My database just got hacked and the data deleted. See photo

biew55 (Verified User, joined Sep 22, 2016, 6 messages)
Hi all,

I want to discuss this with anyone who has experience with it.

My customer's database is gone, taken by a hacker. It was a big database, around 100 GB.

Of course the hacker wants Bitcoin from me, see photo.

How can I protect against this?
 

Attachments: 2020-03-03_0-40-12-1.png, 2020-03-03_0-24-24.png
I've seen this reported by multiple customers, who had a very easy root password set for MySQL (or no password at all).
 
> I've seen this reported by multiple customers, who had a very easy root password set for MySQL (or no password at all).
What is the default installation mode for DA then? Is it installed with a password by default? I'm curious now.
 
> What is the default installation mode for DA then? Is it installed with a password by default? I'm curious now.
Yes, it's installed with a random password by default, stored in /usr/local/directadmin/conf/my.cnf.
 
Even better, with 2 passwords by default.
The one mentioned by smtalk is the da_admin user password (also has root rights).
There's also a MySQL root password, which can be found at /usr/local/directadmin/scripts/setup.txt, but this is normally not used. It might come in handy though if you ever change your MySQL da_admin password and forget it: it's an easy way to change it back via root.
 
I thought there were no root credentials for MySQL installs, or if there are, they are removed after installation in favour of DA's details... Am I mistaken?
 
Wow... please take care. I think... it can only be deleted. Can't get the files.
 

Attachments: 2020-03-03_10-32-13.png, 2020-03-03_10-34-11.png
> I thought there were no root credentials for MySQL installs, or if there are, they are removed after installation in favour of DA's details... Am I mistaken?
Yes, you are mistaken. You can check for yourself; they are in the file I mentioned.
 
> Wow... please take care. I think... it can only be deleted. Can't get the files.
You sure? You can't log in to MySQL via the console and do a list? Tried with both the da_admin and root accounts?
Files are in /var/lib/mysql and all accounts are in there too, maybe you can back them up or something. I'm not a MySQL guru though, so I can't help you any further.
 
Also got a report from one of my customers a day ago. These kinds of attacks are usually done on servers with TCP port 3306 opened world-wide. So it is a very bad idea to have port 3306 publicly open with MySQL bound to it.

Another question: has anybody tried to decrypt hacked data in MySQL/MariaDB?
 
No way to say it 100%, I guess. Critical data might be stolen... of course. But what to do if a user does not have backups? Pay the hacker?

Visually check the MySQL tables where users/passwords are stored, erase and reinstall the MySQL database and re-create all necessary users... and so on.
 
@zEitEr and @biew55, would you mind sharing whether the hacked database was running on MySQL or MariaDB, and also which version? Also, were they running with a strong password?

Edit: And did the hacker get root access to MySQL/MariaDB? If not, it could just be a compromised WordPress install, and then the hacker could find the password to the database in wp-config.php. WordPress is just an example because it is widely used, but it could be any other CMS as well. If that is the case, I find nothing special about it: if a CMS is compromised, I would also assume the database could be compromised, and that happens all the time.
 
@ditto

Well, as far as I can say, they hacked exactly port 3306. I've seen hacked servers with and without DirectAdmin; in all cases port 3306 had been publicly opened. Mostly MariaDB, but I won't say there were no MySQL instances.

They either removed the existing tables or encrypted them, and created a WARNING table

Code:
/var/lib/mysql/user_db/WARNING.frm
/var/lib/mysql/user_db/WARNING.ibd

with the following content:

To recover your lost Database and avoid leaking it: Send us 0.06 Bitcoin (BTC) to our Bitcoin address 1BLYhU********cTWgc6gFT6DCYwbVieUD and contact us by Email with your Server IP or Domain name and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your Database is downloaded and backed up on our servers. If we dont receive your payment in the next 10 Days, we will make your database public or use them otherwise.

I've masked the Bitcoin address.

In certain cases we could see files like:

Code:
 /var/lib/mysql/mysql/\usr\lib64\mysql\plugin\\cna12.dll.

with various names under /var/lib/mysql/; they probably utilized LOAD DATA statements to gain privileged access to the server.
 
Thank you for the information. But you don't say anything about what version of MariaDB they were running? Was it the latest version? I am just trying to figure out if this is some new vulnerability that we do not yet know of, or if it is only because of sysadmins that have not done their job of upgrading.

It would also be of interest to know whether their MariaDB/MySQL root password was strong or not, and whether they had local-infile=0 in /etc/my.cnf or not.

Generally I do not think it should be necessary to close port 3306 in the firewall; also, some customers sometimes want to open up for a remote IP to connect to their database (they can do that at user level in DirectAdmin), but that would not work if we close down port 3306 in the firewall.
 
We did not get our hands on solving the recent incident. The user had no backups to recover from. So I can't say what version is used there.

The older cases happened to MariaDB 10.3. My records indicate:

Code:
2019-08-03 09:08:10 : mariadb 10.3.17 installed
2019-09-22 07:09:37 : mariadb 10.3.18 installed
2019-11-17 07:11:01 localhost: mariadb 10.3.20 installed
 
Thank you. When looking at the MariaDB changelogs, there are no CVE fixes in MariaDB 10.3.21, and in MariaDB 10.3.22 there is only one CVE (CVE-2020-2574), but by its description it does not seem that it could be the cause: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2574

On a 4-month-old DirectAdmin install, I see that in /usr/local/directadmin/scripts/setup.txt the default password for mysql= is 17 characters and for adminpass= is 14 characters. That should be strong enough.

However, the default da_admin user password in /usr/local/directadmin/conf/mysql.conf is only 10 characters long. That is too short for my liking. I suggest DirectAdmin change the default to a minimum of 14 characters.
 
User create : da_admin

Are da_admin and MySQL root the same or different?

They're likely the same.

> Well, as far as I can say, they hacked exactly port 3306. I've seen hacked servers with and without DirectAdmin; in all cases port 3306 had been publicly opened. Mostly MariaDB, but I won't say there were no MySQL instances.

There shouldn't be any root@% users by default, so even if 3306 is open, it shouldn't let anyone connect to localhost accounts.
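An added audit helper, not from this thread or from DirectAdmin, that checks the exposures discussed above in one place: MySQL bound on a public interface (the open-3306 case), local-infile not disabled, and administrative accounts such as root@% or accounts with an empty password. The my.cnf fragments and the mysql.user rows are constructed samples, and the function names are hypothetical.

```python
"""Offline audit of a my.cnf [mysqld] fragment and a mysql.user listing (hypothetical helper)."""
import configparser

# Constructed my.cnf fragments: the weak setup seen in this thread and a hardened one.
MY_CNF_WEAK = """\
[mysqld]
bind-address = 0.0.0.0
local-infile = 1
"""
MY_CNF_HARDENED = """\
[mysqld]
bind-address = 127.0.0.1
local-infile = 0
"""

# Constructed rows, as if from: SELECT user, host, authentication_string FROM mysql.user;
USERS = [
    ("root", "localhost", "*HASH-PLACEHOLDER"),
    ("da_admin", "localhost", "*HASH-PLACEHOLDER"),
    ("root", "%", ""),                      # remote root with an empty password
    ("wp_user", "%", "*HASH-PLACEHOLDER"),  # remote app user with a password (allowed)
]

def audit_my_cnf(text):
    """Return findings for the [mysqld] section of a my.cnf fragment (no !include lines)."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   inline_comment_prefixes=("#",))
    cp.read_string(text)
    section = cp["mysqld"] if cp.has_section("mysqld") else {}
    findings = []
    # Absent bind-address means "listen on all interfaces" for both MySQL and MariaDB.
    bind = section.get("bind-address", "0.0.0.0")
    if bind in ("0.0.0.0", "::", "*"):
        findings.append("bind-address listens on all interfaces; 3306 is reachable unless firewalled")
    # Default differs (MySQL 8.0: OFF, MariaDB: ON), so require an explicit local-infile=0.
    if str(section.get("local-infile", "")).lower() not in ("0", "off"):
        findings.append("local-infile not explicitly disabled; set local-infile=0")
    return findings

def audit_users(rows, admin_users=("root", "da_admin")):
    """Flag empty passwords and administrative accounts reachable from non-localhost hosts."""
    findings = []
    for user, host, auth in rows:
        if auth == "":
            findings.append(f"{user}@{host}: empty password")
        if user in admin_users and host != "localhost":
            findings.append(f"{user}@{host}: administrative account allowed from remote host")
    return findings
```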
 