Hello all, on 17 December the MariaDB database on my AlmaLinux server (VERSION="9.7 (Moss Jungle Cat)") was removed. The culprit left the following message inside the database as an entry:

Dear Sir/Madam, We hope this message finds you well. We would like to let you know that we created a backup of your databases/tables (we keep them for 60 days and then permanently delete them). We offer you our recover service: if you want to recover your corrupted or incomplete databases/tables, simply transfer 1300 USD in Bitcoin to this address: xxxxxxxxxxxxxxxxxxxxx - This address is assigned to your database credentials (host + user). We will know when you have paid. After payment confirmation, our program will restore the entire databases/tables automatically, so please do not change your database login details and make sure the database is still accessible from outside the local network. Do not worry. All your databases and tables will be restored. (If the restore fails the current field will be modified and provide links for you to download your data). If you do not wish to use our service, please ignore this message. Thank you for your time and consideration. Go ...

I was wondering if somebody has had a similar issue and how to find out how they gained access.
Some of the options are:

1) Insecure MariaDB root password.

2) MariaDB port open to the outside + insecure password. If you don't need external access, close the MariaDB port in a firewall, or configure it to listen on the localhost IP 127.0.0.1 or the localhost socket only.

3) It was not MariaDB that was hacked, but an application that uses it. E.g., you run a WordPress website. WordPress stores data in MariaDB. If WordPress gets hacked, then the attacker gets access to the MariaDB database that WordPress is using as well. This means they can delete all tables and add the message you received. So in this case it was not MariaDB that was hacked, but the application/website/CMS which uses it.
Thank you for your feedback. I will now reinstall the server and take your points into account during the setup. Once I’ve finished configuring it, are there good ways to verify that all insecure ports are closed? (For example, a website that checks this or something similar?)
There are several websites out there, just Google it. Though it's possible the outcome won't be accurate. If your ISP monitors its network, the website can get blocked because of a detected port scan, for example.
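As an added example (not from the thread), a POSIX shell script that covers the two points raised above: whether MariaDB is bound to loopback only, as the second post advises, and a local way to verify it instead of relying on an external scan website, as the last question asks. It assumes a stock AlmaLinux layout (/etc/my.cnf, /etc/my.cnf.d/*.cnf, ss, firewall-cmd); the two filter functions work on plain text so they can also be run against saved output.

```sh
#!/bin/sh
# Added example (not from the thread): two text filters that check whether
# MariaDB is reachable only on loopback, plus a live run at the bottom.
# Assumed paths/commands: /etc/my.cnf, /etc/my.cnf.d/*.cnf, ss, firewall-cmd.

# Print the effective bind-address from MariaDB config text on stdin.
# The last bind-address in a [mysqld]/[mariadb]/[mariadbd]/[server] section
# wins; empty output means it is unset, so the server listens on every address.
mariadb_bind_address() {
    awk -F'=' '
        /^[ \t]*[#;]/ { next }                            # comment line
        /^[ \t]*\[/   { sect = tolower($0); next }        # section header
        sect ~ /\[(mysqld|mariadbd?|server)\]/ &&
            $1 ~ /^[ \t]*bind-address[ \t]*$/ {
            gsub(/[ \t]/, "", $2); addr = $2
        }
        END { print addr }'
}

# Read `ss -tln` output on stdin and print every listener on the given port
# (default 3306) whose local address is not loopback. Exit status 1 if any
# such listener exists, so the function can drive an alert.
exposed_db_listeners() {
    awk -v port="${1:-3306}" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n]               # port follows the last colon
            host = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && host !~ /^(127\.|\[::1\]$|localhost$)/) {
                print $4; found = 1
            }
        }
        END { if (found) exit 1 }'
}

# Live check on this host; skipped where ss is absent.
if command -v ss >/dev/null 2>&1; then
    echo "bind-address: $(cat /etc/my.cnf /etc/my.cnf.d/*.cnf 2>/dev/null | mariadb_bind_address)"
    if ! ss -tln | exposed_db_listeners 3306; then
        echo "WARNING: MariaDB accepts connections on a non-loopback address"
    fi
    # On AlmaLinux, firewalld decides what the outside can reach even if the
    # server listens widely; 3306/mysql should not appear in the output.
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --list-all 2>/dev/null || true
    fi
fi
```

An empty bind-address line together with a `0.0.0.0:3306` or `[::]:3306` listener is the configuration the second post warns about.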