I just got hacked database and deleted data. see photo

[zEitEr]

Yes, sure. It's not a case if directadmin is installed with a help of an actual version of setup scripts. Unfortunately some users get Directadmin preinstalled on a VPS, and do not always change all the required passwords. And old installation and images might have a root@% user in MySQL as well as badly configured /etc/my.cnf.

There shouldn't be any root@% users by default, so, even if 3306 is open, it shouldn't let anyone to connect to localhost accounts.

 

[jayw1]

and do not always change all the required passwords.

Which passwords are required to be changed?

 

[sufiyanshaikh]

I've seen this reported by multiple customers, who had very easy root password for MySQL set (or no password at all).

I found da_admin rather than root in /usr/local/directadmin/conf/my.cnf
Do I need to take any action for root ?

 

[ikkeben]

For those who are thinking some parts / configuration from PHPmyadmin was door for such sh...

Try https://www.adminer.org/ simpel easy. replacement for some , if you have doubt about phpmyadmin , don't use however default names / locations is then more hidden .

 

[zEitEr]

If you rent a VPS with a pre-installed DirectAdmin it is a good idea to change all the passwords in system and MySQL, FTP.

Which passwords are required to be changed?

 

[sufiyanshaikh]

I found da_admin rather than root in /usr/local/directadmin/conf/my.cnf
Do I need to take any action for root ?

zEitEr can you please answer this?

 

[ditto]

For those who are thinking some parts / configuration from PHPmyadmin was door for such sh...

Try https://www.adminer.org/ simpel easy. replacement for some , if you have doubt about phpmyadmin , don't use however default names / locations is then more hidden .

What make you think adminer is any more safe then phpMyAdmin? In 2018 adminer had a very bad vulnerability: https://www.cvedetails.com/cve/CVE-2018-7667/ - it was "remote", "Low complexity", and authentication was not needed to exploit it.

Often when a customer site is hacked, one of the first thing the hacker does, is to upload adminer. It seem to be popular by hackers. Anyway, phpMyAdmin behind .htpasswd (default for DirectAdmin when phpMyAdmin is public), would be a much better and safer choice. Bruteforce is of no consern if you have strong passwords.

 

[ikkeben]

What make you think adminer is any more safe then phpMyAdmin? In 2018 adminer had a very bad vulnerability: https://www.cvedetails.com/cve/CVE-2018-7667/ - it was "remote", "Low complexity", and authentication was not needed to exploit it.

Often when a customer site is hacked, one of the first thing the hacker does, is to upload adminer. It seem to be popular by hackers. Anyway, phpMyAdmin behind .htpasswd (default for DirectAdmin when phpMyAdmin is public), would be a much better and safer choice. Bruteforce is of no consern if you have strong passwords.

No i don't think sorry.
Both has had their flaws, if i only want simple i do use adminer, 1 file with some directory security, and i delete the file , or rename ( extension) if not needed.

If for others users you can teach them how to use, no complex tool to . But if lot of users and needed for a databases overall tool that is allready in DA package ok..

That is why it ofcourse could be safer to use, while when not there one couldn't abuse or even try brute force on that or phpmyadmin, ofcourse because of that simple 1 file that database tool is liked by more people also ofcourse hackers. ( But is not a hacker tool ofcourse)

 

[biew55]

Thanks for all answer., and detail..

for now I just use only last version of Directadmin component , and concern to backyp daily,

 

[zEitEr]

I found da_admin rather than root in /usr/local/directadmin/conf/my.cnf
Do I need to take any action for root ?

DirectAdmin uses `da_admin` user. I don't know what are you up to. Anyway strongs passwords should be used, and 3306 port should be closed for untrusted IPs.

 

[LawsHosting]

DirectAdmin uses `da_admin` user. I don't know what are you up to. Anyway strongs passwords should be used, and 3306 port should be closed for untrusted IPs.

I assume DA modifies the db user if clients want to use "Access Hosts"... That said, what happens if they just put a "%" (related)? TBH, this shouldn't be allowed.

I open 3306 by default, this saves support times opening the port for IPs in CSF/etc.

 

[Richard G]

DirectAdmin uses `da_admin` user. I don't know what are you up to

He's up to the fact that a root password also exists for mysql in Directadmin. Directadmin uses da_admin but this does not take away the fact that the root account also exists and can be used otherwise.

@zEitEr can you please answer this?

Check /usr/local/directadmin/scripts/setup.txt for the current mysql root password. You can change that too if needed.