Server hacked 'To recover your lost Database and avoid leaking it: Send us 0.1 Bitcoin (BTC)'

Discussion in 'Installation/Configuration' started by inside83, May 8, 2019.

  1. inside83

    inside83 Member

    Hello,

    A couple of hours ago I had a misfortune to be the target of an attack.
    All of my DB's were/are deleted with only one table in them, called 'WARNING'. It has 3 columns with the following content:
    1. To recover your lost Database and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address 16wssaUQ1thukJvwV9YRBKzxzy18n47dY8 and contact us by Email with your Server IP or Domain name and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your Database is downloaded and backed up on our servers. Backups that we have right now: the exact correct names of my db's . If we dont receive your payment in the next 10 Days, we will make your database public or use them otherwise.
    2. 16wssaUQ1thukJvwV9YRBKzxzy18n47dY8
    3. [email protected]
    I followed @till 's advice from here to get my dbispconfig table back and then run restore procedure from ISPConfig but it seams that my table structure is a bit different from this one so I had to dump dbispconfig table from my other ISPConfig server and then run ispconfig_db_backup.sql from /var/backup/ispconfig_xxx

    Right now, writing this, I'm just hoping that ISPConfig will be able to restore my DB's.

    Has anyone else had similar experience?
    Any advice?
    Could this be avoided?
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I would say it is not possible to completely prevent something like that happening. A competent attacker can crack into your server given enough time and resources.
    What you can do is keep operating system, ISPConfig and the softwares running in websites updated. Force everyone to use good passwords, like 12 character long random strings. Using fail2ban helps a little, brute force attacks are more laborius.
    I would prefer all websites to be HTML and CSS only static websites, then there would be nothing to crack into. But users want to have Joomla, Wordpress or other CMS which they then forget to keep updated.
     
  3. inside83

    inside83 Member

    Strange thins is:
    • everything is updated (Wordpress and all the plugins),
    • all passwords are very strong (20+ characters),
      • and I do mean ALL of them: e-mails, DB's, FTP...every single one of them
    • fail2ban installed following Perfect Server tutorial,
    • there really isn't that much traffic and
    • the data stored REALLY is not that much worth.
    I really can't see how would anyone invest considerable amount of time and resources to do this.
    It looks like I was targeted but I can't say why.

    And if it's just a bot trying every server and just happen to run into mine, than there's a serious security problem ether with Debian, Wordpress, MariaDB and/or any major component, because I followed every rule in the book.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I assume you did scan the server already?

    https://www.howtoforge.com/tutorial/how-to-scan-linux-for-malware-and-rootkits/

    If nothing could be found, then the hacker got probably access to MySQL only and not to the whole system. He probably would have stolen and encrypted files as well if he would be able to access them. Where all databases affected? If yes, then he must got access to the MySQL user which has access to all of them. Might even be that he got access to a desktop where the password is used/stored that you or someone else with administrative MySQL priveliges uses to administer the server.
     
  5. inside83

    inside83 Member

    Yes I did run the scan and it found nothing. A couple of outdated plugins and some false positives but that's all.

    I assume the hacker got access only to MySQL since only the db's are affected. And yes, all db's were affected. Even the roundcube db.
    There were new db users created: 'mysqld' and 'system' user. I compared to my other ISPConfig server and those users weren't there.

    It seems that I managed to get it all bac and running but now I have a problem with the backup within ISPConfig. It backs up the files but it doesn't back up the db's.
    upload_2019-5-12_23-52-2.png
    Is there something I can do to make it run backup on the db's too?
     
  6. inside83

    inside83 Member

    Also, it seems that I can't change db password using ISPConfig.
    Does anyone know how to make it work?
     
  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  8. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    The db ransomware is new and gaining popularity, and it sounds like there are many ways used to access databases, so do try to find attribution to the specific vulnerability, but also don't be surprised if you can't. As @till mentioned, you could have had the client side hacked, but there are many pieces to consider on the server, too.

