Hello All, On the 17th December my MariaDB Database on my AlmaLinux, VERSION="9.7 (Moss Jungle Cat) has been removed. The culprit left the following message inside the Database as a entry: Dear Sir/Madam, We hope this message finds you well. We would like to let you know that we created a backup of your databases/tables (we keep them for 60 days and then permanently delete them). We offer you our recover service: if you want to recover your corrupted or incomplete databases/tables, simply transfer 1300 USD in Bitcoin to this address: xxxxxxxxxxxxxxxxxxxxx - This address is assigned to your database credentials (host + user). We will know when you have paid. After payment confirmation, our program will restore the entire databases/tables automatically, so please do not change your database login details and make sure the database is still accessible from outside the local network. Don not worry. All your databases and tables will be restored. (If the restore fails the current field will be modified and provide links for you to download your datas). If you do not wish to use our service, please ignore this message. Thank you for your time and consideration. Go ... I was wondering if somebody had a similar issue and how to find out how they gained access.
Some of the options are: 1) Insecure MariaDB root password. 2) MariaDB port is open from the outside + insecure password. If you don't need external access, close mariaDB port in a firewall or configure it to listen on the localhost IP 127.0.0.1 or the localhost socket only. 3) Not MariaDB was hacked, but an application that uses it. E.g., you run a WordPress website. WordPress stores data in MariaDB. if WordPress gets hacked, then the attacker gets access to the MariaDB database that WordPress is using as well. This means they can delete all tables and add the message you received. So in this case, not MariaDB was hacked, but the application/website/cms which uses it.
Thank you for your feedback. I will now reinstall the server and take your points into account during the setup. Once I’ve finished configuring it, are there good ways to verify that all insecure ports are closed? (For example, a website that checks this or something similar?)
There are several websites out there, just Google it. Though it's possible the outcome won't be accurate. If your isp monitors its network the website can get blocked because of a detected portscan for example.
On how they got in — with that exact ransom note, it's almost always one of two things. Either MariaDB was reachable from the internet with a weak or default root password (brute-forced, tables dropped, note inserted), or, more commonly, a web app using the database such as WordPress was compromised and the attacker just used its legitimate DB access to wipe the tables. In that second case MariaDB itself wasn't really "hacked" — the app was the door. To work out which one it was, check the logs before you wipe the box if you still can: MariaDB's error log, and the access logs of any web app on the server around 17 December. If the DB port was open to the world, assume the first; if it was localhost-only, it came in through an app. For checking the rebuild is properly locked down, start with what's actually listening: run `ss -tlnp`. MariaDB should show 127.0.0.1:3306, not 0.0.0.0:3306 — if it's the latter, set bind-address = 127.0.0.1 in the config and restart, which closes it entirely if nothing external needs the DB. Then check the firewall (AlmaLinux 9 uses firewalld) with `firewall-cmd --list-all` and expose only what you need, usually 22, 80 and 443. The part that actually answers your question is scanning from the outside — don't trust the box's own view. From another machine run `nmap -Pn -p- YOUR.SERVER.IP`, and have a look at shodan.io for your IP, which shows what the internet already sees. As remkoh said, random web-based port scanners are unreliable and can get blocked, so nmap from a separate host is the accurate way. Two things make a repeat a non-event: give each app its own MariaDB user with least privilege (rights on its own database only, never root), so a compromised app can't touch anything else; and set up automated, tested off-site backups with something like restic or borg — then a "pay us in Bitcoin" note is just a restore, not a ransom. Good luck with the rebuild.