Got Hacked | MySQL Database being held for ransom, any mitigation ?

LisoLiso Member
edited August 4 in General

Just today, I found this when I checked our office database, apparently we got hacked.

mysql> select * from README\G
*************************** 1. row ***************************
         id: 1
     readme: To recover your lost Database send 0.017 Bitcoin (BTC) to our Bitcoin address: ******************  After this, contact us by email with your Server IP or Domain Name and a Proof of Payment (Payment ID). Your Database is downloaded and backed up on our servers. Backups that we have right now: (my db list). Any email without your server IP Address or Domain Name and a Proof of Payment together will be ignored. If we dont receive your payment in the next 10 Days, we will delete or leak your sensitive information.
BTC_address: ************************************
      email: db*****0*@***mail.com
1 row in set (0.00 sec)

Luckily I have set up a db backup system, and I can easily restore to a known good state. Our webapp on /var/www seems unaffected, though, but I'd be a fool to trust this machine now.


Is there any mitigation to lessen the risk of this happening? This is my first time getting MySQL hacked. I suspect the hacker got access from some kind of remote exploit using PHP; I've checked the ssh log and found nothing unusual. The server has fail2ban set up and it is working properly.

Thanked by 1: Logano

Comments

  • @Liso said: hacker got access from some kind remote exploit using php, I've check ssh log and found nothing unusual

    do you have selinux installed and enabled?

    Thanked by 1: Logano
  • jarjar Member, Patron Provider
    edited August 4

    No one ever really exploits the PHP interpreter but PHP code itself. Your access logs may give some insight into what started the event. The best way to react is to find and fix the code.

    I always start with a grep for POST requests and start looking there. Bonus points if you can isolate a time frame.
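
    The triage jar describes (isolate a time window, pull the POST requests, see which endpoints and clients stand out) as a small script; this is an added example, not code from the thread. The log lines are constructed in the Apache/nginx "combined" format and the addresses, paths and times are made up; the allowlist of expected form handlers passed to unexpected_post_targets is an assumption you would replace with your own app's endpoints.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the Apache/nginx "combined" log format. The client
# addresses, paths and timestamps are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Aug/2021:02:11:03 +0000] "GET /index.php?id=3 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Aug/2021:02:11:09 +0000] "POST /login.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [04/Aug/2021:02:14:41 +0000] "POST /upload.php HTTP/1.1" 200 233 "-" "python-requests/2.25"
198.51.100.23 - - [04/Aug/2021:02:14:42 +0000] "GET /uploads/x.php HTTP/1.1" 200 41 "-" "python-requests/2.25"
198.51.100.23 - - [04/Aug/2021:02:14:50 +0000] "POST /uploads/x.php HTTP/1.1" 200 1902 "-" "python-requests/2.25"
192.0.2.55 - - [04/Aug/2021:03:30:00 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["path"] = e["path"].split("?", 1)[0]  # drop the query string, keep the script path
    e["status"] = int(e["status"])
    return e


def post_requests(log_text, start=None, end=None):
    """Return parsed POST requests, optionally limited to an ISO-8601 window (with UTC offset)."""
    lo = datetime.fromisoformat(start) if start else None
    hi = datetime.fromisoformat(end) if end else None
    out = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e["method"] != "POST":
            continue
        if lo is not None and e["ts"] < lo:
            continue
        if hi is not None and e["ts"] > hi:
            continue
        out.append(e)
    return out


def unexpected_post_targets(entries, expected_paths):
    """Paths that received a POST but are not among the form handlers you know your app has."""
    return sorted({e["path"] for e in entries if e["path"] not in expected_paths})


def posts_by_source(entries):
    """Count POSTs per (client IP, path) so the noisiest sources stand out."""
    return Counter((e["ip"], e["path"]) for e in entries)


def requests_from(log_text, ip):
    """Full request timeline for one client, once a suspicious IP has been isolated."""
    return [(e["ts"].isoformat(), e["method"], e["path"], e["status"])
            for e in map(parse_line, log_text.splitlines()) if e and e["ip"] == ip]


def scripts_served_from(log_text, upload_prefix="/uploads/"):
    """Server-side scripts executed under a directory that should only hold static uploads."""
    hits = set()
    for e in map(parse_line, log_text.splitlines()):
        if e and e["path"].startswith(upload_prefix) and e["path"].endswith(".php") and e["status"] == 200:
            hits.add(e["path"])
    return sorted(hits)


if __name__ == "__main__":
    window = post_requests(SAMPLE_LOG, "2021-08-04T02:00:00+00:00", "2021-08-04T03:00:00+00:00")
    print("POSTs in window:", len(window))
    print("unexpected POST targets:", unexpected_post_targets(window, {"/login.php", "/contact.php"}))
    print("by source:", posts_by_source(window).most_common(3))
    print("scripts under upload dir:", scripts_served_from(SAMPLE_LOG))
    for row in requests_from(SAMPLE_LOG, "198.51.100.23"):
        print(row)
```

    On the constructed sample the window narrows six lines to three POSTs, the allowlist leaves /upload.php and /uploads/x.php as the endpoints to read first, and the timeline for the one client that hit them shows a script being fetched and then POSTed to from an upload directory, which is the kind of artifact to look for before trusting the box again.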

  • LisoLiso Member

    @shyaminayesh said:

    @Liso said: hacker got access from some kind remote exploit using php, I've check ssh log and found nothing unusual

    do you have selinux installed and enabled ?

    Nope, selinux is not installed.

    Thanked by 1: Logano
  • @Liso said: Nope, selinux is not installed.

    You can try installing selinux to prevent them from exploiting PHP and then going against other installed applications.

    I also recommend you install MySQL on a different server inside a totally isolated private network, exposing the MySQL port to the application server inside the private network. (This is how most of my setups are going right now.)

    Thanked by 1: Logano
  • @jar said: The best way to react is to find and fix the code.

    This is the best solution.

    Thanked by 4: jar, Hxxx, Logano, yoursunny
  • 1. Is your MySQL database somehow exposed to the internet directly with a weak password? Shodan is your friend.
    2. Look at your webserver logs to look for requests to vulnerable endpoints with SQL injection, file uploads or another vulnerability. Also look at a disk image of the server to find any artifacts such as webshells that they might have left.
    3. SELinux is overrated. Depending on what your app needs, use systemd hardening practices to prevent it from making unnecessary network calls and restrict filesystem access.
  • DonkeyDonkey Member

    Happened to me once, I used a copy-pasted password from a tutorial 🤣

    Thanked by 1: kkrajk
  • HxxxHxxx Member
    edited August 4

    Also another thing to consider is:
    Now that your DB is leaked in theory...
    Do you have userS credentials stored? Are they hashed properly? Is the hashing algo strong? Salted, etc... ?

    That should also be a priority. If userS (note the plural) info is involved, make sure to follow your local authorities procedures and obligations (if any) and inform those users. Users should be informed so that they can self analyze their risk.

    Thanked by 2: stevewatson301, jsg
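
    Hxxx's questions (are the stored credentials hashed, salted, with a strong algorithm?) turned into a check you can run over a dump of the users table, plus the hashing scheme to move to. This is an added example, not code from the thread; the rows are constructed (the md5 value is MD5 of the literal string "password", the bcrypt-shaped row is a placeholder), and the PBKDF2 parameters and storage format are this example's own choice rather than any particular framework's.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed rows from a hypothetical users table (username, stored password hash).
SAMPLE_ROWS = [
    ("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),       # bare MD5 of "password"
    ("bob", "$2b$12$" + "." * 53),                         # bcrypt-shaped placeholder, not a real hash
    ("carol", "pbkdf2_sha256$200000$c2FsdHNhbHRzYWx0c2FsdA==$" + "A" * 44),  # format produced below
]


def classify_hash(stored):
    """Guess the scheme from the stored value; a bare hex digest means no salt is stored with it."""
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "unsalted-md5"
    if re.fullmatch(r"[0-9a-f]{40}", stored):
        return "unsalted-sha1"
    if re.fullmatch(r"[0-9a-f]{64}", stored):
        return "unsalted-sha256"
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if stored.startswith("$argon2"):
        return "argon2"
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2"
    return "unknown"


# Fast, unsalted digests are the ones an attacker with the dump can crack cheaply.
WEAK = {"unsalted-md5", "unsalted-sha1", "unsalted-sha256", "unknown"}


def accounts_needing_reset(rows):
    """Usernames whose stored hash offers little protection now that the table has leaked."""
    return [user for user, h in rows if classify_hash(h) in WEAK]


ITERATIONS = 200_000  # example work factor; tune to your hardware


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns algo$iters$salt$digest (base64)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    for user, h in SAMPLE_ROWS:
        print(user, classify_hash(h))
    print("force a reset for:", accounts_needing_reset(SAMPLE_ROWS))
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored), verify_password("wrong", stored))
```

    The classification is only a heuristic (a 32-hex value might be MD5 over a salt kept in another column), but anything it flags should be treated as crackable and those users told to change passwords they reuse elsewhere, which is the notification point Hxxx makes.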
  • aliletalilet Member

    Can you connect to your MySQL remotely or have you disabled that feature?

  • DonkeyDonkey Member

    @alilet said:
    Can you connect to your MySQL remotely or have you disabled that feature?

    most likely site.com/pma/ or /phpmyadmin/

  • gzzgzz Member

    That is just an automated bot.

    Your mysql password was 100% root:root or something it could guess. From my experience those attacks just delete everything and then make a note hoping for people to send money.

  • LTnigerLTniger Member
    edited August 4

    The best thing in this case would be to identify the hole which needs to be plugged. For this, order a fully managed server from a reputable provider. A few recommendations:

    https://www.liquidweb.com/products/dedicated/
    https://www.rackspace.com/managed-hosting

    Another good solution would be to get specialized services as managed database (AWS, Google, MS).

    This will eliminate a huge hole with a mismanaged server and you can focus on potential problems on the software side. Of course, if you host code which does not generate at least a million per day, then do whatever...

  • LisoLiso Member

    @stevewatson301 said:
    1. Is your MySQL database somehow exposed to the internet directly with a weak password? Shodan is your friend.

    Yes, it used to listen on localhost only; the connection was performed through an ssh tunnel. But this setup prevented me from doing MySQL replication; now it is set to listen on all addresses.

  • _cece_cece Member
    edited August 4

    @Liso said:

    @stevewatson301 said:
    1. Is your MySQL database somehow exposed to the internet directly with a weak password? Shodan is your friend.

    Yes, it used to listen on localhost only; the connection was performed through an ssh tunnel. But this setup prevented me from doing MySQL replication; now it is set to listen on all addresses.

    The replication should be done over a trusted network only. A VPN or restricting to an internal network address only should be sufficient.

    Thanked by 1: Daniel15
  • @_cece said:

    @Liso said:

    @stevewatson301 said:
    1. Is your MySQL database somehow exposed to the internet directly with a weak password? Shodan is your friend.

    Yes, it used to listen on localhost only; the connection was performed through an ssh tunnel. But this setup prevented me from doing MySQL replication; now it is set to listen on all addresses.

    The replication should be done over a trusted network only. A VPN or restricting to an internal network address only should be sufficient.

    Also, all users should be locked down so they can only connect from the relevant IPs. Local users should only be allowed to connect from localhost. Replication users should only be allowed to connect from your private network or VPN.

    Make sure you are only binding to localhost and any private or VPN IPs. NOT all IPs!! IIRC MariaDB doesn't allow this (it can only have one bind IP set) but Oracle MySQL does.

    Thanked by 1: yoursunny
  • varwwwvarwww Member

    Did you forget to run sudo mysql_secure_installation after installing db server ?

  • aj_potcaj_potc Member
    edited August 4

    @Daniel15 said:

    @_cece said:

    @Liso said:

    @stevewatson301 said:
    1. Is your MySQL database somehow exposed to the internet directly with a weak password? Shodan is your friend.

    Yes, it used to listen on localhost only; the connection was performed through an ssh tunnel. But this setup prevented me from doing MySQL replication; now it is set to listen on all addresses.

    The replication should be done over a trusted network only. A VPN or restricting to an internal network address only should be sufficient.

    Also, all users should be locked down so they can only connect from the relevant IPs. Local users should only be allowed to connect from localhost. Replication users should only be allowed to connect from your private network or VPN.

    Make sure you are only binding to localhost and any private or VPN IPs. NOT all IPs!! IIRC MariaDB doesn't allow this (it can only have one bind IP set) but Oracle MySQL does.

    Alternatively, you can handle this through your system's firewall. Allow only the IP addresses of your application server(s) and replication slave(s) to connect to MySQL port 3306.

    This is not quite as selective as binding each MySQL user to specific IPs, but it limits the number of hosts that can even attempt to connect, and in that way prevents the MySQL process from having to deal with IPs that should never have access.

    Thanked by 1: yoursunny
  • aj_potcaj_potc Member

    @_cece said:

    @Liso said:

    @stevewatson301 said:
    1. Is your MySQL database somehow exposed to the internet directly with a weak password? Shodan is your friend.

    Yes, it used to listen on localhost only; the connection was performed through an ssh tunnel. But this setup prevented me from doing MySQL replication; now it is set to listen on all addresses.

    The replication should be done over a trusted network only. A VPN or restricting to an internal network address only should be sufficient.

    Another best practice is to ensure that replication (and, in fact, all connections to MySQL/MariaDB) is done using SSL encryption:

    https://dev.mysql.com/doc/refman/8.0/en/replication-solutions-encrypted-connections.html

    This would allow for safe replication over the public Internet.

  • edited August 4

    Also learn and set up MySQL user permissions while you're at it. The hacked script was able to modify the database structure and add a new table, which it shouldn't be able to do in 99% of cases.

    @varwww said: Did you forget to run sudo mysql_secure_installation after installing db server ?

    Newer MySQL versions (at least on Debian-based distros) by default are not using plain password authentication anymore. Even if you somehow expose the server to the world, nobody would be able to log in unless you explicitly change both the authentication mechanism and set the password to a weak one.
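
    The account-level advice in this thread (Daniel15: lock every user to the hosts it needs and bind only to localhost and private IPs; the post above: the app account should not be able to create tables; the later list: no anonymous users, no remote root) as an audit you can run over the output of a few admin queries. This is an added example, not code from the thread or from MySQL. The inputs are constructed: a tab-separated dump of `SELECT User, Host, plugin FROM mysql.user`, a few SHOW GRANTS lines and a my.cnf fragment, with made-up account names and RFC 1918 addresses; the default app_users tuple is a placeholder for your own application accounts.

```python
import re

# Constructed `SELECT User, Host, plugin FROM mysql.user` output (tab-separated, header first).
SAMPLE_USERS = """User\tHost\tplugin
root\tlocalhost\tauth_socket
\tlocalhost\tmysql_native_password
root\t%\tmysql_native_password
webapp\t%\tmysql_native_password
app\t10.0.0.5\tcaching_sha2_password
repl\t10.0.0.%\tcaching_sha2_password
"""

# Constructed SHOW GRANTS lines for the accounts above.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO `webapp`@`%`",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO `app`@`10.0.0.5`",
    "GRANT REPLICATION SLAVE ON *.* TO `repl`@`10.0.0.%`",
]

# Constructed my.cnf fragment with the setting the thread warns against.
SAMPLE_CNF = "[mysqld]\nbind-address = 0.0.0.0\n"

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Privileges an application account has no business holding (DDL and server administration).
DDL_OR_ADMIN = {"ALL PRIVILEGES", "CREATE", "DROP", "ALTER", "FILE", "SUPER",
                "GRANT OPTION", "SHUTDOWN", "PROCESS", "CREATE USER"}
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO [`']?(?P<user>[^`'@]*)[`']?@[`']?(?P<host>[^`'\s]+)[`']?")


def parse_users(text):
    """Turn the tab-separated query output into a list of {User, Host, plugin} dicts."""
    rows = [line.split("\t") for line in text.splitlines()]
    header, body = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in body if len(r) == len(header)]


def audit_users(users):
    """Anonymous accounts, remote root, and accounts allowed to connect from anywhere."""
    findings = []
    for u in users:
        name, host = u["User"], u["Host"]
        if name == "":
            findings.append(f"anonymous account @{host}: drop it")
        elif name == "root" and host not in LOCAL_HOSTS:
            findings.append(f"root@{host}: remote root login allowed")
        elif host == "%":
            findings.append(f"{name}@{host}: may connect from any address; restrict to app/replica IPs")
    return findings


def audit_grants(grants, app_users=("webapp", "app")):
    """Application accounts holding DDL/admin privileges or global (*.*) scope."""
    findings = []
    for g in grants:
        m = GRANT_RE.match(g)
        if not m or m["user"] not in app_users:
            continue
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        risky = sorted(privs & DDL_OR_ADMIN)
        if risky or m["scope"] == "*.*":
            findings.append(f"{m['user']}@{m['host']}: {', '.join(risky) or 'privileges'} on {m['scope']}; "
                            "an application account needs only DML on its own schema")
    return findings


def audit_bind_address(cnf_text):
    """Flag a server that listens on every interface (explicitly, or by MySQL 8's default of '*')."""
    m = re.search(r"^\s*bind[-_]address\s*=\s*(\S+)", cnf_text, re.MULTILINE)
    if not m:
        return ["bind-address not set: MySQL 8 defaults to all interfaces"]
    if m.group(1) in {"0.0.0.0", "::", "*"}:
        return [f"bind-address = {m.group(1)}: listening on every interface"]
    return []


if __name__ == "__main__":
    for f in audit_users(parse_users(SAMPLE_USERS)) + audit_grants(SAMPLE_GRANTS) + audit_bind_address(SAMPLE_CNF):
        print("-", f)
```

    Against the constructed input the audit reports the anonymous account, root@%, webapp@% with ALL PRIVILEGES on *.*, and the 0.0.0.0 bind; the app@10.0.0.5 account with only DML on its own schema and the replication user pinned to the private range pass, which is the shape the thread is steering toward. The bind-address check is the MySQL single-value form; MariaDB accepts only one address there, as Daniel15 notes, so a host firewall is the complementary control.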

  • rcy026rcy026 Member

    My guess is that MySQL is not your problem, your PHP application is. Not PHP itself, but the code running on your website. It takes some experience and knowledge to write secure PHP code and sadly most developers are not skilled enough, despite their claims.
    I'm not a programmer and I suck at coding, but you would be shocked to know how many websites made by "professional developers" even I have been able to find exploits in.

  • jsgjsg Member, Resident Benchmarker

    @Liso

    Sorry, but while I value the well-intentioned helping attempts by some users here, frankly your post isn't worth such attempts. Why? Because the way you describe your problem is more or less of the "Haalp! My computer is broken" kind (and not even the "and it makes strange noises" kind).

    There are 1001 possible ways to "hack a MySQL server" and with the information provided by you, which pretty much boils down to zero, it is not possible to help you (other than slinging wild guesses at you that might, just might, not be too far off but highly likely won't help).

    So, back to field zero: Provide sensible information!

    Thanked by 2: LTniger, alilet
  • HalfEatenPieHalfEatenPie Member
    edited August 4

    The best structure I use is having my database airgapped to my frontend server. To maintain that line of communication though I have a small group of interns handle database requests using a handful of thumb drives and sneakernet.

    Performance has been a bit lacking and we've tried increasing performance by hiring more interns but it seems throwing more bodies at the problem isn't the right solution (we realized after hiring our 15th intern that the marginal improvement just wasn't worth it). We'll have to keep reviewing our cybersecurity policies and seeing how we can improve performance without increasing our cybersecurity risk.

    Thanked by 1: yoursunny
  • @jsg said:

    FWIW you don’t even tell them what information they should provide to get better assistance.

    Thanked by 1: TimboJones
  • mhnmhn Member

    Try to check the BTC address balance. I'm really curious if someone actually paid the ransom

    • don't ever leave your mysql instance open to the world unless you've got a firewall protecting it, even then it's not a great idea. as mentioned by others, you should have a VPN between these servers, or if possible just put them on the same VLAN and use private IP addresses for communication.
    • the vulnerability is 99.9% likely to be in your application code (unless your interpreter is extremely out of date)
    • if there is any PII or other sensitive data about your customers in that database, you need to notify them of the breach.
    • selinux is very unlikely to have prevented this breach. the concept of mandatory access control is completely meaningless when you're talking about an application communicating with the database over the network. the only way it would've made any difference is if they had locally compromised the DB server through a non-database username and then attempted to access files outside their classification.
    • set up sensible access controls for MySQL. disable anonymous users and do not allow remote root access to the database.

    source:
    years of experience in security. OSWA, CEH, SSCP, ECIH certs along the way.
