nagios backdoor

Scott Wilkerson swilkerson at nagios.com
Thu Jun 6 23:27:14 CEST 2013


While at this time we are trying to reach out to Hetzner to see what 
excatly they are running, but I have a suspicion that they aren't enven 
running Nagios, and are running Icinga, based on this screenshot below 
combined with the fact that Hetzner hosts at least one of their websites.


Scott Wilkerson
Information Technology Manager
___
Email: swilkerson at nagios.com
Web:   www.nagios.com

On 6/6/2013 3:46 PM, William Leibzon wrote:
> Sounds like they got through some sort of security hole in apache and
> accessed database on the server, probably as apache/www user and not
> root. Unsure from the information given if this apache backdoor would
> have had anything to do with nagios cgi or not.
>
> BTW the description of how it happened is rather interesting. I
> remember 6 or 7 years ago when I was still following security more
> closely people have been talking about possibility of this (hacking
> with only in-memory application replacement) on certain forum that
> shall remain unnamed. I have never seen or heard of this being done at
> any company I consult for though.
>
> On Thu, Jun 6, 2013 at 12:48 PM, Κοκμάδης Δημήτριος <dkokmadis at gmail.com> wrote:
>> The full text:
>>
>>
>> Dear Client
>>
>> At the end of last week, Hetzner technicians discovered a "backdoor" in one
>> of our internal monitoring systems (Nagios).
>>
>> An investigation was launched immediately and showed that the administration
>> interface for dedicated root servers (Robot) had also been affected. Current
>> findings would suggest that fragments of our client database had been copied
>> externally.
>>
>> As a result, we currently have to consider the client data stored in our
>> Robot
>> as compromised.
>>
>> To our knowledge, the malicious program that we have discovered is as yet
>> unknown and has never appeared before.
>>
>> The malicious code used in the "backdoor" exclusively infects the RAM. First
>> analysis suggests that the malicious code directly infiltrates running
>> Apache
>> and sshd processes. Here, the infection neither modifies the binaries of the
>> service which has been compromised, nor does it restart the service which
>> has
>> been affected.
>>
>> The standard techniques used for analysis such as the examination of
>> checksum
>> or tools such as "rkhunter" are therefore not able to track down the
>> malicious
>> code.
>>
>> We have commissioned an external security company with a detailed analysis
>> of
>> the incident to support our in-house administrators. At this stage, analysis
>> of the incident has not yet been completed.
>>
>> The access passwords for your Robot client account are stored in our
>> database
>> as Hash (SHA256) with salt. As a precaution, we recommend that you change
>> your
>> client passwords in the Robot.
>>
>> With credit cards, only the last three digits of the card number, the card
>> type
>> and the expiry date are saved in our systems. All other card data is saved
>> solely by our payment service provider and referenced via a pseudo card
>> number.
>> Therefore, as far as we are aware, credit card data has not been
>> compromised.
>>
>> Hetzner technicians are permanently working on localising and preventing
>> possible
>> security vulnerabilities as well as ensuring that our systems and
>> infrastructure
>> are kept as safe as possible. Data security is a very high priority for us.
>> To
>> expedite clarification further, we have reported this incident to the data
>> security authority concerned.
>>
>> Furthermore, we are in contact with the Federal Criminal Police Office (BKA)
>> in
>> regard to this incident.
>>
>> Naturally, we shall inform you of new developments immediately.
>>
>> We very much regret this incident and thank you for your understanding and
>> trust in us.
>>
>> A special FAQs page has been set up at
>> http://wiki.hetzner.de/index.php/Security_Issue/en to assist you with
>> further
>> enquiries.
>>
>>
>>
>>
>> 2013/6/6 Rainer Duffner <rainer at ultra-secure.de>
>>>
>>> Am 06.06.2013 um 20:46 schrieb Sven Nierlein <Sven.Nierlein at Consol.de>:
>>>
>>>> Hi,
>>>>
>>>> Do you have any details? The german notice sounds like someone broke
>>>> into their nagios system, but not necessarily by a nagios backdoor.
>>>>
>>>>   Sven
>>>
>>> There are not many details available - probably partly because they don't
>>> know them themselves (they've hired outside experts for the analysis).
>>> Also, what you will read about such an incident will almost always never
>>> be the "complete truth" but more what the company will want you to believe
>>> to be the truth.
>>>
>>> >From what can the learned from (mostly reliable heise-news)
>>>
>>>
>>> http://www.heise.de/newsticker/meldung/Hetzner-gehackt-Kundendaten-kopiert-1884180.html
>>>
>>>
>>> it either seems to be a rather sophisticated APT-style attack - or the
>>> company (Hetzner) has learned little to nothing from previous
>>> security-breaches and attackers found another way into their systems.
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> How ServiceNow helps IT people transform IT departments:
>>> 1. A cloud service to automate IT design, transition and operations
>>> 2. Dashboards that offer high-level views of enterprise services
>>> 3. A single system of record for all IT processes
>>> http://p.sf.net/sfu/servicenow-d2d-j
>>> _______________________________________________
>>> Nagios-users mailing list
>>> Nagios-users at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/nagios-users
>>> ::: Please include Nagios version, plugin version (-v) and OS when
>>> reporting any issue.
>>> ::: Messages without supporting info will risk being sent to /dev/null
>>
>>
>> ------------------------------------------------------------------------------
>> How ServiceNow helps IT people transform IT departments:
>> 1. A cloud service to automate IT design, transition and operations
>> 2. Dashboards that offer high-level views of enterprise services
>> 3. A single system of record for all IT processes
>> http://p.sf.net/sfu/servicenow-d2d-j
>> _______________________________________________
>> Nagios-users mailing list
>> Nagios-users at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/nagios-users
>> ::: Please include Nagios version, plugin version (-v) and OS when reporting
>> any issue.
>> ::: Messages without supporting info will risk being sent to /dev/null
> ------------------------------------------------------------------------------
> How ServiceNow helps IT people transform IT departments:
> 1. A cloud service to automate IT design, transition and operations
> 2. Dashboards that offer high-level views of enterprise services
> 3. A single system of record for all IT processes
> http://p.sf.net/sfu/servicenow-d2d-j
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
> ::: Messages without supporting info will risk being sent to /dev/null

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.monitoring-lists.org/archive/users/attachments/20130606/ea345a2e/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gefddbgd.png
Type: image/png
Size: 69418 bytes
Desc: not available
URL: <https://www.monitoring-lists.org/archive/users/attachments/20130606/ea345a2e/attachment.png>
-------------- next part --------------
------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
-------------- next part --------------
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null


More information about the Users mailing list