    This is a single server system? Unless you need open internet access to the mysql server (and you know why you need it - most people don't), you should make sure port 3306 is blocked in your firewall, and even set the bind address in mysql to 127.0.0.1 (for single servers - you can't bind to localhost on the master server if running a multi-server install). If you do need internet access to mysql, consider restricting it to known ip address, and/or require a vpn, and/or use port forwarding (over ssh) to access it, so it's not wide open. If you had mysql open to the internet you might check your myql logs and see if you find anything interesting.

    There are probably only 3 mysql accounts that would have access to all your databases, root, debian-sys-maint and ispconfig. Assuming you have phpmyqdmin installed, you can edit /etc/phpmyadmin/config.inc.php to restrict logins from those three accounts. That of course means you can't use those in phpmyadmin yourself (but you may not do that very often, and if you need to you can just edit phpmyadmin.inc config to allow it temporarily, or even only allow it from your ip address).

    Hacking a customers site (or phpymyadmin or roundcube) should not gain access to any of those 3 accounts mentioned above. There's a comment from the specific bitcoin address you posted https://www.bitcoinabuse.com/reports/16wssaUQ1thukJvwV9YRBKzxzy18n47dY8 that says they 'exploited' a phpmyadmin login page, but I think they just mean they logged in using phpmyadmin and a known/guessed password. There was a recent apache2 privilege escalation (with PoC published) that could have done that via roundcube, phpmyadmin or other app if they were running in mod_php mode; you could check if that's the case and switch to php-fpm for the future. (That would give system level root access, not anything mariadb specific, but it's certainly a possibility.)

    Hacking the ISPConfig control panel itself would gain access to the 'ispconfig' db user and would be of particular interest to this forum. Please check apache logs (error.log and access.log) as well as /var/log/ispconfig/auth.log* for any indications of that, and check all your other log files to see what you find around and preceding the time that happened.

    That is all (mostly) assuming they only got db level access, not system level root access; there are a lot more things to consider for those (eg. any/every service running on the machine and listening to the network, anything that can be used as a local privilege escalation once a website or such has been compromised (eg. dsa-4367), larger system compromises such as a vps providers getting hacked (including fairly recent container breakouts), spectre/meltdown, etc.).

    Keep that up, and get a few new "books" to follow, but in the end, make sure you have a good backup regimen. :)
     
    Taleman likes this.
  9. skysky

    skysky Member

    the exact hack happened to my server starting from May 9 2019. Based on my backup check, not all DB are affected at once. Instead it took a few days to affected all of the DB. After restoring backup, I changed my root password and all FTP password.
     
  10. Jeremy007

    Jeremy007 Member

    I second what skysky said. Try a restore and change all passwords. Like tillman said, enforce strong passwords.

    Ask your server provider if they have any security packages and try to implement/ buy a basic suite.
     
  11. jmleal

    jmleal New Member

    @skysky
    Was it enough to change the passwords of the users?
    Thanks
     
  12. concept21

    concept21 Member

    The first rule is to change your mysql server administrator's name "root" to an unpopular one! Then, delete the default administrator "root" altogether! :eek:
     
  13. concept21

    concept21 Member

    Have you checked your logwatch records to find out how he got into your db?

    I am very scared now. :(
     
  14. concept21

    concept21 Member

    Far from enough.
    I guess this kind of hack is caused by the portal software, wordpress etc, imperfection itself. Password hack could be banned effectively by software like fail2ban, denyhost etc.
     
  15. jmleal

    jmleal New Member

    @concept21
    thanks for the info. I do not have content manager is a web application in linux in php and have entered and I have hijacked several bbdd. This is serious and worrying. I have taken the basic steps to see what happens ...
     
  16. Aha

    Aha New Member

    Hi All,
    I've read all messages regarding hacked MySQL and wondering - maybe it's a stupid question, but:
    did anyone of you actually saw the result of this?
    i just wondered if this guys did publish your DB eventually? did you find anything?

    thanks
     
    Last edited: Feb 8, 2020
    inside83 likes this.
  17. Aha

    Aha New Member

    Could you please update what happaned afterwards? did you pay? if not, did anything else happen?
     
