Hacking into Mysql and data encryption

MichalK73

Well-Known Member
Licensed User
Longtime User
Hello.

My server was hacked into Mysql tonight. The databases have been downloaded and information has been left as the new database "PLEASE_READ_ME_XMG" in it, the table "WARNING" and entry one:
"To recover your lost Database and avoid leaking it: Send us 0.06 Bitcoin (BTC) to our Bitcoin address xxxxYhxUDxmxxxxxxxxxxxxxxxx and contact us by Email with your Server IP or Domain name and a Proof of Payment. If you are unsure if we have your data , contact us and we will send you a proof. Your Database is downloaded and backed up on our servers. Backups that we have right now: xxxxx, classicmodels, xxxxxx. If we dont receive your payment in the next 10 Days, we will make your database public or use them otherwise. "

email address "contact@sqldb.to"
Fortunately, this is my test server where I test working applications and there was no data important for me. Trash in general.
In addition, I noticed the creation of a new Mysql user "mysqlbackups" with permissions "Select table data | Insert table data | Update table data | Delete table data | Create tables | Drop tables | Reload grants | Shutdown database | Manage processes | File operations | Reference operations | Manage indexes | Alter tables | Show databases | Superuser | Create temp tables | Lock tables | Execute | Slave replication | Client replication | Create View | Show View | Create Routine | Alter Routine | Create User | Create Event | Create Trigger | Create Tablespace "

After the logs, the hack came from the RU.

Well, I forgot to change the default port for Mysql and disable all database users who have external access instead of letting them through the SSH tunnel.

Have you had such cases at home?
What do you think about all this?
 

Sandman

Expert
Licensed User
Longtime User
MichalK73 said:
What do you think about all this?
Click to expand...
Not much to think about it, really. You messed up, and now there's pain.

In my opinion, this is what you should do:
  1. Notify the authorities about the data breach in accordance with GDPR. I don't know what the correct authority is in Poland, but I assume that Google will be able to help you find them.
  2. Depending on what kind of data you had on the database you might be required to inform your users about the hack.
  3. Assume that the database server, and all other servers on the LAN, is compromised. Take them all offline and turn them off, and do fresh installs one by one (so that nobody on the LAN can do something with automatically with the freshly installed server) before turning the next one on. Do not make them available on the internet yet.
  4. Restore the database using your database backup.
  5. Restore rest of the servers using their backups.
  6. Inspect the database to see if there's any stored procedures or anything that could be planted to grant access again.
  7. Ensure you have enforced good security policies regarding keys, ports, passwords etc.
  8. Make the servers available on the net again.
  9. At this point you might be safe, it's not really possible to say for sure though. Depending on your setup and situation, you might have restored a backdoor in one of the backups. You will need to apply a lot of attention to your servers for a while before trusting them.
There's a lot of information online about all this, here's just one page I found for you: https://www.gdprdecoded.com/gdpr-guide/gdpr-data-breaches

Oh, it's barely worth mentioning, but actually paying the hackers will not help you in any way. You should assume they will return shortly for another ransom situation.
 

MichalK73

Well-Known Member
Licensed User
Longtime User
As I wrote, it was only my test server with no important, sensitive data etc.
So there is no need for any action, I will not pay anything. There are application test garbage.

I wonder more how they got into the database. I do not see a violation of the entire Linux VPS system. As a service is only Apache without PHP. I don't have any FTP, php-admin only SSH, after which I connect to SFTP. Only 3 ABMaterial test servers work there that connect to mariadb. It seems to me that I made a mistake in art somewhere at the interface between the internet and the database. Users outside are after password authorization and I managed to set up an additional user in mariadb.

Any suggestions on how to avoid this again?
 

MichalK73

Well-Known Member
Licensed User
Longtime User
Rather not possible sql injection.
I don't send any sql queries, everything goes through DBMUtils on the ABMaterial server. So all queries are done on the server side.

Now I've additionally created mariadb users who can connect locally from the server. There aren't any who can connect remotely. I changed that the connection from outside passes through the SSH tunnel which works on a different port than the standard one.
 

Brandsum

Well-Known Member
Licensed User
Check if your MySQL server is running in safe mode or not. It happened to me too few weeks ago. Got the same bitcoin message. In my case it was a live site.
 

Brandsum

Well-Known Member
Licensed User
Via SQL query one can also create a php file in your public folder and access your files via that. So its better not to use a database remotely unless and until its a server to server connection. If its a server to client connection I always prefer to use an API instead of a remote connection. I use the Laravel Framework to build my own API / web service for my apps. Its easy and secure (even in a shared server).
 

MichalK73

Well-Known Member
Licensed User
Longtime User
I don't even have php, let alone phpadmin. I didn't have a server in safe mode. I only have ABMaterial servers.
Did you also have an additional mysql user with all permissions?
 
You must log in or register to reply here.
Menu
Log in
Register
Cookies are required to use this site. You must accept them to continue using the site. Learn more…