This story happened on 10/06/2017; I'm adding the English version of the post now. The original post (in Russian) was written almost right after the well-known NotPetya attack in Ukraine, which is why it's referenced in the title.
I had a new project assigned to me, and when I started investigating its existing setup I was simply shocked.
So.
A Data Science project: a bunch of MariaDB servers, each hosting from 10 to 150 databases.
While checking the servers and their databases (and enabling the general log along the way), I suddenly discovered that one server had no databases at all, except one with the weird name PLEASE_READ:
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| PLEASE_READ        |
| information_schema |
| mysql              |
+--------------------+
This database has one table with an even weirder name, WARNING:
MariaDB [(none)]> use PLEASE_READ;
Database changed
MariaDB [PLEASE_READ]> show tables;
+-----------------------+
| Tables_in_PLEASE_READ |
+-----------------------+
| WARNING               |
+-----------------------+
Well... maybe it's some caution about this server/database left by the previous admins/devops/developers?
Let's read its content:
MariaDB [PLEASE_READ]> select * from WARNING;
+----+-----------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+-------------------------+
| id | warning | Bitcoin_Address | Email |
+----+-----------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+-------------------------+
| 1 | Send 0.5 BTC to this address and go to this site http://es7ocnlet5vyulh5.onion/ to recover your database! SQL dump will be available after payment! | 14UhC8s4hUUCmwT31RqVbDB7dgoBxT4oXg | backupbase@mail2tor.com |
+----+-----------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+-------------------------+
Googling the mailbox "backupservice@mail2tor.com" turned up this post:
https://www.guardicore.com/2017/02/0-2-btc-strikes-back-now-attacking-mysql-databases/
But that was only the very beginning of the whole story!
Further investigation found that:
- the MySQL root user had no password, and root had access from anywhere, i.e. 'root'@'%'
- every AWS EC2 instance with a MariaDB server had an external IP
- the single AWS Security Group used by all those instances had two Allow rules for ports 22 and 3306 from the 0.0.0.0 network (i.e. anywhere)...
MariaDB [mysql]> select host,password from user where user = 'root';
+-----------------------------+-----------+
| host                        | password  |
+-----------------------------+-----------+
| localhost                   |           |
| hostname.domain.com         |           |
| 127.0.0.1                   |           |
| %                           |           |
+-----------------------------+-----------+
And it was accessible from anywhere on the Internet:
$ mysql -u root -h 52.***.***.37
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 55560
...
MariaDB [(none)]>
To sum up: as a result, on 4 of the 11 DB servers all databases were wiped out.
On the other servers root had access only from localhost, and this is what saved their databases.
On one of the servers I saw a connection attempt before I disabled network access for all those instances entirely:
...
43293 Connect Access denied for user 'root'@'182.255.63.166' (using password: NO)
China, although that doesn't tell us anything:
irt: IRT-CYHADCL-CN
address: UNIT 04,7/F,BRIGHT WAY TOWER,NO. 33 MONG KOK ROAD,KOWLOON, hong kong hong kong
e-mail: admin@kwaihingidc.com
abuse-mailbox: admin@kwaihingidc.com
admin-c: KHNT2-AP
tech-c: KHNT2-AP
auth: # Filtered
mnt-by: MAINT-CYHADCL-CN
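An added example (not from the original post) that turns the findings above into two checks a defender can run before an attacker does: an audit of mysql.user rows for the blank-password and 'root'@'%' conditions, and a scan of general-log Connect lines for root arriving from a non-local host. The rows and log lines are constructed samples modelled on the output quoted in the post.

```python
import re

# Constructed rows in the shape of `select user,host,password from mysql.user`,
# mirroring the post's findings: blank password hashes and root allowed from '%'.
MYSQL_USERS = [
    ("root", "localhost", ""),
    ("root", "hostname.domain.com", ""),
    ("root", "127.0.0.1", ""),
    ("root", "%", ""),
    ("app", "10.0.%", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
]
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def audit_accounts(rows):
    """Return (user, host, reason) for accounts an Internet-facing ransom bot could log in as."""
    findings = []
    for user, host, pw_hash in rows:
        if pw_hash == "":
            findings.append((user, host, "empty password"))
        if host == "%":
            findings.append((user, host, "login allowed from any host"))
        elif user == "root" and host not in LOCAL_HOSTS:
            findings.append((user, host, "root allowed from a remote host"))
    return findings

# Constructed general-log lines in the "<id> <command> <argument>" layout quoted in the post.
GENERAL_LOG = """\
43291 Connect\tapp@10.0.3.7 on analytics
43292 Query\tselect 1
43293 Connect\tAccess denied for user 'root'@'182.255.63.166' (using password: NO)
43294 Connect\troot@localhost on mysql
"""
CONNECT_RE = re.compile(r"\b(\d+)\s+Connect\s+(.*)$")
# Matches both "user@host on db" and "Access denied for user 'user'@'host' ..." arguments.
USER_HOST_RE = re.compile(r"'?([\w-]+)'?@'?([\w.:-]+)'?")

def remote_root_connects(log_text):
    """Return (connection id, source host, outcome) for each root connect from a non-local host."""
    hits = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        conn_id, arg = m.groups()
        uh = USER_HOST_RE.search(arg)
        if uh and uh.group(1) == "root" and uh.group(2) not in LOCAL_HOSTS:
            outcome = "denied" if arg.startswith("Access denied") else "accepted"
            hits.append((int(conn_id), uh.group(2), outcome))
    return hits
```

In practice the rows come from `mysql -N -e "select user,host,password from mysql.user"` and the log text from the general log file enabled on the server; an "accepted" hit for root from a remote host is the event worth alerting on.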
“It was a good day today” (c)
Top comments (2)
I feel actual pain from reading this :O
I'm kind of amazed I hadn't heard of unsecured databases being held for ransom until now. Thanks for sharing!