Server hacked 'To recover your lost Database and avoid leaking it: Send us 0.1 Bitcoin (BTC)'

Discussion in 'Installation/Configuration' started by inside83, May 8, 2019.

  1. inside83

    inside83 Member

    Hello,

    A couple of hours ago I had a misfortune to be the target of an attack.
    All of my DB's were/are deleted with only one table in them, called 'WARNING'. It has 3 columns with the following content:
    1. To recover your lost Database and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address 16wssaUQ1thukJvwV9YRBKzxzy18n47dY8 and contact us by Email with your Server IP or Domain name and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your Database is downloaded and backed up on our servers. Backups that we have right now: the exact correct names of my db's . If we dont receive your payment in the next 10 Days, we will make your database public or use them otherwise.
    2. 16wssaUQ1thukJvwV9YRBKzxzy18n47dY8
    3. [email protected]
    I followed @till 's advice from here to get my dbispconfig table back and then run restore procedure from ISPConfig but it seams that my table structure is a bit different from this one so I had to dump dbispconfig table from my other ISPConfig server and then run ispconfig_db_backup.sql from /var/backup/ispconfig_xxx

    Right now, writing this, I'm just hoping that ISPConfig will be able to restore my DB's.

    Has anyone else had similar experience?
    Any advice?
    Could this be avoided?
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I would say it is not possible to completely prevent something like that happening. A competent attacker can crack into your server given enough time and resources.
    What you can do is keep operating system, ISPConfig and the softwares running in websites updated. Force everyone to use good passwords, like 12 character long random strings. Using fail2ban helps a little, brute force attacks are more laborius.
    I would prefer all websites to be HTML and CSS only static websites, then there would be nothing to crack into. But users want to have Joomla, Wordpress or other CMS which they then forget to keep updated.
     
  3. inside83

    inside83 Member

    Strange thins is:
    • everything is updated (Wordpress and all the plugins),
    • all passwords are very strong (20+ characters),
      • and I do mean ALL of them: e-mails, DB's, FTP...every single one of them
    • fail2ban installed following Perfect Server tutorial,
    • there really isn't that much traffic and
    • the data stored REALLY is not that much worth.
    I really can't see how would anyone invest considerable amount of time and resources to do this.
    It looks like I was targeted but I can't say why.

    And if it's just a bot trying every server and just happen to run into mine, than there's a serious security problem ether with Debian, Wordpress, MariaDB and/or any major component, because I followed every rule in the book.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I assume you did scan the server already?

    https://www.howtoforge.com/tutorial/how-to-scan-linux-for-malware-and-rootkits/

    If nothing could be found, then the hacker got probably access to MySQL only and not to the whole system. He probably would have stolen and encrypted files as well if he would be able to access them. Where all databases affected? If yes, then he must got access to the MySQL user which has access to all of them. Might even be that he got access to a desktop where the password is used/stored that you or someone else with administrative MySQL priveliges uses to administer the server.
     
  5. inside83

    inside83 Member

    Yes I did run the scan and it found nothing. A couple of outdated plugins and some false positives but that's all.

    I assume the hacker got access only to MySQL since only the db's are affected. And yes, all db's were affected. Even the roundcube db.
    There were new db users created: 'mysqld' and 'system' user. I compared to my other ISPConfig server and those users weren't there.

    It seems that I managed to get it all bac and running but now I have a problem with the backup within ISPConfig. It backs up the files but it doesn't back up the db's.
    upload_2019-5-12_23-52-2.png
    Is there something I can do to make it run backup on the db's too?
     
  6. inside83

    inside83 Member

    Also, it seems that I can't change db password using ISPConfig.
    Does anyone know how to make it work?
     
  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  8. Jesse Norell

    Jesse Norell Well-Known Member

    The db ransomware is new and gaining popularity, and it sounds like there are many ways used to access databases, so do try to find attribution to the specific vulnerability, but also don't be surprised if you can't. As @till mentioned, you could have had the client side hacked, but there are many pieces to consider on the server, too.

    This is a single server system? Unless you need open internet access to the mysql server (and you know why you need it - most people don't), you should make sure port 3306 is blocked in your firewall, and even set the bind address in mysql to 127.0.0.1 (for single servers - you can't bind to localhost on the master server if running a multi-server install). If you do need internet access to mysql, consider restricting it to known ip address, and/or require a vpn, and/or use port forwarding (over ssh) to access it, so it's not wide open. If you had mysql open to the internet you might check your myql logs and see if you find anything interesting.

    There are probably only 3 mysql accounts that would have access to all your databases, root, debian-sys-maint and ispconfig. Assuming you have phpmyqdmin installed, you can edit /etc/phpmyadmin/config.inc.php to restrict logins from those three accounts. That of course means you can't use those in phpmyadmin yourself (but you may not do that very often, and if you need to you can just edit phpmyadmin.inc config to allow it temporarily, or even only allow it from your ip address).

    Hacking a customers site (or phpymyadmin or roundcube) should not gain access to any of those 3 accounts mentioned above. There's a comment from the specific bitcoin address you posted https://www.bitcoinabuse.com/reports/16wssaUQ1thukJvwV9YRBKzxzy18n47dY8 that says they 'exploited' a phpmyadmin login page, but I think they just mean they logged in using phpmyadmin and a known/guessed password. There was a recent apache2 privilege escalation (with PoC published) that could have done that via roundcube, phpmyadmin or other app if they were running in mod_php mode; you could check if that's the case and switch to php-fpm for the future. (That would give system level root access, not anything mariadb specific, but it's certainly a possibility.)

    Hacking the ISPConfig control panel itself would gain access to the 'ispconfig' db user and would be of particular interest to this forum. Please check apache logs (error.log and access.log) as well as /var/log/ispconfig/auth.log* for any indications of that, and check all your other log files to see what you find around and preceding the time that happened.

    That is all (mostly) assuming they only got db level access, not system level root access; there are a lot more things to consider for those (eg. any/every service running on the machine and listening to the network, anything that can be used as a local privilege escalation once a website or such has been compromised (eg. dsa-4367), larger system compromises such as a vps providers getting hacked (including fairly recent container breakouts), spectre/meltdown, etc.).

    Keep that up, and get a few new "books" to follow, but in the end, make sure you have a good backup regimen. :)
     
    Taleman likes this.
  9. skysky

    skysky New Member

    the exact hack happened to my server starting from May 9 2019. Based on my backup check, not all DB are affected at once. Instead it took a few days to affected all of the DB. After restoring backup, I changed my root password and all FTP password.
     
  10. Jeremy007

    Jeremy007 Member

    I second what skysky said. Try a restore and change all passwords. Like tillman said, enforce strong passwords.

    Ask your server provider if they have any security packages and try to implement/ buy a basic suite.
     
  11. jmleal

    jmleal New Member

    @skysky
    Was it enough to change the passwords of the users?
    Thanks
     
  12. concept21

    concept21 Member

    The first rule is to change your mysql server administrator's name "root" to an unpopular one! Then, delete the default administrator "root" altogether! :eek:
     
  13. concept21

    concept21 Member

    Have you checked your logwatch records to find out how he got into your db?

    I am very scared now. :(
     
  14. concept21

    concept21 Member

    Far from enough.
    I guess this kind of hack is caused by the portal software, wordpress etc, imperfection itself. Password hack could be banned effectively by software like fail2ban, denyhost etc.
     
  15. jmleal

    jmleal New Member

    @concept21
    thanks for the info. I do not have content manager is a web application in linux in php and have entered and I have hijacked several bbdd. This is serious and worrying. I have taken the basic steps to see what happens ...
     

Share This Page