• 22-01-2025, 22:10:32
    #1
    We have received a notification from the German Federal Office for Information Security (BSI) for (the IP address of) a server you have with us. We are automatically forwarding this notification on to you, for your information.

    The original report has been included below. Additional information is provided with the how-to guides referenced in the report. Please note that we do not have any further information to share.

    These notifications do not mean your server was involved in any abusive activity. They are simply alerting you to a potential issue on your server, that could be exploited, and that is usually fairly easy to secure.

    You do not need to send us, or the BSI, a response.

    In case of further questions, please contact certbund@bsi.bund.de and keep the ticket number of the original report [CB-Report#...] in the subject line. Do not reply to <reports@reports.cert-bund.de> as this is just the sender address for the reports and messages sent to this address will not be read.

    Kind regards

    Abuse Team

    Hetzner Online GmbH
    Industriestr. 25
    91710 Gunzenhausen / Germany
    Tel: +49 9831 5050
    Fax: +49 9831 5053
    www.hetzner.com

    Register Court: Registergericht Ansbach, HRB 6089
    CEO: Martin Hetzner, Stephan Konvickova, Günther Müller

    You have the option of making an appeal against a negative decision.
    To do that, please reply directly to this ticket. If this is the Abuse
    Team’s final decision, you can also make a complaint by writing to
    info@hetzner.com. The European Commission also provides a
    platform that you can use as a platform for online dispute resolution
    (ODR) at http://ec.europa.eu/consumers/odr. We are neither willing
    nor required to participate in a dispute resolution process before a
    consumer arbitration board.

    For the purposes of this communication, we may save some of your
    personal data. For information on our data privacy policy, please see:
    www.hetzner.com/privacy-policy-notice

    > Dear Sir or Madam,
    >
    > the Portmapper service (portmap, rpcbind) is required for mapping RPC
    > requests to a network service. The Portmapper service is needed e.g.
    > for mounting network shares using the Network File System (NFS).
    > The Portmapper service runs on port 111 tcp/udp.
    >
    > In addition to being abused for DDoS reflection attacks, the
    > Portmapper service can be used by attackers to obtain information
    > on the target network like available RPC services or network shares.
    >
    > Over the past months, systems responding to Portmapper requests from
    > anywhere on the Internet have been increasingly abused DDoS reflection
    > attacks against third parties.
    >
    > Please find below a list of affected systems hosted on your network.
    > The timestamp (timezone UTC) indicates when the openly accessible
    > Portmapper service was identified.
    >
    > We would like to ask you to check this issue and take appropriate
    > steps to secure the Portmapper services on the affected systems or
    > notify your customers accordingly.
    >
    > If you have recently solved the issue but received this notification
    > again, please note the timestamp included below. You should not
    > receive any further notifications with timestamps after the issue
    > has been solved.
    >
    > Additional information on this notification, advice on how to fix
    > reported issues and answers to frequently asked questions:
    > <https://reports.cert-bund.de/en/>
    >
    > This message is digitally signed using PGP.
    > Information on the signature key is available at:
    > <https://reports.cert-bund.de/en/digital-signature>
    >
    > Please note:
    > This is an automatically generated message. Replies to the
    > sender address <reports@reports.cert-bund.de> will NOT be read
    > but silently be discarded. In case of questions, please contact
    > <certbund@bsi.bund.de> and keep the ticket number [CB-Report#...]
    > of this message in the subject line.
    >
    > Affected systems on your network:
    >
    > Format: ASN | IP | Timestamp (UTC) | RPC response
    > 24940 | 5.75.134.122 | 2025-01-21 05:11:12 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
    >
    > Mit freundlichen Grüßen / Kind regards
    > Team CERT-Bund
    >
    > Bundesamt für Sicherheit in der Informationstechnik
    > Federal Office for Information Security (BSI)
    > CERT-Bund
    > Godesberger Allee 87, 53175 Bonn, Germany
  • 22-01-2025, 22:11:25
    #2
    Selamlar,

    Sunucunuz üzerinden 111 TCP ve UDP portlarını kapatmanız gerekiyor. Sunucunuz için güvenlik açığıdır.

    Edit: Mesajda sunucu ip adresiniz yer alıyor, kaldırmanız sizin için faydalı olur hocam.
  • 22-01-2025, 22:13:03
    #3
    Merhaba,
    Bu mail sunucu kullanan herkese ( portlarını kapalı tutmayan herkese ) düzenli şekilde gönderiliyor. USOM'un almanyadaki eş değer kurumu yapıyor bu taramayı düzenli olarak bizede geliyor. Otomatik mesaj diye biliyorum. Destekten kontrol ve teyit alabilirsin.
    İp adresini kaldırın
    cReens adlı üyeden alıntı: mesajı görüntüle
    We have received a notification from the German Federal Office for Information Security (BSI) for (the IP address of) a server you have with us. We are automatically forwarding this notification on to you, for your information.

    The original report has been included below. Additional information is provided with the how-to guides referenced in the report. Please note that we do not have any further information to share.

    These notifications do not mean your server was involved in any abusive activity. They are simply alerting you to a potential issue on your server, that could be exploited, and that is usually fairly easy to secure.

    You do not need to send us, or the BSI, a response.

    In case of further questions, please contact certbund@bsi.bund.de and keep the ticket number of the original report [CB-Report#...] in the subject line. Do not reply to <reports@reports.cert-bund.de> as this is just the sender address for the reports and messages sent to this address will not be read.

