This story happened on 10/06/2017; I am adding the English version of the post only now. The original post (in Russian) was written almost right after the well-known NotPetya attack in Ukraine, which is why it is referenced in the title.
I had a new project assigned to me. When I started investigating its existing setup, I was simply shocked.
So.
A Data Science project: a bunch of MariaDB servers, each with from 10 to 150 databases.
While checking the servers and their databases (and enabling the general log along the way), I suddenly discovered that one server had no databases at all, except one with the weird name PLEASE_READ:
[simterm]
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| PLEASE_READ        |
| information_schema |
| mysql              |
+--------------------+
[/simterm]
This database has one table with an even weirder name – WARNING:
[simterm]
MariaDB [(none)]> use PLEASE_READ;
Database changed
MariaDB [PLEASE_READ]> show tables;
+-----------------------+
| Tables_in_PLEASE_READ |
+-----------------------+
| WARNING               |
+-----------------------+
[/simterm]
Well… Maybe this is some warning about this server/database left by the previous admins/DevOps/developers?
Let's read its content:
[simterm]
MariaDB [PLEASE_READ]> select * from WARNING;
+----+-----------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+-------------------------+
| id | warning                                                                                                                                             | Bitcoin_Address                    | Email                   |
+----+-----------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+-------------------------+
|  1 | Send 0.5 BTC to this address and go to this site http://es7ocnlet5vyulh5.onion/ to recover your database! SQL dump will be available after payment! | 14UhC8s4hUUCmwT31RqVbDB7dgoBxT4oXg | [email protected]       |
+----+-----------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+-------------------------+
[/simterm]
Googling the email address “[email protected]” led me to this post:
https://www.guardicore.com/2017/02/0-2-btc-strikes-back-now-attacking-mysql-databases/
But that was only the very beginning of the whole story!
Further investigation found that:
- the MySQL root user had no password, and root had access from anywhere, i.e. 'root'@'%'
- all AWS EC2 instances running MariaDB have external IPs
- a single AWS Security Group used by all those instances has two Allow rules for ports 22 and 3306 from the 0.0.0.0 network…
[simterm]
MariaDB [mysql]> select host,password from user where user = 'root';
+-----------------------------+-----------+
| host                        | password  |
+-----------------------------+-----------+
| localhost                   |           |
| hostname.domain.com         |           |
| 127.0.0.1                   |           |
| %                           |           |
+-----------------------------+-----------+
[/simterm]
And access from anywhere on the Internet:
[simterm]
$ mysql -u root -h 52.***.***.37
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 55560
Server version: 10.1.17-MariaDB-1~xenial mariadb.org binary distribution

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
[/simterm]
Once again:
As a result, on 4 out of 11 DB servers all databases were wiped out.
On the other servers root had access only from localhost, and this is what saved their databases.
On one of the servers I saw a connection attempt in the general log before I disabled network access entirely for all those instances:
[simterm]
... 43293 Connect Access denied for user 'root'@'182.255.63.166' (using password: NO)
[/simterm]
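As an added example (not code from the original post), here is a small Python audit that flags the account setup found above (empty passwords, wildcard hosts, root reachable from non-local hosts) and counts the failed-login attempts per source IP from general-log lines in the format shown. The user rows and log lines are constructed to mirror the post's output.

```python
import re
from collections import Counter

# Constructed rows mirroring the post's `select host,password from user` output:
# every root account, including 'root'@'%', has an empty password. The 'app'
# row and its hash are made up to show a clean account producing no finding.
SAMPLE_USER_ROWS = [
    ("root", "localhost", ""),
    ("root", "hostname.domain.com", ""),
    ("root", "127.0.0.1", ""),
    ("root", "%", ""),
    ("app", "10.0.1.20", "*CONSTRUCTED_PASSWORD_HASH"),
]

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def audit_accounts(rows):
    """Return (user, host, finding) triples for accounts that need attention.

    rows are (user, host, password) as read from mysql.user. An empty password
    on a wildcard host is exactly the setup the attacker used; a superuser
    reachable from any non-local host is flagged as well.
    """
    findings = []
    for user, host, password in rows:
        if password == "":
            findings.append((user, host, "EMPTY_PASSWORD"))
        if "%" in host:
            findings.append((user, host, "WILDCARD_HOST"))
        if user == "root" and host not in LOCAL_HOSTS:
            findings.append((user, host, "REMOTE_ROOT"))
    return findings


# Constructed general-log excerpt; the second line copies the post's format.
SAMPLE_LOG = """\
43290 Query   select 1
43293 Connect Access denied for user 'root'@'182.255.63.166' (using password: NO)
43294 Connect Access denied for user 'root'@'182.255.63.166' (using password: YES)
43295 Connect Access denied for user 'admin'@'203.0.113.9' (using password: NO)
"""

DENIED_RE = re.compile(
    r"Access denied for user '([^']+)'@'([^']+)' \(using password: (YES|NO)\)"
)


def summarize_denied(log_text):
    """Count failed logins per (source host, user) from general-log text."""
    counts = Counter()
    for match in DENIED_RE.finditer(log_text):
        user, host, _ = match.groups()
        counts[(host, user)] += 1
    return counts
```

Run the audit against a real dump of `SELECT user, host, password FROM mysql.user` and against the general log to find the same exposure before an attacker does.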
The IP is registered in China, although this doesn't tell us much:
[simterm]
irt:            IRT-CYHADCL-CN
address:        UNIT 04,7/F,BRIGHT WAY TOWER,NO. 33 MONG KOK ROAD,KOWLOON, hong kong hong kong
e-mail:         [email protected]
abuse-mailbox:  [email protected]
admin-c:        KHNT2-AP
tech-c:         KHNT2-AP
auth:           # Filtered
mnt-by:         MAINT-CYHADCL-CN
[/simterm]
“It was a good day today” (c)