Fax: +49 (9831) 61006-2
Register Court: Registergericht Ansbach, HRB 3204
Management Board: Dipl. Ing. (FH) Martin Hetzner
Chairwoman of the Supervisory Board: Diana Rothhan