  18. Jomo

    Jomo New Member

    I just had same attack on my "database". My site is just a kind of portfolio, angular + python + postgresql on Amazon Servers (AWS).
    !Note that I'am not using PHP at all, only python!
    As I am inquisitive, I wanted to examine this situation, and I found what happened.
    First of all I checked access log. I found some interesting entries like:

    Code:
    "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 823 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    5.101.0.209
    "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1" 200 823 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    5.101.0.209 - -
    "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 404 207 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
    Further :

    Code:
    ...
     "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226 "-" "-"
     "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 226 "-" "-"
     "GET //pma/scripts/setup.php HTTP/1.1" 404 219 "-" "-"
     "GET //myadmin/scripts/setup.php HTTP/1.1" 404 223 "-" "-"
     "GET //MyAdmin/scripts/setup.php HTTP/1.1" 404 223 "-" "-"
     "GET http://example.com/ HTTP/1.1" 200 823 "-" "A(mazon)WS Security Scanner"
    "\x16\x03\x01" 400 226 "-" "-"
    "GET / HTTP/1.1" 400 226 "-" "-"
    "GET /wordpress/ HTTP/1.1" 404 208 "-"
    ...
    
    There is over 2000 of unique requests that day, all of them trying to find popular SQL admin tools or files from wordpress/wix, which means it is just an blind attack. Bot checks for vulnerable services on popular IP ranges and attacks them.

    And that is what propably happend in @inside83 case. Bot just performed action on known wordpress holes, or so called low hanging fruits not secured by user.

    But in my case, as I'm using my own Python - psycopg2 code for db connection, attacking bot did something simple. I have field that user can write in and send it to database via POST method. To investigate further I checked PostgreSQL logs:

    Code:
    CREATE TABLE cmd_exec(cmd_output text);
        COPY cmd_exec FROM PROGRAM 'cat /proc/cpuinfo' encoding 'gbk'; - Bot checks hardware, so he knows release pkg of db.
        SELECT * FROM cmd_exec;
    
    Code:
        CREATE TABLE cmd_exec(cmd_output text);
        COPY cmd_exec FROM PROGRAM 'ps auxw|grep -v grep|grep -v nginx|sort -rn -k3|awk {if($3>50.0) print $2}|xargs kill -9' encoding 'gbk';
    - Checks for open processes and killing them
        SELECT * FROM cmd_exec;
    
    Code:
    CREATE TABLE cmd_exec(cmd_output text);
        COPY cmd_exec FROM PROGRAM 'killall postgresq1' encoding 'gbk';
        SELECT * FROM cmd_exec;
    
    [CODE]
    GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public to postgres;
     STATEMENT:  SELECT pg_terminate_backend(pg_stat_activity.procpid) FROM pg_stat_activity WHERE pg_stat_activity.datname = 'please_read_me_xmg' AND procpid <> pg_backend_pid(); - Here bot created db with "WARNING"
    
    Bot tried also to log as root:
    Code:
    DETAIL:  Role "root" does not exist.
    
    These are of course small parts of logs, just to show some obvious tricks they made. Im quite a programmer but Im coming to network from low level automation/robotics, so such "attack" was something interesting for me.

    As you can see bot performed simple SQL injection. Instead of sending integers in my POST method, it send SQL code. That attack is quite primitive but expanded targeting popular security holes caused by unexperienced admins.

    @Aha I can see in logs that bot copied database, but there are errors aftewards, so I think they don't have the database, it could be pretending.

    What can we do to protect from such an attack:

    - Learn and use properly DB users - user mustn't be owner/admin of table (and priviliges)

    - Use random passwords (If users were set badly, attacker doesnt need to crack password, as it can take it from SQL - f.e. -
    SELECT description FROM products WHERE name='A' OR 1=2 UNION SELECT password FROM members WHERE username='admin')

    - Be sure that you secured all your input methods. - my bad

    - Use well reviewed 3rd party software.

    - Regulary check your logs for suspicious activity. Whole attack lasted 2-3 days according to logs, so for good admin it was easy to catch.

    - Properly Learn used technology.

    - Backups/Raiding.


    @inside83 We are just noobs ;).

    If there are mistakes in my logic or anyone have more thoughts tell me :)

    Cheers.
     
    Last edited: Mar 5, 2020

Share This Page