Have just received one of these, anyone any ideas what it is? ... I've checked the VPS and can see nothing in outbound connections or any logs to suggest anything is installed on the VPS.
We have received a security alert from the German Federal Office for Information Security (BSI).
Please see the original report included below for details.
Please investigate and solve the reported issue.
It is not required that you reply to either us or the BSI.
If the issue has been fixed successfully, you should not receive any further notifications.
Additional information is provided with the HOWTOs referenced in the report.
In case of further questions, please contact [email protected] and keep the ticket number of the original report [CB-Report#...] in the subject line. Do not reply to <[email protected]> as this is just the sender address for the reports and messages sent to this address will not be read.
Kind regards
Abuse Team
Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen / Germany
Tel: +49 9831 5050
Fax: +49 9831 5053
www.hetzner.com
Register Court: Registergericht Ansbach, HRB 6089
CEO: Martin Hetzner, Stephan Konvickova, Günther Müller
For the purposes of this communication, we may save some
of your personal data. For information on our data privacy
policy, please see: www.hetzner.com/datenschutzhinweis
On 08 May 09:30, [email protected] wrote:
> Dear Sir or Madam,
>
> Remote Desktop Protocol (RDP) developed by Microsoft is a proprietary
> network protocol for remote administration of Windows systems.
> The RDP service is using port 3389/tcp by default.
>
> Malicious actors take advantage of RDP services openly accessible from
> anywhere on the Internet for gaining unauthorized access to the
> victims' systems by performing brute-force attacks on weak passwords
> or abusing stolen login credentials. On the dark market, thousands of
> stolen login credentials for RDP services all over the world are sold.
> Those credentials usually have been harvested by malware on the hosts
> used for remote administration of the affected systems.
>
> In the past months, malicious actors more often installed ransomware
> on the compromised systems to encrypt data and subsequently demand
> ransom from the owners of the systems for the decryption of the data.
>
> To protect against such kind of attacks, CERT-Bund recommends
> restricting access to RDP services to trusted source IPs or using a
> secure VPN connection for accessing the RDP service.
>
> Affected systems on your network:
>
> Format: ASN | IP | Timestamp (UTC) | Subject common name
> 24940 | 116.***.***.46 | 2019-05-07 08:55:08 | WIN-9CBP***30ER
>
> We would like to ask you to look into this matter or notify your
> customers accordingly.
>
> This message is digitally signed using PGP.
> Information on the signature key is available at:
> <https://reports.cert-bund.de/en/digital-signature>
>
> Please note:
> This is an automatically generated message. Replies to the
> sender address <[email protected]> will NOT be read
> but silently be discarded. In case of questions, please contact
> <[email protected]> and keep the ticket number [CB-Report#...]
> of this message in the subject line.
>
>
>
> Mit freundlichen Grüßen / Kind regards
> Team CERT-Bund
>
> Bundesamt für Sicherheit in der Informationstechnik
> Federal Office for Information Security (BSI)
> Referat CK22 - CERT-Bund
> Godesberger Allee 185-189, 53175 Bonn, Germany
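The report flags an RDP service reachable from the Internet, not a confirmed infection, so the useful checks on the Windows host are: confirm 3389/tcp is listening, look for brute-force pressure in the Security log, and apply the CERT-Bund recommendation of scoping RDP to trusted source IPs. The following PowerShell is an added example (not from the post, Hetzner or the BSI report); the trusted-source addresses are placeholders and the firewall display group name assumes an English Windows install.

```powershell
# Added example (not from the post or the BSI report): triage an RDP
# exposure notice on a Windows host from a defender's stance.
# Assumptions: elevated PowerShell on the reported host; $TrustedSources
# holds placeholder RFC 5737 documentation addresses that must be
# replaced with your own admin / VPN egress IPs.

$TrustedSources = @('203.0.113.10', '198.51.100.0/24')   # placeholders

# 1. Confirm what the CERT-Bund scan observed: is RDP listening on
#    3389/tcp on a non-loopback address?
Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize

# 2. Look for brute-force pressure: failed logons (Event ID 4625) in the
#    last 24 hours, grouped by source IP. LogonType 10 = RemoteInteractive (RDP).
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            SourceIp  = ($data | Where-Object Name -eq 'IpAddress').'#text'
            LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'
        }
    }
$failed | Where-Object LogonType -eq '10' |
    Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 | Format-Table -AutoSize

# 3. Apply the recommended mitigation: scope the built-in inbound RDP
#    firewall rules to the trusted sources instead of "Any".
#    (DisplayGroup is localised; 'Remote Desktop' is the English name.)
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
$rdpRules | Set-NetFirewallRule -RemoteAddress $TrustedSources
$rdpRules | Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# 4. Require Network Level Authentication so credentials are verified
#    before a full RDP session is set up.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                 -Name 'UserAuthentication' -Value 1
```

Run step 3 from the provider's console (or with your current source IP already in `$TrustedSources`), otherwise the rule change will cut off the RDP session you are working from.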