Server hacked 'To recover your lost Database and avoid leaking it: Send us 0.1 Bitcoin (BTC)'

Hello,

A couple of hours ago I had a misfortune to be the target of an attack.
All of my DB's were/are deleted with only one table in them, called 'WARNING'. It has 3 columns with the following content:

1. To recover your lost Database and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address 16wssaUQ1thukJvwV9YRBKzxzy18n47dY8 and contact us by Email with your Server IP or Domain name and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your Database is downloaded and backed up on our servers. Backups that we have right now: the exact correct names of my db's . If we dont receive your payment in the next 10 Days, we will make your database public or use them otherwise.
2. 16wssaUQ1thukJvwV9YRBKzxzy18n47dY8
3. [email protected]

I followed @till 's advice from here to get my dbispconfig table back and then run restore procedure from ISPConfig but it seams that my table structure is a bit different from this one so I had to dump dbispconfig table from my other ISPConfig server and then run ispconfig_db_backup.sql from /var/backup/ispconfig_xxx

Right now, writing this, I'm just hoping that ISPConfig will be able to restore my DB's.

Has anyone else had similar experience?
Any advice?
Could this be avoided?

 

I would say it is not possible to completely prevent something like that happening. A competent attacker can crack into your server given enough time and resources.
What you can do is keep operating system, ISPConfig and the softwares running in websites updated. Force everyone to use good passwords, like 12 character long random strings. Using fail2ban helps a little, brute force attacks are more laborius.
I would prefer all websites to be HTML and CSS only static websites, then there would be nothing to crack into. But users want to have Joomla, Wordpress or other CMS which they then forget to keep updated.

 

Strange thins is:

• everything is updated (Wordpress and all the plugins),
• all passwords are very strong (20+ characters),
  • and I do mean ALL of them: e-mails, DB's, FTP...every single one of them
• fail2ban installed following Perfect Server tutorial,
• there really isn't that much traffic and
• the data stored REALLY is not that much worth.

I really can't see how would anyone invest considerable amount of time and resources to do this.
It looks like I was targeted but I can't say why.

And if it's just a bot trying every server and just happen to run into mine, than there's a serious security problem ether with Debian, Wordpress, MariaDB and/or any major component, because I followed every rule in the book.

 

Yes I did run the scan and it found nothing. A couple of outdated plugins and some false positives but that's all.

I assume the hacker got access only to MySQL since only the db's are affected. And yes, all db's were affected. Even the roundcube db.
There were new db users created: 'mysqld' and 'system' user. I compared to my other ISPConfig server and those users weren't there.

It seems that I managed to get it all bac and running but now I have a problem with the backup within ISPConfig. It backs up the files but it doesn't back up the db's.

Is there something I can do to make it run backup on the db's too?

 

Also, it seems that I can't change db password using ISPConfig.
Does anyone know how to make it work?

 

Check you can log in to mysql with the info in

Code:

/usr/local/ispconfig/server/lib/mysql_clientdb.conf

If not, change database root password and edit that file accordingly.
If you know the database root password, it is easy to change. If you do not know, use this:
https://www.faqforge.com/linux/controlpanels/ispconfig2/how-to-reset-the-mysql-root-password/

 

the exact hack happened to my server starting from May 9 2019. Based on my backup check, not all DB are affected at once. Instead it took a few days to affected all of the DB. After restoring backup, I changed my root password and all FTP password.

 

I second what skysky said. Try a restore and change all passwords. Like tillman said, enforce strong passwords.

Ask your server provider if they have any security packages and try to implement/ buy a basic suite.

 

@skysky
Was it enough to change the passwords of the users?
Thanks

 

The first rule is to change your mysql server administrator's name "root" to an unpopular one! Then, delete the default administrator "root" altogether!

 

Have you checked your logwatch records to find out how he got into your db?

I am very scared now.

 

Far from enough.
I guess this kind of hack is caused by the portal software, wordpress etc, imperfection itself. Password hack could be banned effectively by software like fail2ban, denyhost etc.

 

@concept21
thanks for the info. I do not have content manager is a web application in linux in php and have entered and I have hijacked several bbdd. This is serious and worrying. I have taken the basic steps to see what happens ...

