loading...

MySQL/MariaDB: like a Petya ransomware for MySQL and ‘root’@’%’ access

setevoy profile image Arseny Zinchenko Originally published at rtfm.co.ua on ・3 min read

This story happened on 10/06/2017, adding this post in English now. The original post (Rus) was written almost right after the well-known Not a Petya attack in Ukraine – that’s why it’s used in the title.

I had a new project assigned to me. When I started its existing setup investigation – was just shocked.

So.

A Data Science project, a bunch of MariaDB servers, each has from 10 to 150 databases.

During servers and their databases checking and by the way enabling the general log, suddenly I discovered that one server has no databases at all excluding one with a weird PLEASE_READ name:

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| PLEASE_READ        |
| information_schema |
| mysql              |
+--------------------+

This database has one table with even more weird name – WARNING:

MariaDB [(none)]> use PLEASE_READ;
Database changed
MariaDB [PLEASE_READ]> show tables;
+-----------------------+
| Tables_in_PLEASE_READ |
+-----------------------+
| WARNING               |
+-----------------------+

Well… Maybe there is some caution regarding this server/database from previous admins/devops/developers?

Read its content:

MariaDB [PLEASE_READ]> select * from WARNING;
+----+-----------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+-------------------------+
| id | warning                                                                                                                                             | Bitcoin_Address                    | Email                   |
+----+-----------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+-------------------------+
|  1 | Send 0.5 BTC to this address and go to this site http://es7ocnlet5vyulh5.onion/ to recover your database! SQL dump will be available after payment! | 14UhC8s4hUUCmwT31RqVbDB7dgoBxT4oXg | backupbase@mail2tor.com |
+----+-----------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------+-------------------------+

On the email box “backupservice@mail2tor.com” I googled the next post:

https://www.guardicore.com/2017/02/0-2-btc-strikes-back-now-attacking-mysql-databases/

But that was only the very beginning of the whole history!

On the next investigation found that:

  1. MySQL root was without password
  2. root has access from anywhere, i.e. 'root'@'%'
  3. every AWS EC2 instance with MariaDB server has external IPs
  4. a single AWS Security Groups used by all those instances has two Allow rules to ports 22 and 3306 from the 0.0.0.0 network…
MariaDB [mysql]> select host,password from user where user = 'root';
+-----------------------------+-----------+
| host                        | password  |
+-----------------------------+-----------+
| localhost                   |           |
| hostname.domain.com         |           |
| 127.0.0.1                   |           |
| %                           |           |
+-----------------------------+-----------+

And access from anywhere on the Internet:

$ mysql -u root -h 52.***.***.37
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 55560
...
MariaDB [(none)]>

Once again:

As a result – on 4 from 11 DB servers all databases were wiped out.

On other servers – root has access only from localhost – and this saved their databases.

On one of the servers I saw the connection attempt before I disabled network access at all for all those instances:

...
43293 Connect   Access denied for user 'root'@'182.255.63.166' (using password: NO)

China, although this doesn’t give anything:

irt:            IRT-CYHADCL-CN
address:        UNIT 04,7/F,BRIGHT WAY TOWER,NO. 33 MONG KOK ROAD,KOWLOON, hong kong hong kong
e-mail:         admin@kwaihingidc.com
abuse-mailbox:  admin@kwaihingidc.com
admin-c:        KHNT2-AP
tech-c:         KHNT2-AP
auth:           # Filtered
mnt-by:         MAINT-CYHADCL-CN

“It was a good day today” (c)

Similar posts

Posted on by:

setevoy profile

Arseny Zinchenko

@setevoy

DevOps, cloud and infrastructure engineer. Love Linux, OpenSource, and AWS.

Discussion

pic
Editor guide
 

I feel actual pain from reading this :O

 

I'm kind of amazed I hadn't heard of unsecured databases being held for ransom until now. Thanks for sharing!