What kind of attack's are they trying? Have you tested your website with tools like:
You must be registered to see the links
,
You must be registered to see the links
,
You must be registered to see the links
, ect,ect ?3D-LOAD.NET ... Down??
- Thread starter Esens424
- Start date
I don't know, I know that somehow they manage to access phpmyadmin and manage to delete it, they also leave a message called "z_readme_to_recover" in the form of a SQL table, with on it that if I want to recover the database I have to pay 0.5 BTC, I think it's some kind of ramsomware, but I'm not sure, it could be SQL injection. I honestly don't know what to do, now I tried to change the password of the database with a much more complex one, I also wanted to try to encrypt the database but I'm not able to... I also thought that it could be some vulnerability of some wordpress plugin, thanks for the advice! I will try it, for now I'm making as many backups as possible
If they deleted your phpmyadmin, was that the files on the drive, or database settings?
You probably want to change your SSH password.
Also, double check that your mysql db port isn't publicly available.
Rename your phpmyadmin web address to something other than /phpmyadmin
Put a .htaccess file in your phpmyadmin folder
You probably want to change your SSH password.
Also, double check that your mysql db port isn't publicly available.
Rename your phpmyadmin web address to something other than /phpmyadmin
Put a .htaccess file in your phpmyadmin folder
No, they don't delete the phpmyadmin folder or touch any mariadb or phpmyadmin settings (my.cfn), they just delete the database. The server root password is very complex i doubt they got in, also i have Fail2ban active and firewalld. of whether it's public or not this i don't know, i might try changing phpmyadmin port and putting .htaccess. thanks for all the advice!
It may be useless as you may have covered all the point's mentioned but just in case "
You must be registered to see the links
"in SSH:
netstat -tlpn | grep 3306
That will list all programs and bound IPs for any listening port on the default mysql (mariadb) port.
If you see something like :::3306 that means it's publicly available.
It should only ever be an explicitly localhost address (i.e. 127.0.0.1 or the IPv6 equivalent).
This is configured in the /etc/mysql/mariadb.conf.d/50-server.cnf file (on debian - I assume debian, since you're using mariadb), it is the "bind-address" option.
If you're remotely using a DB tool like MySQL Workbench (also works with mariadb), then you have to use "Standard TCP/IP over SSH" connection method.
Though it does sound like an SQL Injection, through some vulnerable code you've got installed.
You could permanently remove that possibility if you were also willing to disable comments/user logins (Use a 3rd party service instead).
You'd do it by having a second hidden website (like admin.3d-load.net, perhaps not so obvious) that is guarded by a .htaccess, and possible IP restrictions.
This install would have write-permissions for it's db user, and it would point to the same database.
The public version db username would have completely read-only permissions.
it appear in this way, does't appear to be public, I think
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 32407/mariadbd
For now I have disabled phpmyadmin access, meaning it brings back 404 page if you try to navigate to /phpmyadmin/
I see, so SQL injection happens through vulnerability of some portions of the site comments or forms? in case if it happens again I send a picture, but changing the password to the database could not solve the problem? because to access the profile you still need a password and a username.
however thinking about it this problem appeared since I changed server, could this be the problem as well? if yes changing machine could solve it?
I'm using Centos 7 with vestacp as a panel, unfortunately vestacp has all the configuration files wrong, it should be in /etc/my.cnf
this is my configuration:
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0
bind-address=127.0.0.1
skip-external-locking
skip-grant-tables
key_buffer_size = 256M
max_allowed_packet = 32M
table_open_cache = 256
sort_buffer_size = 1M
read_buffer_size = 1M
read_rnd_buffer_size = 4M
myisam_sort_buffer_size = 64M
thread_cache_size = 8
query_cache_size= 64M
query_cache_limit = 1M
thread_concurrency = 8
tmp_table_size=64M
max_heap_table_size=64M
skip-name-resolve
slow-query-log=1
slow-query-log-file= /var/lib/mysql/mysql-slow-query.log
long-query-time=1
innodb-buffer-pool-size=26G
innodb_buffer_pool_instances=8
default-storage-engine=INNODB
[mariadb]
plugin_load_add = server_audit
server_audit=FORCE_PLUS_PERMANENT
server_audit_file_path=/var/log/mysql/mariadb-audit.log
server_audit_logging=ON
#innodb_use_native_aio = 0
innodb_file_per_table
max_connections=250
max_user_connections=50
wait_timeout=10
interactive_timeout=50
long_query_time=5
#slow_query_log=1
#slow_query_log_file=/var/log/mysql-slow-queries.log
[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid
#
# include all files from the config directory
#
!includedir /etc/my.cnf.d
You have the correct setting. That port is not public.
The SQL-Injection could be happening in any part. Depends on where the vulnerability is located.
Changing the password may not work, because you provide the password to wordpress, and some part of wordpress may be vulnerable to SQL Injection (bypasses any wordpress authentication).
It appears to be a non-targeted attack (ransom hack).
The hackers are probably scanning a certain range of IP addresses for vulnerabilities, which your new server's IP address is in, but your old server wasn't.
The extreme solution I posted above just removes any ability for (the public site) wordpress to change the database (legitimate or sql injection).
You would have to have a second locked-down website with db-write permissions (on same server) that is for your use only, so that you can make new posts.
Making the publicly viewable website use a different readonly db-user would just have the side-effect of disabling logins and user comments. It does not mean that the comments are the cause.
Ok it's been two days and couldn't hack the database thank you for the help, I really appreciate it!
They were probably accessing through phpmyadmin, but now that I disabled access they can't anymore
I was going to write it, thanks for the report, unfortunately it's not my fault I will try to fix it, maybe it is temporary
There is a server maintenance going on, it should be back up and running within 60 minutes
edit: 180 minutes instead 60
edit: 180 minutes instead 60
Last edited:
- Jul 31, 2018
- 562
- 894
Just testing, I forgot to change it again
if possible I would like to make it so that you can choose the theme preferred theme
if possible I would like to make it so that you can choose the theme preferred theme
Can you tell me if the site is working? Does it give you error 500? The loading speed seem to have improved?
Last edited: