Got Hacked | MySQL Database being held for ransom, any mitigation ?
Just today, I found this when I checked our office database, apparently we got hacked.
mysql> select * from README\G
*************************** 1. row ***************************
id: 1
readme: To recover your lost Database send 0.017 Bitcoin (BTC) to our Bitcoin address: ****************** After this, contact us by email with your Server IP or Domain Name and a Proof of Payment (Payment ID). Your Database is downloaded and backed up on our servers. Backups that we have right now: (my db list). Any email without your server IP Address or Domain Name and a Proof of Payment together will be ignored. If we dont receive your payment in the next 10 Days, we will delete or leak your sensitive information.
BTC_address: ************************************
email: db*****0*@***mail.com
1 row in set (0.00 sec)
Luckily I have set up a db backup system, and I can easily restore to a known good state. Our webapp on /var/www seems not affected though, but I'd be a fool to trust this machine now.
Is there any mitigation to lessen the risk of this happening? This is my first time getting MySQL hacked. I suspect the hacker got access through some kind of remote exploit using PHP; I've checked the ssh log and found nothing unusual. The server has fail2ban set up and it is working properly.
Comments
Do you have SELinux installed and enabled?
No one ever really exploits the PHP interpreter but PHP code itself. Your access logs may give some insight into what started the event. The best way to react is to find and fix the code.
I always start with a grep for POST requests and start looking there. Bonus points if you can isolate a time frame.
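A worked version of that triage, added here as an example and not code from the thread: it parses combined-format access-log lines (constructed samples below, using documentation IPs), keeps only POST requests inside a chosen time window, and counts client/path pairs, flagging the /pma/ and /phpmyadmin/ paths named later in the thread. Function and constant names are my own.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log line, e.g. the constructed samples below.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Admin front-ends the thread names as the usual entry point (/pma/, /phpmyadmin/).
WATCH_PATHS = ("/pma/", "/phpmyadmin/")

def post_requests(lines, start, end):
    """Parse each line; keep POSTs whose timestamp falls inside [start, end]."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparsable line: skip, don't crash
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        if rec["method"] == "POST" and start <= rec["ts"] <= end:
            out.append(rec)
    return out

def summarize(records):
    """Count (client IP, path) pairs, busiest first, flagging watched paths."""
    counts = Counter((r["ip"], r["path"]) for r in records)
    return [{"ip": ip, "path": path, "count": n,
             "flag": path.startswith(WATCH_PATHS)}
            for (ip, path), n in counts.most_common()]

# Constructed sample log (documentation IPs, not data from the thread).
SAMPLE_LOG = """\
198.51.100.7 - - [12/May/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.9 - - [12/May/2021:10:02:10 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 4096
203.0.113.9 - - [12/May/2021:10:02:11 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 4096
203.0.113.9 - - [12/May/2021:10:02:13 +0000] "POST /phpmyadmin/import.php HTTP/1.1" 200 310
198.51.100.7 - - [12/May/2021:10:05:00 +0000] "POST /contact.php HTTP/1.1" 302 0
203.0.113.9 - - [12/May/2021:13:40:00 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 4096
""".splitlines()

def triage(lines=SAMPLE_LOG, start=None, hours=1):
    """Default window: `hours` hours from 10:00 UTC on the sample day."""
    start = start or datetime(2021, 5, 12, 10, 0, tzinfo=timezone.utc)
    end = start + timedelta(hours=hours)
    return summarize(post_requests(lines, start, end))

for row in triage():
    print(("!! " if row["flag"] else "   ") + f'{row["ip"]} {row["path"]} x{row["count"]}')
```

Point it at your real log with `triage(open("/var/log/apache2/access.log"), start=<aware datetime>)` and narrow the window to the time the README table appeared.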
Nope, selinux is not installed.
You can try installing selinux to prevent them from exploiting PHP and then going against other installed applications.
I also recommend installing MySQL on a different server inside a totally isolated private network, exposing the MySQL port to the application server inside the private network. (This is how most of my setups are running right now.)
This is the best solution.
Happened to me once, I used a copy-pasted password from a tutorial 🤣
Also another thing to consider is:
Now that your DB is leaked in theory...
Do you have users' credentials stored? Are they hashed properly? Is the hashing algorithm strong? Salted, etc.?
That should also be a priority. If users' (note the plural) info is involved, make sure to follow your local authorities' procedures and obligations (if any) and inform those users. Users should be informed so that they can assess their own risk.
Can you connect to your MySQL remotely or have you disabled that feature?
Most likely site.com/pma/ or /phpmyadmin/.
That is just an automated bot.
Your mysql password was 100% root:root or something it could guess. From my experience those attacks just delete everything and then make a note hoping for people to send money.
The best thing in this case would be to identify the hole which needs to be plugged. For this, order a fully managed server from a reputable provider. A few recommendations:
https://www.liquidweb.com/products/dedicated/
https://www.rackspace.com/managed-hosting
Another good solution would be to get specialized services as managed database (AWS, Google, MS).
This will eliminate the huge hole of a mismanaged server and you can focus on potential problems on the software side. Of course, if you host code which does not generate at least a million per day, then do whatever...
Yes, it used to listen on localhost only; the connection was performed through an ssh tunnel. But this setup prevented me from doing MySQL replication, so now it is set to listen on all addresses.
The replication should be done over a trusted network only. A VPN or restricting to an internal network address only should be sufficient.
Also, all users should be locked down so they can only connect from the relevant IPs. Local users should only be allowed to connect from localhost. Replication users should only be allowed to connect from your private network or VPN.
Make sure you are only binding to localhost and any private or VPN IPs. NOT all IPs!! IIRC MariaDB doesn't allow this (it can only have one bind IP set) but Oracle MySQL does.
Did you forget to run
sudo mysql_secure_installation
after installing the db server?
Alternatively, you can handle this through your system's firewall. Allow only the IP addresses of your application server(s) and replication slave(s) to connect to MySQL port 3306.
This is not quite as selective as binding each MySQL user to specific IPs, but it limits the number of hosts that can even attempt to connect, and in that way prevents the MySQL process from having to deal with IPs that should never have access.
Another best practice is to ensure that replication (and, in fact, all connections to MySQL/MariaDB) is done using SSL encryption:
https://dev.mysql.com/doc/refman/8.0/en/replication-solutions-encrypted-connections.html
This would allow for safe replication over the public Internet.
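To check the bind-address and SSL points from the last two replies against an actual config file, here is an added audit script (my own example, not from the thread or from the MySQL project): it reads the [mysqld] section, reports a bind_address that is a wildcard or outside loopback/private/VPN ranges, and reports require_secure_transport being off (available in MySQL 5.7.8+ and MariaDB 10.5+). The trusted ranges and the two constructed my.cnf samples are assumptions to adapt to your own network plan.

```python
import configparser
import ipaddress

# Ranges the audit accepts as "private or VPN" (assumption: edit to match your plan).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8")]

def load_mysqld(text):
    """[mysqld] options with dashes normalised to underscores (the server
    treats bind-address and bind_address alike)."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, inline_comment_prefixes=("#",))
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return {}
    return {k.replace("-", "_"): (v or "").strip() for k, v in cp.items("mysqld")}

def audit(text):
    """Return findings as strings; an empty list means the checks passed."""
    opts = load_mysqld(text)
    findings = []
    if "skip_networking" in opts:
        return findings                  # no TCP listener at all: nothing exposed
    # Absent means "all interfaces"; MySQL 8.0.13+ accepts a comma-separated list.
    for addr in opts.get("bind_address", "*").split(","):
        addr = addr.strip()
        if addr in ("*", "0.0.0.0", "::"):
            findings.append(f"bind_address={addr}: listening on every interface")
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:               # a hostname: resolve and check by hand
            findings.append(f"bind_address={addr}: hostname, check manually")
            continue
        if not (ip.is_loopback or any(ip in net for net in TRUSTED_NETS)):
            findings.append(f"bind_address={addr}: not loopback, private or VPN")
    if opts.get("require_secure_transport", "OFF").upper() not in ("ON", "1"):
        findings.append("require_secure_transport is off: plaintext logins allowed")
    return findings

# Constructed samples: the weak setting from the thread beside a corrected one.
WEAK_CNF = """[mysqld]
bind-address = 0.0.0.0
"""
FIXED_CNF = """[mysqld]
bind-address = 127.0.0.1,10.8.0.1   # loopback plus the VPN interface
require_secure_transport = ON
"""
for name, cnf in (("weak", WEAK_CNF), ("fixed", FIXED_CNF)):
    print(name, audit(cnf) or "OK")
```

On MariaDB, which takes a single bind address, the list form in FIXED_CNF will not parse; use one interface there and rely on the firewall for the rest.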
Also learn and set up MySQL user permissions while you're at it. The hacked script was able to modify the database structure and add a new table, which it shouldn't be able to do in 99% of cases.
Newer MySQL versions (at least on Debian-based distros) by default are not using plain password authentication anymore. Even if you somehow expose the server to the world, nobody would be able to log in unless you explicitly change both the authentication mechanism and set the password to a weak one.
My guess is that mysql is not your problem, your php application is. Not php itself, but the code running on your website. It takes some experience and knowledge to write secure php code and sadly most developers are not skilled enough, despite their claims.
I'm not a programmer and I suck at coding, but you would be shocked to know how many websites made by "professional developers" even I have been able to find exploits in.
@Liso
Sorry, but while I value the well-intentioned helping attempts by some users here, frankly your post isn't worth such attempts. Why? Because the way you describe your problem is more or less of the "Haalp! My computer is broken" kind (and not even the "and it makes strange noises" kind).
There are 1001 possible ways to "hack a MySQL server", and with the information provided by you, which pretty much boils down to zero, it is not possible to help you (other than slinging wild guesses at you that might, just might, not be too far off but highly likely won't help).
So, back to field zero: Provide sensible information!
The best structure I use is having my database airgapped to my frontend server. To maintain that line of communication though I have a small group of interns handle database requests using a handful of thumb drives and sneakernet.
Performance has been a bit lacking and we've tried increasing performance by hiring more interns but it seems throwing more bodies at the problem isn't the right solution (we realized after hiring our 15th intern that the marginal improvement just wasn't worth it). We'll have to keep reviewing our cybersecurity policies and seeing how we can improve performance without increasing our cybersecurity risk.
FWIW you don’t even tell them what information they should provide to get better assistance.
Try to check the BTC address balance. I'm really curious if someone actually paid the ransom.
Source: years of experience in security. OSWA, CEH, SSCP, ECIH certs along the way.