
received take down request for test.mailu.io #27

Closed
muhlemmer opened this issue Sep 6, 2023 · 6 comments

Comments

muhlemmer (Member) commented Sep 6, 2023

Hi guys. You haven't heard from me in some years now, but unfortunately I have some bad and urgent news. I've received notice that the demo server has somehow become the victim of a botnet. I once donated this small VM to the community years ago and I am still renting it. Access was granted (and used) by a number of contributors in the ./ssh directory, but I haven't actively maintained the server in terms of updates.

I'm also not sure if the host is compromised or if the mail server is being used to send spam. The latter shouldn't be possible because I remember we were sure to break the outgoing network capabilities of the smtp container. But then again, I don't know what changed over the years.

Abuse mail
Dear Mr Tim Mohlmann,

We have received an abuse report from [remediation-team@spamhaus.org](mailto:remediation-team@spamhaus.org).

We are automatically forwarding this complaint on to you, for your information. You do not need to respond, but we do expect you to check the report and to resolve any (potential) issues.

Information:

-----
Good morning/afternoon

Recently, Qakbot botnet infrastructure was taken down[1]. Spamhaus is
working with various law enforcement agencies to help remediate
compromised email accounts[2]. We are contacting you because we believe
that Qakbot may have compromised email accounts located on
hetzner.com's network.

What action do you need to take?

- A list of email accounts that we think are affected on
hetzner.com's network is available below.
- The only action required is to change the passwords for all the affected
accounts.
- This is urgent - please do this as quickly as possible. These breached
accounts may have been shared with other criminals for use with
different active botnets for malicious purposes.

See also:
https://www.spamhaus.org/qakbot/


How has this data been compiled?

- The law enforcement agencies have made available the compromised email
account/addresses to Spamhaus.
- Using this data, we have obtained the primary MX record for the
compromised account's domain and the network responsible for the MX's
IP. We hope this network can directly or indirectly assist in these
remediation efforts.


Thank you for your time and willingness to help!


[1] https://www.fbi.gov/news/stories/fbi-partners-dismantle-qakbot-infrastructure-in-multinational-cyber-takedown
[2] https://www.spamhaus.org/news/article/819/qakbot-the-takedown-and-the-remediation


ip, hostname, email

78.47.92.244,test.mailu.io,[admin@test.mailu.io](mailto:admin@test.mailu.io)

-----

Please note again that this is a notification only, you do not need to respond.

Kind regards

Abuse Team

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen / Germany
Tel: +49 9831 505-0
Fax: +49 9831 505-3
[abuse@hetzner.com](mailto:abuse@hetzner.com)
www.hetzner.com

Register Court: Registergericht Ansbach, HRB 6089
CEO: Martin Hetzner, Stephan Konvickova, Günther Müller

For the purposes of this communication, we may save some
of your personal data. For information on our data privacy
policy, please see: www.hetzner.com/datenschutzhinweis

As an immediate action, I have run docker-compose down on the demo server in /opt/infra/demo and disabled all cron jobs in /etc/crontab to prevent it from coming up again.

If there is someone around that can investigate further and post back here that would be great.

ghostwheel42 (Contributor) commented:

Hi, thanks for sharing this.
The notification is about the password of admin@test.mailu.io being part of a list of addresses and passwords.
Nothing has been done with test.mailu.io - as you wrote, even with the correct password you can't do sending on this server.
The message can be safely ignored and the service can continue running.
If you want someone else to run the demo I think we can organize this via matrix or at the next meeting.
Alex

Diman0 (Member) commented Sep 7, 2023

To be safe, I suggest we follow the recommended solution and change the password of the email account.
Even though no email can be sent, we will at least have followed the recommendation.

muhlemmer (Member, Author) commented:

Thanks for the quick answers!

> If you want someone else to run the demo

That won't be directly necessary. It's just that Hetzner tends to become difficult to deal with if their security warnings go unhandled. I guess you will have the same issue sooner or later if you move the server elsewhere.

> The notification is about the password of admin@test.mailu.io being part of a list of addresses and passwords.

That makes sense, yes.

> as you wrote, even with the correct password you can't do sending on this server.

I would just like to double-check that once we put the demo services up again.

> To be safe, I suggest we follow the recommended solution and change the password of the email account.

Yes, we should do that. Perhaps making it less machine-parsable would help so that bots don't pick up on it. Perhaps an old-school inline image or a small riddle like "the second word of the Mailu slogan (see logo)".


On a side note, and mentioned in the above issue, I never did maintenance on the server in the last years. Probably it's better to just reinstall the VM with the latest ubuntu and Docker and bring services up again. Everything needed for that is already contained in this repo anyway. Shouldn't take me more than 20 minutes. I can probably do that over the weekend.
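The comment above wants to double-check that the smtp container really has no outbound network path. This is an added example, not code from the Mailu/infra repository: it walks a parsed compose definition and flags any service that still sits on a non-internal network. The compose fragment is constructed and the service and network names are hypothetical.

```python
"""Audit parsed docker-compose service definitions for outbound network egress.

Added example (not part of Mailu/infra). Compose semantics used here:
a service with no `networks` key joins `default`; a network declared
`internal: true` has no route off the host; `network_mode: none`
gives the container no network at all.
"""

# Constructed fragment standing in for a parsed docker-compose.yml.
# Service and network names are hypothetical, not the real demo config.
COMPOSE = {
    "services": {
        "front": {"image": "mailu/nginx", "networks": ["default"]},
        "smtp": {"image": "mailu/postfix", "networks": ["isolated"]},
        "imap": {"image": "mailu/dovecot"},                # implicit default
        "antispam": {"image": "mailu/rspamd", "network_mode": "none"},
    },
    "networks": {
        "default": {},                    # plain bridge, can reach outside
        "isolated": {"internal": True},   # internal: no route off the host
    },
}


def service_networks(service):
    """Networks a service joins; absent `networks` key means `default`."""
    nets = service.get("networks", ["default"])
    if isinstance(nets, dict):  # long form: {name: {aliases: [...]}}
        nets = list(nets)
    return nets


def has_egress(name, compose):
    """True if the service can reach beyond the host."""
    svc = compose["services"][name]
    mode = svc.get("network_mode")
    if mode == "none":
        return False
    if mode is not None:  # host, bridge, service:<x> all imply egress
        return True
    declared = compose.get("networks", {})
    # An undeclared network is an implicit bridge, hence not internal.
    return any(not (declared.get(n) or {}).get("internal", False)
               for n in service_networks(svc))


def egress_report(compose):
    """Map every service name to whether it has outbound egress."""
    return {n: has_egress(n, compose) for n in compose["services"]}
```

This only inspects the compose topology; host-level firewall rules that also restrict the container are outside what it can see.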

muhlemmer (Member, Author) commented:

I will also try to see if I can still access my matrix account somewhere tonight or tomorrow. Makes discussing easier I guess.

Diman0 (Member) commented Sep 7, 2023

Instead of putting up a new VM we can also do a distro upgrade. It should be a matter of running do-release-upgrade.

Diman0 (Member) commented Sep 27, 2023

VM has been upgraded to Ubuntu 22.04 and a pull request is available to change the password.

@Diman0 Diman0 closed this as completed Sep 27, 2023
bors bot added a commit to Mailu/Mailu that referenced this issue Sep 27, 2023
2953: Update admin password for demo server r=mergify[bot] a=Diman0

## What type of PR?

misc

## What does this PR do?
Password needed to be updated for the admin Mailu account of the demo server. This has happened. This PR updates the documentation.

### Related issue(s)
- [#27](Mailu/infra#27)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [n/a] In case of feature or enhancement: documentation updated accordingly
- [n/a] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Dimitri Huisman <diman@huisman.xyz>