MySql server compromised

#1 | Just Joined! | Join Date: May 2009 | Location: South Africa | Posts: 30

    Hi! My Linux server, which is running my company website, has been hacked. Today I saw a number of clients (customers) with some fun character entries in my database. Access denial on real clients. Please assist; I am running Linux Ubuntu 9. I think my server is hacked. How do I close the loopholes and see which area the hacker entered through?

#2 | Irithori (Trusted Penguin) | Join Date: May 2009 | Location: Munich | Posts: 3,444
    Quote: "How do I close the loopholes and see which area the hacker entered through?"
    Unless there is a file integrity scanner in place and well maintained: no way to be sure what was changed/modified.
    What you can do is to trace logfiles and try to figure out how you were attacked.

    If that is indeed the case.
    Strange characters on a site can as well be wrong encoding, update issues, user error, hardware failure, etc.


    However, if you find evidence of intrusion: disconnect the machine from network.
    Install a new one, configure it, check data before you copy it to the new machine.
    You must always face the curtain with a bow.

#3 | Just Joined! | Join Date: May 2009 | Location: South Africa | Posts: 30
    The strange character only appears in the clients' names, but the site itself is fine. The intrusion is on the MySQL (maybe a MySQL injection). The client username, for instance, is perfectpol and then the fun character is added like this: *#^^perfectpol. The real clients are now no longer able to log in to the site.

    How do I install that file integrity checker on Ubuntu?

#4 | Irithori (Trusted Penguin) | Join Date: May 2009 | Location: Munich | Posts: 3,444
    After an intrusion, an installation of a file integrity scanner is pointless.
    Also, it wouldn't help for an SQL injection.
    To prevent that, input from any source (web, command line, etc.) must be checked and sanitized before an SQL update or insert.


    OK, if you are sure that it is an attack and not some code malfunction,
    then see above: disconnect, install another box, configure, import clean data.

    And in parallel: find out how you were attacked and close that hole.
    You must always face the curtain with a bow.
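The "checked and sanitized before an SQL update or insert" advice above, shown as an added example that is not code from the thread or from any poster. SQLite stands in for MySQL because the thread never shows the real schema or the web application's language; the `clients` table, the sample accounts and the `username_is_valid` whitelist are this example's own assumptions. It contrasts a lookup that splices the username into the SQL text with one that binds it as a parameter, and shows how the corrupted name from the thread would be rejected by a simple whitelist.

```python
import re
import sqlite3

# Whitelist for usernames: only the characters the application actually needs.
# (Assumption: the real site's username rules are not given in the thread.)
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def username_is_valid(username):
    # Input check: reject anything outside the whitelist before it reaches SQL.
    return bool(USERNAME_RE.match(username))


def make_db():
    # Constructed in-memory "clients" table with two sample accounts.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (username TEXT PRIMARY KEY, active INTEGER)")
    conn.executemany("INSERT INTO clients VALUES (?, ?)",
                     [("perfectpol", 1), ("alice", 1)])
    conn.commit()
    return conn


def lookup_concatenated(conn, username):
    # Vulnerable pattern: the input is spliced into the SQL text, so a quote
    # character changes the statement itself instead of being compared as data.
    sql = "SELECT username FROM clients WHERE username = '" + username + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_parameterized(conn, username):
    # Hardened pattern: placeholder plus bound parameter. The driver passes the
    # value separately from the statement, so every character in it is data.
    row = conn.execute("SELECT username FROM clients WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    results = {}
    results["plain"] = lookup_parameterized(conn, "perfectpol")
    # The corrupted name from the thread is just another literal: no match.
    results["odd_chars"] = lookup_parameterized(conn, "*#^^perfectpol")
    # A quote in the input breaks the concatenated statement outright.
    try:
        lookup_concatenated(conn, "o'brien")
        results["concat_quote"] = "ok"
    except sqlite3.OperationalError as exc:
        results["concat_quote"] = "syntax error: " + str(exc)
    # The same input is harmless when bound as a parameter.
    results["param_quote"] = lookup_parameterized(conn, "o'brien")
    # The whitelist accepts the real name and rejects the corrupted one.
    results["validated"] = [username_is_valid(u)
                            for u in ("perfectpol", "*#^^perfectpol")]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The two defences are complementary: the parameterized query is what actually stops the SQL structure from being altered, while the whitelist keeps junk such as `*#^^perfectpol` out of the table in the first place and gives you a clean place to log rejected input.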

#5 | Just Joined! | Join Date: May 2006 | Posts: 73
    Did you change the default admin password on MySQL? Every hacker in the world knows the default password. They will also try various commonly used passwords so the new admin password for MySQL needs to be reasonably strong.

    It's possible your database was actually corrupted rather than hacked. In either case you need to pull up your latest backup and overwrite the damaged database. Save off a copy first as you might be able to salvage some of the transactions since your last backup and restore them.

    Depending on your logging levels with MySQL, and assuming that you're using Apache since you said a possible injection attack, you should see the attack taking place in the logs. Note the IP address if it is a single IP address and ban that IP, as well as contacting the ISP that owns that IP address to let them know your machine was attacked from there. Install fail2ban as well, as you might be systematically attacked.

    Here is a basic howto on securing MySQL:
    MySQL :: MySQL 5.0 Reference Manual :: 2.18.2 Securing the Initial MySQL Accounts
    Close the firewall for MySQL and/or airgap your server until you've secured it. Set up a log watch utility to watch your MySQL and Apache logs for a time to alert you to further attacks.

    In this case, using intrusion detection software like snort will not be much help because the database files are constantly modified, and the danger is not that they are modified but how they are modified/by whom they are modified. Intrusion detection software is a must, however, on production servers. snort and aide are two of the better ones. Both can be found in the repositories of almost every major distro. So too is chkrootkit, run as a cron job every day, and you want to actually check the security logs every day as well on an outward-facing production server like this, /var/log/security being one of the more important log files to watch.
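The log review this post recommends, as an added example that is not code from the thread or from any poster: it parses Apache access-log lines, decodes each request's query string, flags requests carrying SQL meta-characters or keywords, and counts hits per client IP so a repeat offender stands out from a one-off. The log lines are constructed (addresses from the documentation ranges), the "combined" log format is assumed, and the indicator pattern and threshold are this example's own choices.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" log format (assumption: the server uses the default
# CustomLog combined). Only the fields this triage needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Coarse indicators: quote characters, SQL comment markers, common keywords.
# This is a triage heuristic, not a parser, so expect some false positives.
SQLI_RE = re.compile(r"""['"]|--|/\*|\b(union|select|insert|update|delete|drop)\b""",
                     re.IGNORECASE)

# Constructed sample lines (not from the thread). 203.0.113.7 probes the login
# form repeatedly; 198.51.100.12 is a real user whose name has an apostrophe.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2009:13:55:36 +0200] "GET /login.php?user=perfectpol HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2009:13:55:40 +0200] "GET /login.php?user=perfectpol%27 HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2009:13:55:44 +0200] "GET /login.php?user=perfectpol%27-- HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2009:13:55:49 +0200] "GET /login.php?user=perfectpol%27%2F%2A HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2009:13:55:53 +0200] "GET /login.php?user=x%22 HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
    '198.51.100.12 - - [10/May/2009:14:01:02 +0200] "GET /login.php?user=o%27brien HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.12 - - [10/May/2009:14:01:30 +0200] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


def parse_line(line):
    # Return a dict of fields plus the decoded query string, or None if the
    # line is not in combined format.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = unquote_plus(rec["url"].partition("?")[2])
    return rec


def is_suspicious(query):
    # True when the decoded query string carries any SQL indicator.
    return bool(SQLI_RE.search(query))


def suspicious_by_ip(lines):
    # Count flagged requests per client address.
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec["query"]):
            counts[rec["ip"]] += 1
    return counts


def ips_over_threshold(counts, threshold=3):
    # Addresses with enough flagged requests to be worth blocking or reporting.
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = suspicious_by_ip(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(ip, n)
    print("review:", ips_over_threshold(hits))
```

Run against a real `access.log` by replacing `SAMPLE_LOG` with the file's lines. The per-IP threshold is what keeps the legitimate `o'brien` request from being treated like the probing host; a single hit is worth a look, a cluster from one address is what you report to the ISP or hand to fail2ban.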
