We have received a notification from the German Federal Office for Information Security (BSI) for (the IP address of) a server you have with us. We are automatically forwarding this notification on to you, for your information.
The original report has been included below. Additional information is provided with the how-to guides referenced in the report. Please note that we do not have any further information to share.
These notifications do not mean your server was involved in any abusive activity. They are simply alerting you to a potential issue on your server, that could be exploited, and that is usually fairly easy to secure.
You do not need to send us, or the BSI, a response.
In case of further questions, please contact certbund@bsi.bund.de and keep the ticket number of the original report [CB-Report#...] in the subject line. Do not reply to <reports@reports.cert-bund.de> as this is just the sender address for the reports and messages sent to this address will not be read.
Kind regards
Abuse Team
Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen / Germany
Tel: +49 9831 5050
Fax: +49 9831 5053
www.hetzner.com
Register Court: Registergericht Ansbach, HRB 6089
CEO: Martin Hetzner, Stephan Konvickova, Günther Müller
You have the option of making an appeal against a negative decision.
To do that, please reply directly to this ticket. If this is the Abuse
Teams final decision, you can also make a complaint by writing to
info@hetzner.com. The European Commission also provides a
platform that you can use as a platform for online dispute resolution
(ODR) at http://ec.europa.eu/consumers/odr. We are neither willing
nor required to participate in a dispute resolution process before a
consumer arbitration board.
For the purposes of this communication, we may save some of your
personal data. For information on our data privacy policy, please see:
www.hetzner.com/privacy-policy-notice
> Dear Sir or Madam,
>
> the Portmapper service (portmap, rpcbind) is required for mapping RPC
> requests to a network service. The Portmapper service is needed e.g.
> for mounting network shares using the Network File System (NFS).
> The Portmapper service runs on port 111 tcp/udp.
>
> In addition to being abused for DDoS reflection attacks, the
> Portmapper service can be used by attackers to obtain information
> on the target network like available RPC services or network shares.
>
> Over the past months, systems responding to Portmapper requests from
> anywhere on the Internet have been increasingly abused DDoS reflection
> attacks against third parties.
>
> Please find below a list of affected systems hosted on your network.
> The timestamp (timezone UTC) indicates when the openly accessible
> Portmapper service was identified.
>
> We would like to ask you to check this issue and take appropriate
> steps to secure the Portmapper services on the affected systems or
> notify your customers accordingly.
>
> If you have recently solved the issue but received this notification
> again, please note the timestamp included below. You should not
> receive any further notifications with timestamps after the issue
> has been solved.
>
> Additional information on this notification, advice on how to fix
> reported issues and answers to frequently asked questions:
> <https://reports.cert-bund.de/en/>
>
> This message is digitally signed using PGP.
> Information on the signature key is available at:
> <https://reports.cert-bund.de/en/digital-signature>
>
> Please note:
> This is an automatically generated message. Replies to the
> sender address <reports@reports.cert-bund.de> will NOT be read
> but silently be discarded. In case of questions, please contact
> <certbund@bsi.bund.de> and keep the ticket number [CB-Report#...]
> of this message in the subject line.
>
> Affected systems on your network:
>
> Format: ASN | IP | Timestamp (UTC) | RPC response
> 24940 | 5.75.134.122 | 2025-01-21 05:11:12 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
>
> Mit freundlichen Grüßen / Kind regards
> Team CERT-Bund
>
> Bundesamt für Sicherheit in der Informationstechnik
> Federal Office for Information Security (BSI)
> CERT-Bund
> Godesberger Allee 87, 53175 Bonn, Germany
Hetznerden Böyle Bir Mail Aldım Ne Yapmalıyım ?
7
●346
- 22-01-2025, 22:13:03Merhaba,
Bu mail sunucu kullanan herkese ( portlarını kapalı tutmayan herkese ) düzenli şekilde gönderiliyor. USOM'un almanyadaki eş değer kurumu yapıyor bu taramayı düzenli olarak bizede geliyor. Otomatik mesaj diye biliyorum. Destekten kontrol ve teyit alabilirsin.
İp adresini kaldırın
cReens adlı üyeden alıntı: mesajı görüntüle - 22-01-2025, 22:16:02Hayır bir alakası yok. Hetzner'den yeni bulut sunucu almış ve 111 TCP/UDP portu açık olan herkese bu mail gönderiliyor. Portları kapatın ve maile yanıt verin "sorun çözüldü" vb. şeklinde sorun olmayacaktır.cReens adlı üyeden alıntı: mesajı görüntüle
- 22-01-2025, 22:18:05proxy cpanel 111 i kullanıyor olabilir mi ? birde Vds sunucuma 1553 tane hatalı giriş olmuş farklı isimler bazıları root olarak bunlar cpanel ters lisans diye normal bişeymi saldırımı varMisafir adlı üyeden alıntı: mesajı görüntüle
- 22-01-2025, 23:11:28Merhaba,cReens adlı üyeden alıntı: mesajı görüntüle
Bu mesaj genel bir uyarı niteliğinde herkese iletilmektedir. Sizin veya sunucu içerisinde yaptığınız uygulamaların bağlantılı olduğu bir uyarı değil, hatta uyarı yerine bilgilendirme bile diyebileceğimiz cinsten bir maildir. Cevaplamadan silip geçebilirsiniz. - 22-01-2025, 23:33:16çinliler tarıyor hocam bütün sunucuları özellikle de hetznercReens adlı üyeden alıntı: mesajı görüntüle
müşteriye şifre değiştirmeyi gösterirken şifreyi 123456 yapmıştık ertesi gün sunucu hack yemiş 123456 olarak bıraktığı için
sonra kontrol ettik baktık ki bütün sunucular aslında bu tür istekler alıyor devamlı olarak
problem o değil ancak dediğiniz gibi 111 portunu kullanıyor olabilir kurdurduğunuz kişiye sormakta fayda var
