OT - PLEASE_READ_ME_XMG - database hack!!!!!

Postby Marc Vanzegbroeck » Fri Apr 19, 2019 6:06 am

Hi,

I just want to warn you that they also hack the SQL-databases.
I have some customers that use a Synology NAS. On that NAS you can install MariaDB.
That is working fine, and is a low cost server solution.

Yesterday a client contacted me that my program gives an error at startup.
I logged in remotely, and to my surprise, when I opened the SQL database with HeidiSQL, my database was gone and another database had been created, called PLEASE_READ_ME_XMG.
In that database is 1 record with a field containing the text:
To recover your lost data : Send 0.045 BTC to our BitCoin Address and Contact us by eMail with your server IP Address or Domain Name and a Proof of Payment. Any eMail without your server IP Address or Domain Name and a Proof of Payment together will be ignored. Your File and DataBase is downloaded and backed up on our servers. If we dont receive your payment,we will delete your databases


Luckily the customer made a backup the day before, so I could restore the database.

Has anyone else had this problem?
How can I protect myself against that attack again? It's very strange, they didn't delete or encrypt the files on the NAS, only the SQL data.

I googled the problem, and found:
https://draculaservers.com/tutorials/update-secure-phpmyadmin/
So probably a problem with phpMyAdmin, otherwise they would have had to hack the password of the NAS and the password of the database. If they had the password of the NAS, they would also have deleted the other files.
Regards,
Marc

FWH32+xHarbour | FWH64+Harbour | BCC | DBF | ADO+MySQL | ADO+MariaDB | ADO+SQLite
Marc Vanzegbroeck
 
Posts: 1159
Joined: Mon Oct 17, 2005 5:41 am
Location: Belgium

Re: OT - PLEASE_READ_ME_XMG - database hack!!!!!

Postby Otto » Fri Apr 19, 2019 8:13 am

Hello Marc,
it seems to me as if the original database file is encrypted as a whole and a new one created instead.
I do not think you can prevent this situation.
For my servers I use my own Fivewin Anti-Ransomware
viewtopic.php?f=3&t=35900&p=213838&hilit=ransom#p213838
as extra protection.
I also found a product with which you can switch off the USB interface via a command call,
I only turn on the external hard drive during backup. I have seen many encrypted backups too.

We also load the backup logfiles into the company every day and check if the disks are changed and if the backups were successful.
If anyone is seriously interested in the further development of these safety features, then please report and contact me.

screenshot from our FIVEWIN backup monitor

Best regards
Otto
********************************************************************
mod harbour - Let's conquer the Web
modharbour.org
https://www.facebook.com/groups/modharbour.club
********************************************************************
Otto
 
Posts: 6330
Joined: Fri Oct 07, 2005 7:07 pm

Re: OT - PLEASE_READ_ME_XMG - database hack!!!!!

Postby Rick Lipkin » Fri Apr 19, 2019 3:46 pm

Marc

Sounds like you got lucky .. however if your data was NOT encrypted your customer's database may be visible to the attackers .. credit card info, addresses, phone numbers and the like may have been compromised ..

If that is the case if the data was NOT encrypted, you owe that information to your customer to let them know their data may be at risk.

Rick Lipkin
Rick Lipkin
 
Posts: 2665
Joined: Fri Oct 07, 2005 1:50 pm
Location: Columbia, South Carolina USA

Re: OT - PLEASE_READ_ME_XMG - database hack!!!!!

Postby Marc Vanzegbroeck » Fri Apr 19, 2019 4:51 pm

Rick,

The database was password-protected (MariaDB-SQL). So I was hoping that was enough.
Since I use the Synology NAS, I couldn't verify whether the files are encrypted.
The files are stored in a place that can't be accessed by the customer or Admin account.
I think there is a leak in 'phpMyAdmin'. With that program, I can manage the SQL database on the NAS.

Rick Lipkin wrote:
Marc

Sounds like you got lucky .. however if your data was NOT encrypted your customer's database may be visible to the attackers .. credit card info, addresses, phone numbers and the like may have been compromised ..

If that is the case if the data was NOT encrypted, you owe that information to your customer to let them know their data may be at risk.

Rick Lipkin
Regards,
Marc
Marc Vanzegbroeck
 
Posts: 1159
Joined: Mon Oct 17, 2005 5:41 am
Location: Belgium

Re: OT - PLEASE_READ_ME_XMG - database hack!!!!!

Postby Otto » Fri Apr 19, 2019 6:47 pm

Hello,
therefore we use Data-at-Rest Encryption and we store the password in memory of the server.
So even if someone gets access to the files, the files are encrypted.
Best regards
Otto
Otto
 
Posts: 6330
Joined: Fri Oct 07, 2005 7:07 pm

Re: OT - PLEASE_READ_ME_XMG - database hack!!!!!

Postby horacio » Fri Apr 19, 2019 10:52 pm

To avoid attacks it is important not to use the default port of mysql (3306). Assign another port and a strong password.

regards
horacio
 
Posts: 1363
Joined: Wed Jun 21, 2006 12:39 am
Location: Capital Federal Argentina
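
A monitoring check for the situation discussed in this thread, as an added example that is not part of any post above: it takes the text output of `SHOW DATABASES` and of `SELECT User, Host FROM mysql.user` and reports a ransom-note database, a missing application database, accounts reachable from any host, and the default port. The database name `customer_db`, the account names and the sample output are constructed; matching on the `PLEASE_READ_ME` prefix rather than the exact name from the first post is an assumption.

```python
import re

# Marker seen in this thread; matching on the prefix (not only the _XMG
# suffix) is an assumption made so that renamed variants are caught too.
RANSOM_DB = re.compile(r"^PLEASE_READ_ME", re.IGNORECASE)
SYSTEM_DBS = {"information_schema", "mysql", "performance_schema", "sys"}


def audit(show_databases, user_host_rows, expected_dbs, port):
    """Return a list of (severity, message) findings.

    show_databases : text output of `SHOW DATABASES`, one name per line
    user_host_rows : tab-separated output of `SELECT User, Host FROM mysql.user`
    expected_dbs   : application databases that must exist (hypothetical names)
    port           : TCP port the database server listens on
    """
    findings = []
    present = {l.strip() for l in show_databases.splitlines() if l.strip()}

    for name in sorted(present):
        if RANSOM_DB.match(name):
            findings.append(("CRITICAL", f"ransom-note database present: {name}"))
    for name in sorted(set(expected_dbs) - present):
        findings.append(("CRITICAL", f"expected database missing: {name}"))
    for name in sorted(present - SYSTEM_DBS - set(expected_dbs)):
        if not RANSOM_DB.match(name):
            findings.append(("WARN", f"unexpected database: {name}"))

    for row in user_host_rows.splitlines():
        if not row.strip():
            continue
        user, _, host = row.partition("\t")
        if host.strip() == "%":  # '%' lets the account log in from any address
            findings.append(("WARN", f"account '{user}' may connect from any host"))
    if port == 3306:
        findings.append(("INFO", "server listens on the default port 3306"))
    return findings


# Constructed sample input resembling the state described in the first post.
SAMPLE_DBS = "information_schema\nmysql\nperformance_schema\nPLEASE_READ_ME_XMG\n"
SAMPLE_USERS = "root\tlocalhost\nappuser\t%\n"

if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_DBS, SAMPLE_USERS, ["customer_db"], 3306):
        print(f"{sev:8} {msg}")
```

Run on a schedule next to the daily backup check, a CRITICAL finding shows the wipe before the customer's program fails at startup.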
