<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">While at this time we are trying to
reach out to Hetzner to see what exactly they are running, I
have a suspicion that they aren't even running Nagios, and are
running Icinga, based on the screenshot below combined with the
fact that Hetzner hosts at least one of their websites.<br>
<br>
<br>
<img src="cid:part1.01000300.07050308@nagios.com" alt="">
<pre class="moz-signature" cols="72">Scott Wilkerson
Information Technology Manager
___
Email: <a class="moz-txt-link-abbreviated" href="mailto:swilkerson@nagios.com">swilkerson@nagios.com</a>
Web: <a class="moz-txt-link-abbreviated" href="http://www.nagios.com">www.nagios.com</a>
</pre>
On 6/6/2013 3:46 PM, William Leibzon wrote:<br>
</div>
<blockquote
cite="mid:CAFCy1BiL2cFGneUsV8Ba5z7CZU8PwvVCYLtLtMMi14fgiJposg@mail.gmail.com"
type="cite">
<pre wrap="">Sounds like they got through some sort of security hole in apache and
accessed database on the server, probably as apache/www user and not
root. Unsure from the information given if this apache backdoor would
have had anything to do with nagios cgi or not.
BTW the description of how it happened is rather interesting. I
remember 6 or 7 years ago when I was still following security more
closely people have been talking about possibility of this (hacking
with only in-memory application replacement) on certain forum that
shall remain unnamed. I have never seen or heard of this being done at
any company I consult for though.
On Thu, Jun 6, 2013 at 12:48 PM, Κοκμάδης Δημήτριος <a class="moz-txt-link-rfc2396E" href="mailto:dkokmadis@gmail.com"><dkokmadis@gmail.com></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">The full text:
Dear Client
At the end of last week, Hetzner technicians discovered a "backdoor" in one
of our internal monitoring systems (Nagios).
An investigation was launched immediately and showed that the administration
interface for dedicated root servers (Robot) had also been affected. Current
findings would suggest that fragments of our client database had been copied
externally.
As a result, we currently have to consider the client data stored in our
Robot
as compromised.
To our knowledge, the malicious program that we have discovered is as yet
unknown and has never appeared before.
The malicious code used in the "backdoor" exclusively infects the RAM. First
analysis suggests that the malicious code directly infiltrates running
Apache
and sshd processes. Here, the infection neither modifies the binaries of the
service which has been compromised, nor does it restart the service which
has
been affected.
The standard techniques used for analysis such as the examination of
checksum
or tools such as "rkhunter" are therefore not able to track down the
malicious
code.
We have commissioned an external security company with a detailed analysis
of
the incident to support our in-house administrators. At this stage, analysis
of the incident has not yet been completed.
The access passwords for your Robot client account are stored in our
database
as Hash (SHA256) with salt. As a precaution, we recommend that you change
your
client passwords in the Robot.
With credit cards, only the last three digits of the card number, the card
type
and the expiry date are saved in our systems. All other card data is saved
solely by our payment service provider and referenced via a pseudo card
number.
Therefore, as far as we are aware, credit card data has not been
compromised.
Hetzner technicians are permanently working on localising and preventing
possible
security vulnerabilities as well as ensuring that our systems and
infrastructure
are kept as safe as possible. Data security is a very high priority for us.
To
expedite clarification further, we have reported this incident to the data
security authority concerned.
Furthermore, we are in contact with the Federal Criminal Police Office (BKA)
in
regard to this incident.
Naturally, we shall inform you of new developments immediately.
We very much regret this incident and thank you for your understanding and
trust in us.
A special FAQs page has been set up at
<a class="moz-txt-link-freetext" href="http://wiki.hetzner.de/index.php/Security_Issue/en">http://wiki.hetzner.de/index.php/Security_Issue/en</a> to assist you with
further
enquiries.
2013/6/6 Rainer Duffner <a class="moz-txt-link-rfc2396E" href="mailto:rainer@ultra-secure.de"><rainer@ultra-secure.de></a>
</pre>
<blockquote type="cite">
<pre wrap="">
Am 06.06.2013 um 20:46 schrieb Sven Nierlein <a class="moz-txt-link-rfc2396E" href="mailto:Sven.Nierlein@Consol.de"><Sven.Nierlein@Consol.de></a>:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
Do you have any details? The german notice sounds like someone broke
into their nagios system, but not necessarily by a nagios backdoor.
Sven
</pre>
</blockquote>
<pre wrap="">
There are not many details available - probably partly because they don't
know them themselves (they've hired outside experts for the analysis).
Also, what you will read about such an incident will almost always never
be the "complete truth" but more what the company will want you to believe
to be the truth.
>From what can the learned from (mostly reliable heise-news)
<a class="moz-txt-link-freetext" href="http://www.heise.de/newsticker/meldung/Hetzner-gehackt-Kundendaten-kopiert-1884180.html">http://www.heise.de/newsticker/meldung/Hetzner-gehackt-Kundendaten-kopiert-1884180.html</a>
it either seems to be a rather sophisticated APT-style attack - or the
company (Hetzner) has learned little to nothing from previous
security-breaches and attackers found another way into their systems.
------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
<a class="moz-txt-link-freetext" href="http://p.sf.net/sfu/servicenow-d2d-j">http://p.sf.net/sfu/servicenow-d2d-j</a>
_______________________________________________
Nagios-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Nagios-users@lists.sourceforge.net">Nagios-users@lists.sourceforge.net</a>
<a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/nagios-users">https://lists.sourceforge.net/lists/listinfo/nagios-users</a>
::: Please include Nagios version, plugin version (-v) and OS when
reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
</pre>
</blockquote>
<pre wrap="">
------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
<a class="moz-txt-link-freetext" href="http://p.sf.net/sfu/servicenow-d2d-j">http://p.sf.net/sfu/servicenow-d2d-j</a>
_______________________________________________
Nagios-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Nagios-users@lists.sourceforge.net">Nagios-users@lists.sourceforge.net</a>
<a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/nagios-users">https://lists.sourceforge.net/lists/listinfo/nagios-users</a>
::: Please include Nagios version, plugin version (-v) and OS when reporting
any issue.
::: Messages without supporting info will risk being sent to /dev/null
</pre>
</blockquote>
<pre wrap="">
------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
<a class="moz-txt-link-freetext" href="http://p.sf.net/sfu/servicenow-d2d-j">http://p.sf.net/sfu/servicenow-d2d-j</a>
_______________________________________________
Nagios-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Nagios-users@lists.sourceforge.net">Nagios-users@lists.sourceforge.net</a>
<a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/nagios-users">https://lists.sourceforge.net/lists/listinfo/nagios-users</a>
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null</pre>
</blockquote>
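<p>The Hetzner notice quoted above says the implant lived only in the memory of running Apache and sshd processes, so on-disk checksums and rkhunter had nothing to compare. As an added example that is not part of the thread, the Python below shows the two checks a responder can run against a live Linux process without restarting it: flag executable mappings in /proc/&lt;pid&gt;/maps that are not backed by a file (or are writable), and diff the text pages read from /proc/&lt;pid&gt;/mem against the same bytes of the binary on disk. The maps excerpt, addresses and inode are constructed.</p>

```python
# Added example (not from the thread): two checks for code injected into a
# running httpd/sshd that never touched the on-disk binary, so checksum tools
# and rkhunter see nothing.  The code still sits in the process image, visible
# in /proc/<pid>/maps and /proc/<pid>/mem without restarting the service.
import re

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]".
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) (?P<perms>[rwxps-]{4}) "
    r"(?P<offset>[0-9a-f]+) \S+ (?P<inode>\d+)\s*(?P<path>.*)$")
KERNEL_PSEUDO = {"[vdso]", "[vsyscall]"}  # executable, not file-backed, expected

# Constructed maps excerpt: an sshd-like daemon carrying two injected regions.
SAMPLE_MAPS = """\
55d1a3c00000-55d1a3c9c000 r-xp 00000000 fd:01 655412   /usr/sbin/sshd
55d1a3e9c000-55d1a3ea0000 rw-p 0009c000 fd:01 655412   /usr/sbin/sshd
55d1a5a00000-55d1a5a21000 rw-p 00000000 00:00 0        [heap]
7f6b2c000000-7f6b2c003000 r-xp 00000000 00:00 0
7f6b2c003000-7f6b2c023000 rwxp 00000000 00:00 0
7ffd1e3c9000-7ffd1e3cb000 r-xp 00000000 00:00 0        [vdso]
"""

def suspicious_mappings(maps_text):
    """(start, end, perms, path, reason) for executable regions that are not
    file-backed and for anything writable+executable.  JIT runtimes create
    such regions legitimately; in a plain C daemon they are the signal."""
    out = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or "x" not in m["perms"]:
            continue
        path = m["path"].strip()
        if "w" in m["perms"]:
            reason = "writable+executable mapping"
        elif m["inode"] == "0" and path not in KERNEL_PSEUDO:
            reason = "executable mapping not backed by a file"
        else:
            continue
        out.append((int(m["start"], 16), int(m["end"], 16), m["perms"],
                    path or "[anon]", reason))
    return out

def patched_pages(in_memory, on_disk, page=4096):
    """Page indexes where text read from /proc/<pid>/mem differs from the same
    bytes of the file on disk (read from the maps offset column).  .text
    normally has no load-time relocations, so a clean daemon yields [] and any
    hit is a patch applied in memory that never reached the filesystem."""
    n = min(len(in_memory), len(on_disk))
    return [i // page for i in range(0, n, page)
            if in_memory[i:i + page] != on_disk[i:i + page]]
```

<p>Reading /proc/&lt;pid&gt;/mem needs ptrace permission on the target (root in practice), and the first check should be tuned per daemon because JIT-based runtimes create anonymous executable mappings by design.</p>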
<br>
</body>
</html>