 

Hi All,
I've read all messages regarding hacked MySQL and wondering - maybe it's a stupid question, but:
did anyone of you actually saw the result of this?
i just wondered if this guys did publish your DB eventually? did you find anything?

thanks

 

Could you please update what happaned afterwards? did you pay? if not, did anything else happen?

 

I just had same attack on my "database". My site is just a kind of portfolio, angular + python + postgresql on Amazon Servers (AWS).
!Note that I'am not using PHP at all, only python!
As I am inquisitive, I wanted to examine this situation, and I found what happened.
First of all I checked access log. I found some interesting entries like:

Code:

"GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 823 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
5.101.0.209
"GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1" 200 823 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
5.101.0.209 - -
"GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

Further :

Code:

...
 "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226 "-" "-"
 "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 226 "-" "-"
 "GET //pma/scripts/setup.php HTTP/1.1" 404 219 "-" "-"
 "GET //myadmin/scripts/setup.php HTTP/1.1" 404 223 "-" "-"
 "GET //MyAdmin/scripts/setup.php HTTP/1.1" 404 223 "-" "-"
 "GET http://example.com/ HTTP/1.1" 200 823 "-" "A(mazon)WS Security Scanner"
"\x16\x03\x01" 400 226 "-" "-"
"GET / HTTP/1.1" 400 226 "-" "-"
"GET /wordpress/ HTTP/1.1" 404 208 "-"
...

There is over 2000 of unique requests that day, all of them trying to find popular SQL admin tools or files from wordpress/wix, which means it is just an blind attack. Bot checks for vulnerable services on popular IP ranges and attacks them.

And that is what propably happend in @inside83 case. Bot just performed action on known wordpress holes, or so called low hanging fruits not secured by user.

But in my case, as I'm using my own Python - psycopg2 code for db connection, attacking bot did something simple. I have field that user can write in and send it to database via POST method. To investigate further I checked PostgreSQL logs:

Code:

CREATE TABLE cmd_exec(cmd_output text);
    COPY cmd_exec FROM PROGRAM 'cat /proc/cpuinfo' encoding 'gbk'; - Bot checks hardware, so he knows release pkg of db.
    SELECT * FROM cmd_exec;

Code:

    CREATE TABLE cmd_exec(cmd_output text);
    COPY cmd_exec FROM PROGRAM 'ps auxw|grep -v grep|grep -v nginx|sort -rn -k3|awk {if($3>50.0) print $2}|xargs kill -9' encoding 'gbk';
- Checks for open processes and killing them
    SELECT * FROM cmd_exec;

Code:

CREATE TABLE cmd_exec(cmd_output text);
    COPY cmd_exec FROM PROGRAM 'killall postgresq1' encoding 'gbk';
    SELECT * FROM cmd_exec;

[CODE]
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public to postgres;
 STATEMENT:  SELECT pg_terminate_backend(pg_stat_activity.procpid) FROM pg_stat_activity WHERE pg_stat_activity.datname = 'please_read_me_xmg' AND procpid <> pg_backend_pid(); - Here bot created db with "WARNING"

Bot tried also to log as root:

Code:

DETAIL:  Role "root" does not exist.

These are of course small parts of logs, just to show some obvious tricks they made. Im quite a programmer but Im coming to network from low level automation/robotics, so such "attack" was something interesting for me.

As you can see bot performed simple SQL injection. Instead of sending integers in my POST method, it send SQL code. That attack is quite primitive but expanded targeting popular security holes caused by unexperienced admins.

@Aha I can see in logs that bot copied database, but there are errors aftewards, so I think they don't have the database, it could be pretending.

What can we do to protect from such an attack:

- Learn and use properly DB users - user mustn't be owner/admin of table (and priviliges)

- Use random passwords (If users were set badly, attacker doesnt need to crack password, as it can take it from SQL - f.e. -
SELECT description FROM products WHERE name='A' OR 1=2 UNION SELECT password FROM members WHERE username='admin')

- Be sure that you secured all your input methods. - my bad

- Use well reviewed 3rd party software.

- Regulary check your logs for suspicious activity. Whole attack lasted 2-3 days according to logs, so for good admin it was easy to catch.

- Properly Learn used technology.

- Backups/Raiding.


@inside83 We are just noobs .

If there are mistakes in my logic or anyone have more thoughts tell me

Cheers.