MySQL/MariaDB: like Petya ransomware for MySQL and ‘root’@’%’ access

By | 04/03/2019
 

This story happened on 10/06/2017; I am adding this post in English now. The original post (in Russian) was written almost right after the well-known NotPetya attack in Ukraine, which is why it is referenced in the title.

I had a new project assigned to me. When I started investigating its existing setup, I was just shocked.

So.

A Data Science project: a bunch of MariaDB servers, each with 10 to 150 databases.

While checking the servers and their databases (and enabling the general log along the way), I suddenly discovered that one server had no databases at all, except one with the weird name PLEASE_READ:

[simterm]

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| PLEASE_READ        |
| information_schema |
| mysql              |
+--------------------+

[/simterm]

This database has one table with an even weirder name, WARNING:

[simterm]

MariaDB [(none)]> use PLEASE_READ;

Database changed
MariaDB [PLEASE_READ]> show tables;
+-----------------------+
| Tables_in_PLEASE_READ |
+-----------------------+
| WARNING               |
+-----------------------+

[/simterm]

Well… maybe it is some caution note about this server/database left by previous admins/DevOps/developers?

Let's read its content:

[simterm]

MariaDB [PLEASE_READ]> select * from WARNING;
+----+-----------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+-------------------------+
| id | warning                                                                                                                                             | Bitcoin_Address                    | Email                   |
+----+-----------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+-------------------------+
|  1 | Send 0.5 BTC to this address and go to this site http://es7ocnlet5vyulh5.onion/ to recover your database! SQL dump will be available after payment! | 14UhC8s4hUUCmwT31RqVbDB7dgoBxT4oXg | [email protected] |
+----+-----------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+-------------------------+

[/simterm]

Googling the email address “[email protected]” led me to the following post:

https://www.guardicore.com/2017/02/0-2-btc-strikes-back-now-attacking-mysql-databases/

But that was only the very beginning of the whole story!

Further investigation found that:

  1. the MySQL root user had no password
  2. root had access from anywhere, i.e. 'root'@'%'
  3. all AWS EC2 instances running MariaDB had external (public) IPs
  4. a single AWS Security Group used by all those instances had two Allow rules for ports 22 and 3306 from the 0.0.0.0 network, i.e. from anywhere…

[simterm]

MariaDB [mysql]> select host,password from user where user = 'root';
+-----------------------------+-----------+
| host                        | password  |
+-----------------------------+-----------+
| localhost                   |           |
| hostname.domain.com         |           |
| 127.0.0.1                   |           |
| %                           |           |
+-----------------------------+-----------+

[/simterm]

And access from anywhere on the Internet:

[simterm]

$ mysql -u root -h 52.***.***.37
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 55560
Server version: 10.1.17-MariaDB-1~xenial mariadb.org binary distribution

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

[/simterm]

Once again:

As a result, on 4 of the 11 DB servers all databases were wiped out.

On the other servers root had access only from localhost, and this saved their databases.
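The check that would have caught this configuration, and the fix for the root entries shown above, as an added example (not from the original post). It assumes MariaDB 10.1 as in the post, where the password hash lives in mysql.user.password; the password value and the 'hostname.domain.com' host are placeholders.

```sql
-- Audit: accounts that accept connections from any host ('%'),
-- accounts with an empty password, and anonymous accounts.
-- Assumes MariaDB 10.1 (mysql.user.password holds the hash).
SELECT user, host, plugin,
       (password = '') AS empty_password,
       (host = '%')    AS any_host
FROM mysql.user
WHERE host = '%' OR password = '' OR user = ''
ORDER BY user, host;
-- Caveat: accounts authenticated by a plugin (e.g. unix_socket) show an
-- empty password but are not passwordless; check the plugin column
-- before treating them as findings.

-- Remediation for the four root entries seen on the affected server:
-- drop the remotely reachable ones, set a password on the local ones.
-- 'hostname.domain.com' is a placeholder for the server's own FQDN.
DROP USER 'root'@'%';
DROP USER 'root'@'hostname.domain.com';
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('REPLACE_WITH_STRONG_PASSWORD');
SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('REPLACE_WITH_STRONG_PASSWORD');
FLUSH PRIVILEGES;
-- Not SQL, but part of the same fix: set bind-address=127.0.0.1 (or the
-- private IP) in my.cnf and remove the 0.0.0.0/0 rule for 3306 from the
-- Security Group, so an account mistake alone can no longer expose the server.
```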

On one of the servers I saw a connection attempt before I disabled network access completely for all those instances:

[simterm]

...
43293 Connect   Access denied for user 'root'@'182.255.63.166' (using password: NO)

[/simterm]

China, although this doesn't tell us much:

[simterm]

irt:            IRT-CYHADCL-CN
address:        UNIT 04,7/F,BRIGHT WAY TOWER,NO. 33 MONG KOK ROAD,KOWLOON, hong kong hong kong
e-mail:         [email protected]
abuse-mailbox:  [email protected]
admin-c:        KHNT2-AP
tech-c:         KHNT2-AP
auth:           # Filtered
mnt-by:         MAINT-CYHADCL-CN

[/simterm]

“It was a good day today” (c)