Hi! My Linux server, which is running my company website, has been hacked. Today I saw a number of clients (customers) with some funny character entries in my database (MySQL). Access denial for real clients. Please assist, I am running Linux Ubuntu 9 and I don't know where to start troubleshooting this. Let me confess that I am still on the learning curve on Linux.
Step 1: make sure you have a backup of the data.
Step 2: make sure there are no root user accounts without passwords.
Step 3: make sure the ROOT account has a nice long password.
Step 4: make an account that you can use like root; make sure that connections are localhost only.

These are some of the simple things; just google "locking down mysql" to get more help. For the time being, I would take down the SQL server, or block port 3306 from being accessed from the internet.
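Steps 2 to 4 above are checks you can run over the grant table before touching anything. The following is an added example, not code from the answer above: it audits rows shaped like `mysql.user` (User, Host, Password) for empty passwords, anonymous accounts and root accounts reachable from hosts other than localhost, and emits the SQL a DBA would review before running it by hand. It uses an in-memory SQLite table with constructed sample rows so it runs offline; on a real server you would run the same `SELECT User, Host, Password FROM mysql.user` with the `mysql` client instead. The `SET PASSWORD ... = PASSWORD(...)` form is the MySQL 5.x syntax current on Ubuntu 9; the placeholder password is a label, not a value.

```python
"""Audit a MySQL-style grant table for the weaknesses the answer lists.

Added example, not code from the forum post. Runs against an in-memory
SQLite table mimicking mysql.user so it works offline.
"""
import sqlite3

# Constructed sample of what `SELECT User, Host, Password FROM mysql.user`
# might return on a neglected MySQL 5.x server (Password holds the hash).
SAMPLE_GRANT_ROWS = [
    ("root", "localhost", ""),                                      # root, no password
    ("root", "%", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),    # root from anywhere
    ("webapp", "localhost", "*9B500343BC52E2911172EB52AE5CF4847604C6E5"),
    ("", "localhost", ""),                                          # anonymous account
]

LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")


def load_grant_table(rows):
    """Build an in-memory stand-in for mysql.user from constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (User TEXT, Host TEXT, Password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", rows)
    return conn


def audit_grant_table(conn):
    """Return (findings, fixes).

    findings: human-readable descriptions of each weak account.
    fixes: the SQL statement a DBA would review and run to fix each one.
    """
    findings, fixes = [], []
    for user, host, pwd in conn.execute("SELECT User, Host, Password FROM user"):
        acct = f"'{user}'@'{host}'"
        if user == "":
            # Anonymous accounts let anyone connect without a username.
            findings.append(f"anonymous account {acct}")
            fixes.append(f"DROP USER {acct};")
            continue
        if pwd == "":
            findings.append(f"{acct} has an empty password")
            fixes.append(f"SET PASSWORD FOR {acct} = PASSWORD('<new long password>');")
        if user == "root" and host not in LOCAL_HOSTS:
            # Root should only ever be usable from the box itself.
            findings.append(f"root may connect remotely via {acct}")
            fixes.append(f"DROP USER {acct};")
    return findings, fixes


if __name__ == "__main__":
    found, remedies = audit_grant_table(load_grant_table(SAMPLE_GRANT_ROWS))
    for line in found:
        print("FINDING:", line)
    for stmt in remedies:
        print("FIX:", stmt)
```

For the "localhost only" part of step 4, the server-side counterpart is `bind-address = 127.0.0.1` in the `[mysqld]` section of `my.cnf`, which stops MySQL listening on the network at all and makes the port 3306 firewall rule a second layer rather than the only one.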
At first you should imho discover the source of the issue. It won't help to disable network-side access to the db server in general if the vulnerability belongs to a (web) application that does not verify the user input / db data output. This should be located and fixed, among other points. Depending on what kind of application it is, you should also consider verifying it for other vulnerabilities of that kind, e.g. see the OWASP Top 10 (http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project).

When thinking about recovering the server, either you build it up from scratch, reinstall the (patched!) application (if it was vulnerable) and restore the DB content from a backup verified to be clean (if possible). Otherwise you should try to find the most recent but clean backup and restore from that. Except for the first solution, it depends on the damage (if you the whole), e.g. you might have some bad content in your db vs. having a kernel rootkit on your server.

Regarding the password change, it is always helpful to change them on a regular basis.
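The "does not verify the user input" case this answer points at is, for a database-backed site, usually a query built by string concatenation. The following added example (not the answer's code) shows that pattern beside its parameterized fix, plus an allow-list check for the input, so you can see why the odd characters ended up in the table and what stops them. It uses an in-memory SQLite `customers` table with constructed rows so it runs offline; with a MySQL driver such as MySQLdb or mysql-connector the fix is the same except the placeholder is `%s` rather than `?`.

```python
"""Vulnerable string-built query beside its parameterized fix.

Added example, not code from the forum thread. SQLite in-memory with a
constructed customers table so it runs offline.
"""
import re
import sqlite3

NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")  # allow-list for a customer name


def make_db():
    """Constructed customers table standing in for the site's real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # The defect: user input is spliced into the SQL text, so a quote in
    # the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name, email FROM customers WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # The fix: the value travels separately from the SQL text, so whatever
    # it contains is only ever compared as data, never parsed as SQL.
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


def validate_name(name):
    """Allow-list check to apply before the query even runs."""
    return bool(NAME_RE.match(name))


def demo():
    """Run the same probe through both lookups and return the results."""
    conn = make_db()
    probe = "nobody' OR '1'='1"  # the textbook tautology that string-splicing lets through
    return {
        "vulnerable": lookup_vulnerable(conn, probe),  # returns every row
        "safe": lookup_safe(conn, probe),              # returns nothing
        "legit": lookup_safe(conn, "alice"),           # normal lookup still works
        "probe_valid": validate_name(probe),           # rejected by the allow-list
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Both layers belong in the application: the parameterized query is what makes the injection impossible, and the allow-list is what lets you reject and log the bad request early, which is also the signal you would want in the web server logs when working out how the current entries got in.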