    Kind regards

    Abuse Team

    Hetzner Online GmbH
    Industriestr. 25
    91710 Gunzenhausen / Germany
    Tel: +49 9831 5050
    Fax: +49 9831 5053
    www.hetzner.com

    Register Court: Registergericht Ansbach, HRB 6089
    CEO: Martin Hetzner, Stephan Konvickova, Günther Müller

    You have the option of making an appeal against a negative decision.
    To do that, please reply directly to this ticket. If this is the Abuse
    Team’s final decision, you can also make a complaint by writing to
    info@hetzner.com. The European Commission also provides a
    platform that you can use as a platform for online dispute resolution
    (ODR) at http://ec.europa.eu/consumers/odr. We are neither willing
    nor required to participate in a dispute resolution process before a
    consumer arbitration board.

    For the purposes of this communication, we may save some of your
    personal data. For information on our data privacy policy, please see:
    www.hetzner.com/privacy-policy-notice

    > Dear Sir or Madam,
    >
    > the Portmapper service (portmap, rpcbind) is required for mapping RPC
    > requests to a network service. The Portmapper service is needed e.g.
    > for mounting network shares using the Network File System (NFS).
    > The Portmapper service runs on port 111 tcp/udp.
    >
    > In addition to being abused for DDoS reflection attacks, the
    > Portmapper service can be used by attackers to obtain information
    > on the target network like available RPC services or network shares.
    >
    > Over the past months, systems responding to Portmapper requests from
    > anywhere on the Internet have been increasingly abused DDoS reflection
    > attacks against third parties.
    >
    > Please find below a list of affected systems hosted on your network.
    > The timestamp (timezone UTC) indicates when the openly accessible
    > Portmapper service was identified.
    >
    > We would like to ask you to check this issue and take appropriate
    > steps to secure the Portmapper services on the affected systems or
    > notify your customers accordingly.
    >
    > If you have recently solved the issue but received this notification
    > again, please note the timestamp included below. You should not
    > receive any further notifications with timestamps after the issue
    > has been solved.
    >
    > Additional information on this notification, advice on how to fix
    > reported issues and answers to frequently asked questions:
    > <https://reports.cert-bund.de/en/>
    >
    > This message is digitally signed using PGP.
    > Information on the signature key is available at:
    > <https://reports.cert-bund.de/en/digital-signature>
    >
    > Please note:
    > This is an automatically generated message. Replies to the
    > sender address <reports@reports.cert-bund.de> will NOT be read
    > but silently be discarded. In case of questions, please contact
    > <certbund@bsi.bund.de> and keep the ticket number [CB-Report#...]
    > of this message in the subject line.
    >
    > Affected systems on your network:
    >
    > Format: ASN | IP | Timestamp (UTC) | RPC response
    > 24940 | 5.75.134.122 | 2025-01-21 05:11:12 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
    >
    > Mit freundlichen Grüßen / Kind regards
    > Team CERT-Bund
    >
    > Bundesamt für Sicherheit in der Informationstechnik
    > Federal Office for Information Security (BSI)
    > CERT-Bund
    > Godesberger Allee 87, 53175 Bonn, Germany
  • 22-01-2025, 22:13:58
    #4
    Proxy Cpanel kullanıyorum onla ilgili olabilirmi Hetznerde yasakmı acaba
  • 22-01-2025, 22:16:02
    #5
    cReens adlı üyeden alıntı: mesajı görüntüle
    Proxy Cpanel kullanıyorum onla ilgili olabilirmi Hetznerde yasakmı acaba
    Hayır bir alakası yok. Hetzner'den yeni bulut sunucu almış ve 111 TCP/UDP portu açık olan herkese bu mail gönderiliyor. Portları kapatın ve maile yanıt verin "sorun çözüldü" vb. şeklinde sorun olmayacaktır.
  • 22-01-2025, 22:18:05
    #6
    Misafir adlı üyeden alıntı: mesajı görüntüle
    Hayır bir alakası yok. Hetzner'den yeni bulut sunucu almış ve 111 TCP/UDP portu açık olan herkese bu mail gönderiliyor. Portları kapatın ve maile yanıt verin "sorun çözüldü" vb. şeklinde sorun olmayacaktır.
    proxy cpanel 111 i kullanıyor olabilir mi ? birde Vds sunucuma 1553 tane hatalı giriş olmuş farklı isimler bazıları root olarak bunlar cpanel ters lisans diye normal bişeymi saldırımı var
  • 22-01-2025, 23:11:28
    #7
    cReens adlı üyeden alıntı: mesajı görüntüle
    proxy cpanel 111 i kullanıyor olabilir mi ? birde Vds sunucuma 1553 tane hatalı giriş olmuş farklı isimler bazıları root olarak bunlar cpanel ters lisans diye normal bişeymi saldırımı var
    Merhaba,

    Bu mesaj genel bir uyarı niteliğinde herkese iletilmektedir. Sizin veya sunucu içerisinde yaptığınız uygulamaların bağlantılı olduğu bir uyarı değil, hatta uyarı yerine bilgilendirme bile diyebileceğimiz cinsten bir maildir. Cevaplamadan silip geçebilirsiniz.
  • 22-01-2025, 23:33:16
    #8
    cReens adlı üyeden alıntı: mesajı görüntüle
    proxy cpanel 111 i kullanıyor olabilir mi ? birde Vds sunucuma 1553 tane hatalı giriş olmuş farklı isimler bazıları root olarak bunlar cpanel ters lisans diye normal bişeymi saldırımı var
    çinliler tarıyor hocam bütün sunucuları özellikle de hetzner
    müşteriye şifre değiştirmeyi gösterirken şifreyi 123456 yapmıştık ertesi gün sunucu hack yemiş 123456 olarak bıraktığı için

    sonra kontrol ettik baktık ki bütün sunucular aslında bu tür istekler alıyor devamlı olarak

    problem o değil ancak dediğiniz gibi 111 portunu kullanıyor olabilir kurdurduğunuz kişiye sormakta fayda var