Hetzner - DokuWiki

Security Issue/en


Are my details in the konsoleH administration interface also affected?

No, our current information suggests that this data is not affected. However, it is advisable to update passwords on a regular basis here as well.

If we have further questions, can we contact you by telephone?

Owing to the high volume of enquiries, we would ask that you contact us by email instead of telephone.

How about bank data (debit note)? Is this compromised?

Bank details are encrypted (two-way) in the database. However, it cannot be excluded that the attacker/s have also been able to obtain access to the key.

How can I change my access data for the web interfaces?

For information, please see the Change login details page.

Do the attackers have my password?

No, the passwords are not stored as plain text in our database, but as a hash that is generated with a salt. However, the attackers may attempt a brute force attack on that hash in order to guess your password. The length of your password is of key importance in that respect. In any case, we strongly urge you to change your password on the Robot interface as well as on any websites on which you use the same password.

Are Hetzner Mirrors compromised?

No, the Hetzner Mirrors (for Debian/Ubuntu) are not affected. Mirrors are regularly synchronized from the official mirrors directly. Here all parts are signed and your system's packet management checks the signatures of the packet maintainer before installation. This means that any manipulation would immediately become apparent. Other standard images (OpenSuSE/CentOS) use external mirrors for updates. Signatures are also used here which would be able to recognize any manipulation straightaway.

How do I know if my server has also been affected by the same attack?

It is not possible to make any recommendations at this stage. An analysis of the incident is fully underway in the course of the investigation. To avoid jeopardising the investigation, further information or recommendations cannot be disclosed at this moment in time.

How can I detect an infection with malicious code?

The malicious program can be found for example as follows:

- create a memory dump of the SSHD
- run the strings command on the dump
- look for specific sequences of characters

If the system has been infected by the rootkit, the following strings can be found in the dump:


So, for example:


1: aptitude install gdb
2: gdb --pid=`ps ax|grep "\/usr\/sbin\/sshd"|cut -d" " -f1`
3: > gcore
4: > quit
5: strings core.XXXXX |grep "key="

Tool such as http://secondlookforensics.com/ should also be able to detect the backdoor.

© 2015. Hetzner Online GmbH. Alle Rechte vorbehalten.