Hacking into Mysql and data encryption

[MichalK73]

Hello.

My server was hacked into Mysql tonight. The databases have been downloaded and information has been left as the new database "PLEASE_READ_ME_XMG" in it, the table "WARNING" and entry one:
"To recover your lost Database and avoid leaking it: Send us 0.06 Bitcoin (BTC) to our Bitcoin address xxxxYhxUDxmxxxxxxxxxxxxxxxx and contact us by Email with your Server IP or Domain name and a Proof of Payment. If you are unsure if we have your data , contact us and we will send you a proof. Your Database is downloaded and backed up on our servers. Backups that we have right now: xxxxx, classicmodels, xxxxxx. If we dont receive your payment in the next 10 Days, we will make your database public or use them otherwise. "

email address "[email protected]"
Fortunately, this is my test server where I test working applications and there was no data important for me. Trash in general.
In addition, I noticed the creation of a new Mysql user "mysqlbackups" with permissions "Select table data | Insert table data | Update table data | Delete table data | Create tables | Drop tables | Reload grants | Shutdown database | Manage processes | File operations | Reference operations | Manage indexes | Alter tables | Show databases | Superuser | Create temp tables | Lock tables | Execute | Slave replication | Client replication | Create View | Show View | Create Routine | Alter Routine | Create User | Create Event | Create Trigger | Create Tablespace "

After the logs, the hack came from the RU.

Well, I forgot to change the default port for Mysql and disable all database users who have external access instead of letting them through the SSH tunnel.

Have you had such cases at home?
What do you think about all this?

 

[Sandman]

What do you think about all this?

Not much to think about it, really. You messed up, and now there's pain.

In my opinion, this is what you should do:

1. Notify the authorities about the data breach in accordance with GDPR. I don't know what the correct authority is in Poland, but I assume that Google will be able to help you find them.
2. Depending on what kind of data you had on the database you might be required to inform your users about the hack.
3. Assume that the database server, and all other servers on the LAN, is compromised. Take them all offline and turn them off, and do fresh installs one by one (so that nobody on the LAN can do something with automatically with the freshly installed server) before turning the next one on. Do not make them available on the internet yet.
4. Restore the database using your database backup.
5. Restore rest of the servers using their backups.
6. Inspect the database to see if there's any stored procedures or anything that could be planted to grant access again.
7. Ensure you have enforced good security policies regarding keys, ports, passwords etc.
8. Make the servers available on the net again.
9. At this point you might be safe, it's not really possible to say for sure though. Depending on your setup and situation, you might have restored a backdoor in one of the backups. You will need to apply a lot of attention to your servers for a while before trusting them.

There's a lot of information online about all this, here's just one page I found for you: https://www.gdprdecoded.com/gdpr-guide/gdpr-data-breaches

Oh, it's barely worth mentioning, but actually paying the hackers will not help you in any way. You should assume they will return shortly for another ransom situation.

 

[MichalK73]

As I wrote, it was only my test server with no important, sensitive data etc.
So there is no need for any action, I will not pay anything. There are application test garbage.

I wonder more how they got into the database. I do not see a violation of the entire Linux VPS system. As a service is only Apache without PHP. I don't have any FTP, php-admin only SSH, after which I connect to SFTP. Only 3 ABMaterial test servers work there that connect to mariadb. It seems to me that I made a mistake in art somewhere at the interface between the internet and the database. Users outside are after password authorization and I managed to set up an additional user in mariadb.

Any suggestions on how to avoid this again?

 

[Alexander Stolte]

Any suggestions on how to avoid this again?

Use a better password? ?

 

[MichalK73]

Simple it wasn't a password ?

 

[sorex]

I wonder more how they got into the database. I do not see a violation of the entire Linux VPS system.

sql injection?

are you sending over full queries?

 

[MichalK73]

Rather not possible sql injection.
I don't send any sql queries, everything goes through DBMUtils on the ABMaterial server. So all queries are done on the server side.

Now I've additionally created mariadb users who can connect locally from the server. There aren't any who can connect remotely. I changed that the connection from outside passes through the SSH tunnel which works on a different port than the standard one.

 

[Brandsum]

Check if your MySQL server is running in safe mode or not. It happened to me too few weeks ago. Got the same bitcoin message. In my case it was a live site.

 

[Brandsum]

And always use SSH key authentication instead of password.

 

[Alexander Stolte]

MySQL server is running in safe mode or not.

is this by default on by MySQL?

 

[LucaMs]

is this by default on by MySQL?

By default... nothing is safe, on Internet ?

 

[Alexander Stolte]

By default.

is this the answer or not? ?

 

[LucaMs]

is this the answer or not? ?

Surely not; I don't know, but I suppose you're right, it should be set by default.

 

[Alexander Stolte]

I also think I just remembered that in the past I had to turn it off to do a specific query.
I'm using PostgreSQL for now.

 

[Brandsum]

is this by default on by MySQL?

No. To change the root password (if you forgot the old one) you have to run the server in safe mode. So after changing the password, you have to restart the server in normal mode.

Though it might not be the only reason.

 

[Brandsum]

Via SQL query one can also create a php file in your public folder and access your files via that. So its better not to use a database remotely unless and until its a server to server connection. If its a server to client connection I always prefer to use an API instead of a remote connection. I use the Laravel Framework to build my own API / web service for my apps. Its easy and secure (even in a shared server).

 

[MichalK73]

It happened to me too few weeks ago

Did you find the cause that caused you the same hack?

Got the same bitcoin message. In my case it was a live site.

How did it end with you? I read the mention in the network that they don't really have a copy of the data but they do "Drop Database" right away.

 

[MichalK73]

I'm using PostgreSQL for now.

Right now I'm considering switching to PostgreSQL. I used to sit in it, but it was over 10 years ago.

 

[Brandsum]

Did you find the cause that caused you the same hack?

In my case it was hacked from phpmyadmin. In safe mode, you can login without any password.

 

[MichalK73]

I don't even have php, let alone phpadmin. I didn't have a server in safe mode. I only have ABMaterial servers.
Did you also have an additional mysql user with all permissions?