MySQL Database Hacked

[nuclearhosting]

Hello, its second time when we noticed that mysql database inside this container were hacked. All data has been lost, one database were created with name "PLEASE_READ_ME_XMG" and with content:

MariaDB [PLEASE_READ_ME_XMG]> select * from WARNING;
+----+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+------------------------+
| id | warning                                                                                                                                                                                                                                                                                                                                                                                                 | Bitcoin_Address                    | Email                  |
+----+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+------------------------+
|  1 | To recover your lost data : Send 0.045 BTC to our BitCoin Address and Contact us by eMail with your server IP Address or Domain Name and a Proof of Payment. Any eMail without your server IP Address or Domain Name and a Proof of Payment together will be ignored. Your File and DataBase is downloaded and backed up on our servers. If we dont receive your payment,we will delete your databases. | 1666666vT5Y5bPXPAk4jWqJ9Gr26SLFq8P | muhstik@protonmail.com |
+----+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+------------------------+

I try to investigate this problem but Im not able to identify how this happened. I did not find any more affected data, just mysql data is lost.

Any ideas?

[leepan8]

same here.
Other reports:
https://www.bitcoinabuse.com/reports/166666PxYba9jJPPvB5NNForLYhsGJdyE4
https://www.bitcoinabuse.com/reports/166666c927KgLmHLCJCWtoKHjawo7W7Hmp
https://www.bitcoinabuse.com/reports/1MuhStiKmNr2cgjFxx8AHS7CMmVqv1aSGX

[Boffice]

is the issue somehow linked to this container ? or is it global ispconfig issue ?

[nuclearhosting]

Its a container problem I guess, not an ispconfig. We run on ISPConfig tens of servers without any problem. I guess, this problem comes from insecure MySQL root account (default mysql root password is "pass") but not sure about that. After we secure MySQL in this container (bind on localhost, remove anonymous users / databases, changed root password, which are standard basic best practicies) the problem did not appears again.

[Boffice]

Hmm it's logical if sever got hacked with defaults credentials with remote% access.
but rather than that if anybody got hacked with modified MySQL settings, can it be docker issue or container configuration issue ? i checked Dockerfile and steps seems to be correct and secure.

p.s.
I am very new to docker, i have installed it yesterday and this image was first thing i did ever deploy with docker .

And one last thing [offtopic] can anybody help me to access this docker image via winscp ? what is the root password of ssh ?

[geoker]

Found this post about it. https://draculaservers.com/tutorials/update-secure-phpmyadmin/