
MySQL Database Hacked #19

Open
nuclearhosting opened this issue Feb 25, 2019 · 5 comments

@nuclearhosting

commented Feb 25, 2019

Hello, it's the second time we have noticed that the MySQL database inside this container was hacked. All data has been lost; one database was created with the name "PLEASE_READ_ME_XMG" and with this content:

MariaDB [PLEASE_READ_ME_XMG]> select * from WARNING;
+----+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+------------------------+
| id | warning                                                                                                                                                                                                                                                                                                                                                                                                 | Bitcoin_Address                    | Email                  |
+----+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+------------------------+
|  1 | To recover your lost data : Send 0.045 BTC to our BitCoin Address and Contact us by eMail with your server IP Address or Domain Name and a Proof of Payment. Any eMail without your server IP Address or Domain Name and a Proof of Payment together will be ignored. Your File and DataBase is downloaded and backed up on our servers. If we dont receive your payment,we will delete your databases. | 1666666vT5Y5bPXPAk4jWqJ9Gr26SLFq8P | muhstik@protonmail.com |
+----+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+------------------------+

I tried to investigate this problem but I'm not able to identify how this happened. I did not find any other affected data; just the MySQL data is lost.

Any ideas?

@Boffice


commented Mar 8, 2019

Is the issue somehow linked to this container? Or is it a global ISPConfig issue?

@nuclearhosting

Author

commented Mar 8, 2019

It's a container problem I guess, not an ISPConfig one. We run ISPConfig on tens of servers without any problem. I guess this problem comes from the insecure MySQL root account (the default MySQL root password is "pass"), but I'm not sure about that. After we secured MySQL in this container (bind on localhost, remove anonymous users / databases, change the root password, which are standard basic best practices) the problem did not appear again.
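The three hardening steps named in the comment above (bind on localhost, remove anonymous users and the default database, change the root password) can be checked mechanically. The script below is an added example, not code from this issue or from the image's Dockerfile: it audits a `[mysqld]` config section, the rows of `SELECT User, Host FROM mysql.user` and the output of `SHOW DATABASES` for exactly those weaknesses, flags a `PLEASE_READ_ME*` ransom-note database as an indicator that the wipe has already happened, and generates the remediation statements. All inputs are constructed samples embedded inline; the `SAMPLE_*` constants, the function names and the `<set-a-strong-unique-password>` placeholder are assumptions, not values from the page.

```python
"""Audit a MariaDB/MySQL instance for the exposure pattern behind this issue:
an externally reachable listener plus default/anonymous accounts."""
import re
from typing import List, Sequence, Tuple

# Constructed sample (not from the issue): a minimal [mysqld] config section.
SAMPLE_MY_CNF = """\
[mysqld]
datadir = /var/lib/mysql
bind-address = 0.0.0.0
port = 3306
"""

# Constructed sample: rows as returned by `SELECT User, Host FROM mysql.user`.
SAMPLE_USER_ROWS: List[Tuple[str, str]] = [
    ("root", "localhost"),
    ("root", "%"),          # root reachable from any host
    ("", "localhost"),      # anonymous account
    ("", "%"),              # anonymous account, any host
    ("ispconfig", "localhost"),
]

# Constructed sample: names as returned by `SHOW DATABASES`.
SAMPLE_DATABASES = ["information_schema", "mysql", "test",
                    "PLEASE_READ_ME_XMG", "dbispconfig"]

SAFE_HOSTS = {"127.0.0.1", "::1", "localhost"}
RANSOM_NOTE_DB = re.compile(r"^PLEASE_READ_ME", re.IGNORECASE)
PLACEHOLDER_PASSWORD = "<set-a-strong-unique-password>"  # placeholder, replace before use


def bind_address(my_cnf: str) -> str:
    """Return the bind-address set in the [mysqld] section, or '' if it is absent."""
    in_mysqld = False
    for raw in my_cnf.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_mysqld = line.lower() == "[mysqld]"
            continue
        m = re.match(r"bind[-_]address\s*=\s*(\S+)", line)
        if in_mysqld and m:
            return m.group(1)
    return ""


def audit_config(my_cnf: str) -> List[str]:
    """One finding if the listener is reachable from other hosts."""
    addr = bind_address(my_cnf)
    if addr in SAFE_HOSTS:
        return []
    shown = addr or "unset (server defaults to all interfaces)"
    return [f"bind-address is {shown}; port 3306 is reachable from other hosts"]


def audit_users(rows: Sequence[Tuple[str, str]]) -> List[str]:
    """Flag anonymous accounts and root accounts that accept remote logins."""
    findings = []
    for user, host in rows:
        if user == "":
            findings.append(f"anonymous account ''@'{host}'")
        elif user == "root" and host not in SAFE_HOSTS:
            findings.append(f"root account reachable remotely: 'root'@'{host}'")
    return findings


def audit_databases(names: Sequence[str]) -> List[str]:
    """Flag the ransom-note database (indicator of compromise) and the default test db."""
    findings = []
    for name in names:
        if RANSOM_NOTE_DB.match(name):
            findings.append(f"ransom-note database present: {name} "
                            "(dump it for forensics before cleaning up)")
        elif name == "test":
            findings.append("default 'test' database present "
                            "(stock installs grant anonymous accounts access to it)")
    return findings


def remediation_sql(rows: Sequence[Tuple[str, str]], names: Sequence[str]) -> List[str]:
    """Statements that apply the hardening steps from the comment; review before running."""
    stmts = []
    for user, host in rows:
        if user == "":
            stmts.append(f"DROP USER ''@'{host}';")
        elif user == "root" and host not in SAFE_HOSTS:
            stmts.append(f"DROP USER 'root'@'{host}';")
    if "test" in names:
        stmts.append("DROP DATABASE IF EXISTS test;")
    # ALTER USER ... IDENTIFIED BY needs MariaDB 10.2+ / MySQL 5.7+; older servers use SET PASSWORD.
    stmts.append(f"ALTER USER 'root'@'localhost' IDENTIFIED BY '{PLACEHOLDER_PASSWORD}';")
    stmts.append("FLUSH PRIVILEGES;")
    return stmts


def report(my_cnf: str, rows: Sequence[Tuple[str, str]], names: Sequence[str]) -> List[str]:
    """Combined findings from the three audits, in the order the comment lists the fixes."""
    return audit_config(my_cnf) + audit_users(rows) + audit_databases(names)


if __name__ == "__main__":
    for line in report(SAMPLE_MY_CNF, SAMPLE_USER_ROWS, SAMPLE_DATABASES):
        print("FINDING:", line)
    for stmt in remediation_sql(SAMPLE_USER_ROWS, SAMPLE_DATABASES):
        print("FIX:", stmt)
```

The remediation list deliberately does not drop the `PLEASE_READ_ME_XMG` database or restore anything: the ransom table holds the attacker's contact details and the only record of the event, so it should be dumped and kept before the instance is rebuilt. Binding to `127.0.0.1` is still the step that matters most; the other fixes only limit what an attacker can do once they can reach the port.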

@Boffice


commented Mar 8, 2019

Hmm, it's logical if the server got hacked with default credentials and remote (%) access.
But other than that, if anybody got hacked with modified MySQL settings, can it be a Docker issue or a container configuration issue? I checked the Dockerfile and the steps seem to be correct and secure.

P.S.
I am very new to Docker; I installed it yesterday and this image was the first thing I ever deployed with Docker.

And one last thing [off-topic]: can anybody help me to access this Docker image via WinSCP? What is the root password for SSH?

@geoker


commented Apr 16, 2019
