Hetzner server is network scanning. have I been hacked? | PlexGuide.com

Hetzner server is network scanning. have I been hacked?


Quessel

Citizen
Original poster
Mar 1, 2018
7
2
I have over the last couple of days received warnings from Hetzner, and they have finally closed my server down for network abuse.

I have recently seen this when DLNA or CDA in Plex was turned on, but it is not the case this time.

I'm worried that my server was hacked. I'm not using Traefik, and some ports have been open to allow Plex to work. However, my password is pretty strong.

Message from Hetzner:

time protocol src_ip src_port dest_ip dest_port
---------------------------------------------------------------------------
Sat Apr 27 16:21:34 2019 TCP x.x.x.x 57661 => x.x.x.x 8181
Sat Apr 27 16:21:34 2019 TCP x.x.x.x 64812 => x.x.x.x 8181
Sat Apr 27 16:21:34 2019 TCP x.x.x.x 58284 => x.x.x.x 8181
Sat Apr 27 16:21:34 2019 TCP x.x.x.x 61804 => x.x.x.x 8181

Other day

> time protocol src_ip src_port dest_ip dest_port
> ---------------------------------------------------------------------------
> Fri Apr 26 20:16:01 2019 TCP x.x.x.x 36031 => x.x.x.x 8083
> Fri Apr 26 20:16:01 2019 TCP x.x.x.x 49560 => x.x.x.x 8083
> Fri Apr 26 20:16:01 2019 TCP x.x.x.x 49082 => x.x.x.x 8083
> Fri Apr 26 20:16:01 2019 TCP x.x.x.x 46109 => x.x.x.x 8083

I did not see what exactly happened, but I checked the CPU and saw that something was writing to a result.csv file. However, when I checked the server there was no result.csv file. The process was run by a "nobody" user.

Have I been hacked, or is something creating stupid network requests? My Linux skills are very limited, and I want to make sure before I request for the server to be opened again.

Thank you in advance
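
A triage check for the symptom described in the post above (a process owned by "nobody" writing a result.csv that is no longer on disk), added here as an example and not part of the original thread. On Linux an unlinked file stays open until its writer exits, and /proc/<pid>/fd shows it with a " (deleted)" suffix; the function name and the proc_root parameter are illustrative assumptions.

```python
import os
import pwd


def find_deleted_open_files(uid=None, proc_root="/proc"):
    """Return [(pid, command, fd, path)] for open files that were unlinked.

    uid: only report processes whose real UID matches (None = all users).
    proc_root: location of procfs (hypothetical parameter, so the scan can
    also be pointed at a copied or constructed tree).
    """
    hits = []
    for pid in sorted(filter(str.isdigit, os.listdir(proc_root)), key=int):
        pdir = os.path.join(proc_root, pid)
        try:
            fields = {}
            with open(os.path.join(pdir, "status")) as fh:
                for line in fh:
                    key, _, value = line.partition(":")
                    fields[key] = value.strip()
            # The Uid line lists real, effective, saved and filesystem UIDs.
            real_uid = int(fields["Uid"].split()[0])
            if uid is not None and real_uid != uid:
                continue
            fd_dir = os.path.join(pdir, "fd")
            for fd in sorted(os.listdir(fd_dir), key=int):
                target = os.readlink(os.path.join(fd_dir, fd))
                # The kernel appends " (deleted)" once the last name is unlinked.
                if target.endswith(" (deleted)"):
                    hits.append((int(pid), fields.get("Name", "?"), int(fd),
                                 target[: -len(" (deleted)")]))
        except (OSError, KeyError, ValueError, IndexError):
            continue  # process exited mid-scan, or we lack permission to read it
    return hits


if __name__ == "__main__":
    nobody = pwd.getpwnam("nobody").pw_uid
    for pid, name, fd, path in find_deleted_open_files(uid=nobody):
        print(f"pid={pid} comm={name} fd={fd} unlinked={path}")
        # While the process lives, the data is still readable through procfs.
        print(f"  contents still readable at /proc/{pid}/fd/{fd}")
```

Run it as root so that other users' fd directories are readable. Some legitimate processes also hold deleted files (rotated logs, memfd and shared-memory objects), so a hit is a lead to investigate, not proof of compromise.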
 
M

MrDoob

Guest
So first >>

Port 8181 >>
Tautulli

Port 8083 we don't use ^^

Next >

Do you use PGShield?
Why don't you use Traefik?
Do you close the ports?
SSH keys?

So you have made more than one mistake.
 
M

MrDoob

Guest
DLNA is for Plex Remote not configured.
We remove the DLNA port from the Plex.yml.
So that's not the problem.

Please give more info about the server.

Dedicated or Cloud?

I use Hetzner also, and I push and stream so much over this server.
And Hetzner doesn't scan servers.
 

Quessel

Citizen
Original poster
Mar 1, 2018
7
2
I am using SSH keys,
Ports are closed using Hetzner firewall, only 32400 and 22 are open. 22 only from my IP.
Traefik, I would love to use, but it seems very complicated to a non-Linux admin.
PGShield is not installed.
 
M

MrDoob

Guest
The Hetzner firewall is pretty bullshit.

Don't touch this. Never make any changes on this part.

You create your own abuse.
 

Quessel

Citizen
Original poster
Mar 1, 2018
7
2
I don't understand. I create my own abuse? The external IPs I'm connecting to are external. Should have been xxxx - yyyy
 
M

MrDoob

Guest
If you change or edit the firewall from Hetzner,

all closed, so nothing can speak out and nothing in.

Close the door and leave the window open, the same.

You kill your own server yourself. You are not hacked.

Next step!!!

Reopen the server!!
Remove the OS.
Make a clean new install!!
Delete all changes on the Hetzner firewall (and don't touch it later!!)
Use Traefik!
Close the ports over PG only!
Use PGShield!!

And now you can run as long as you want!!
 

Xployt

Administrator
Project Manager
Donor
Donor
Sep 26, 2018
215
91
> I am using SSH keys,
> Ports are closed using Hetzner firewall, only 32400 and 22 are open. 22 only from my IP.
> Traefik, I would love to use, but it seems very complicated to a non-Linux admin.
> PGShield is not installed.

Traefik has been implemented very well with PGBlitz. I am currently with CloudFlare and the setup is really easy; even if you get stuck, the community is always willing to help.
There's also a great walkthrough here if you decide to go with them:
 

Quessel

Citizen
Original poster
Mar 1, 2018
7
2
Thank you. I think you are right, a new installation is in place.
 

Admin9705

Administrator
Project Manager
Donor
Jan 17, 2018
5,156
2,117
Good luck!
 

Quessel

Citizen
Original poster
Mar 1, 2018
7
2
I have now been able to deploy Traefik. But every time afterwards I lose root rights.

I can still log in with my created user, but the root password no longer works.

All sudo commands return:

**** is not in the sudoers file. This incident will be reported

This has happened three times. Complete reinstallations of Ubuntu 18.04 minimal with all updates.

I saw something strange: I lose connection after 5 minutes of inactivity. This did not happen before, but might be something from an update.

(Password was changed just in case I was hacked.)
 
M

MrDoob

Guest
So first.
Little bit stupid.

So you are not hacked!!

1.) Open terminal (PuTTY: log in as your user)
2.) Type " su "
3.) Paste the root pw!!

4.) Paste each command!! Don't edit anything!!

4.1.) sudo usermod -aG sudo "$(getent passwd 1000 | cut -d: -f1)"

4.2.) sudo usermod -s /bin/bash "$(getent passwd 1000 | cut -d: -f1)"

5.) Open a new terminal with your username (don't close the first one)

6.) sudo apt-get update

7.) Now you must type your ^^ user pw ^^

8.) Well done, all is good!!

9.) Close the first one now.
 
Last edited by a moderator:

Quessel

Citizen
Original poster
Mar 1, 2018
7
2
Thank you, the guide worked.

How big of a deal is PGShield? I have problems since I use two domains, one for Gdrive and another for Traefik. This causes some problems with the Google API, since it specifies that it can take weeks to get additional records approved.

I only use the server for Plex. No torrenting or newsbin, I have a separate seedbox for that. As far as I can see, Plex is not validated through PGShield.
 
M

MrDoob

Guest
Please read this here

 
