Playray

Dear Sir or Madam,

We have received spam/abuse notification. Please take the necessary
steps to prevent this from happening again in future.

Furthermore, we would request that you provide both ourselves and the
person who has submitted this complaint with a short statement within
24 hours. This statement should include details of the events leading
up to the incident and the steps you are taking to deal with it.

Next steps:
- Solve the problem
- Send your statement to us: Please use the following link for this: http://abuse.hetzner.de/statements/?token=1502ef094a939bad254ae2421f87279f47
- Send your statement to the person making the complaint per email

The details will then be checked by a colleague, who will coordinate
further proceedings. In the event of several complaints, this may
lead to the server being locked.

Important information:
When replying to us, please leave the Abuse ID [AbuseID:0A72F1:26] in
the subject line unchanged.


Kind regards,

Sandra Betz

Hetzner Online AG
Stuttgarter Straße 1
91710 Gunzenhausen
Tel: + 49 (0)9831 610061
Fax: + 49 (0)9831 61006-2
abuse@hetzner.de
www.hetzner.com

Register Court: Registergericht Ansbach, HRB 3204
Management Board: Dipl. Ing. (FH) Martin Hetzner
Chairwoman of the Supervisory Board: Diana Rothhan


----- BKA Letter -----


Dear Sir or Madam,

With the warnings listed in the subject line above, you have been
informed by the BSI (German Federal Office for Information Security)
that one (or possibly more) of the servers hosted by you has/have been
part of a massive compromise.

The technical details, guidelines for determining and eliminating the
suspected malware can be found in the original warning alerts from the
BSI.

With this letter, the BKA (German Federal Criminal Police Office) would
like to inform you that you or, if applicable, the client of the
affected server, is/are a victim of criminal activity given the current
situation in accordance with German Criminal Code Section 202a (Data
espionage) and Section 303a (Data tampering).

In relation to this issue, the BKA has, under the direction of the
Attorney General in Frankfurt am Main, Zentralstelle zur Bekämpfung der
Internet-Kriminalität (ZIT) (Central Office for Combating Cyber Crime),
reference UJS 60 50019/13 ZIT, initiated proceedings against Unknown.
If, in this context, you or your client have in fact become victims of
Data espionage (Section 202a of the German Criminal Code) and Data
tampering (Section 303a of the German Criminal Code) then it is
recommended that you lodge a criminal complaint.

To avoid unnecessary work, the criminal complaint can be filled in on
the attached form and sent directly to the BKA. PLEASE be SURE to enter
the IP ADDRESS assigned to the server that has been affected!!!

In the event that the affected server is not managed by you, but by a
client (eg. a dedicated root server), you are asked to forward this
information as well as the warning alert from the BSI to the affected
client.

In all other cases, completing and submitting the criminal complaint to
the BKA is your own responsibility.

Yours faithfully

This letter was issued and sent electronically. It is therefore valid
without a handwritten signature.


----- Criminal Complaint Form -----


ADDRESS: BKA, Thaerstraße 11, 65193 Wiesbaden, Germany
REMITTEE: Bundeskasse Trier
BANK ACCOUNT: Deutsche Bundesbank
Filiale Saarbrücken (BBk Saarbrücken)
BIC MARKDEF1590
IBAN DE81 5900 0000 0059 0010 20

To the
German Federal Criminal Police Office (Bundeskriminalamt)
SO41
65173 Wiesbaden
Criminal Complaint (reference SO E 015/2013)

I am lodging a criminal complaint for all legal reasons.

.......................................
(Place, Date, Signature)

Last Name, First Name, Date of Birth (in block letters)

.......................................

I am authorized to make this decision for the following company

Name of the company that runs the server (for persons who act on their
own account, please enter the postal home address)

.....................................

If applicable: Name of the company (provider) from which the server is
rented

.....................................

Information pertaining to the case

Which server is affected (specify the IP address(es))

.....................................

Which malware has been found on the server (name the file and the
location, description of conspicuous behaviour, e.g. the sending of data
packets over UDP port 53)

........................................................................

To ensure the case is successfully resolved, the above information is
required. Please complete the criminal complaint, personally sign it and
return it to the address mentioned above.


----- BSI Warning Email -----


Dear Sir or Madam

The BSI (German Federal Office for Information Security) has information
that it is very probable that the following servers have been part of a
massive compromise. The SSH rootkit used in the compromise spies out
access data (including SSH keys) and sends spam. However, it is possible
that the servers which have been affected could be abused for further
purposes.

The servers affected are:

85.10.21x.xxx

Attack vector:

The vector of attack is not yet known. At present, the outflow of access
data (user name/passord and SSH key) from administrative workstations is
presumed. However, a compromise via a 0-day in the server software
deployed cannot be ruled out. Rumour has it that it could be to do with
the exploitation of a vulnerability in Exim, through which attackers
acquire user rights in order to then exploit a local privilege escalation
vulnerability in SSH to attain administrative access. Moreover, a
connection with a cPanel support server compromise is suspected and that
clients could be affected who have had cPanel support work performed for
them from this server.

Symptoms:

Up to now, the compromise shows the following files

libkeyutils.so.1.9 oder libkeyutils-1.2.so.2

available in the directories

/lib64/ oder /lib/ [1].

Analysis of the rootkit showed that it tries to connect to random
generated domains with 11 and 15 letters or numbers and the TLDs .biz,
.info and .net.

Furthermore, the rootkit uses "shared memory" [2] for internal
communication. Should entries appear for the results of the following
command, which are assigned to the user SSHD, then a compromise is very
likely.

ipcs -mp

Systems with RPM package administration can ascertain whether or not
they are affected by performing package analysis using the following
command:

rpm -Vv keyutils-libs

If at the start of the output a line appears with letters or numbers
instead of "........" (s.[2]), a manipulated library is being used by
the system. Package analysis can be performed on Debian systems by using
the following command:

debsums libkeyutils1

An "OK" should appear next to all library names on systems which have
not been manipulated.

We would therefore kindly request that you examine the situation and
take appropriate measures, where necessary.

Your feedback on this matter would be very much appreciated, especially
if, in the course of evaluating logfiles, you should acquire knowledge
of which vulnerability the attacker has exploited.

DanSol:
Playray, 1and1.com/linux-web-hosting