FiveTech Software tech support forums

[Marc Vanzegbroeck]

Hi,

I just want to warn you that they also hack the SQL-databases.
I have some customers that use a Synology NAS. On that NAS you van install MariaDB.
That is working fine, and is a low cost server solution.

Yesterday a client contacted me tha my prograg give an error at startup.
I logged-in remotely, and to my suprice, if I open te SQL-database with HeidiSQL, my database was gone and an othe database was created, called PLEASE_READ_ME_XMG
In that that thatbase is 1 record with a field containing the text:

Code: Select all  Expand view

To recover your lost data : Send 0.045 BTC to our BitCoin Address and Contact us by eMail with your server IP Address or Domain Name and a Proof of Payment. Any eMail without your server IP Address or Domain Name and a Proof of Payment together will be ignored. Your File and DataBase is downloaded and backed up on our servers. If we dont receive your payment,we will delete your databases

Luckely the sustomer made a backup the day before, so I could restore the database.

Does anyone els had this problem?
How can I protect myself to that attact again? It's very strange, the didn't deleted or crypted the files on the NAS, only the SQL-data.

I googled the problem,and found:
https://draculaservers.com/tutorials/update-secure-phpmyadmin/
So probably a problem with phpMyAdmin, otherwise thay had to hack the password of the NAS, and the password of the database. If they had the password of the NAS, the would dhave deleted also the other files

[Otto]

Hello Marc,
it seems to me as the original database file is encrypted as a whole and instead a new one created.
I do not think you can prevent this situation.
For my servers I use my own Fivewin Anti-Ransomware
viewtopic.php?f=3&t=35900&p=213838&hilit=ransom#p213838
as extra protection.
I also found a product with which you can switch off the USB interface via a command call,
I only turn on the external hard drive during backup. I have seen many encrypted backups too.



We also load the backup logfiles into the company every day and check if the disks are changed and if the backups were successful.
If anyone is seriously interested in evolving develop of these safety features, then please report and contact me.

screenshot from our FIVEWIN backup monitor




Best regards
Otto

[Rick Lipkin]

Marc

Sounds like you got lucky .. however if your data was NOT encrypted your customers database may be visible to the attackers .. credit card info, addresses, phone numbers and the like may have been compromised ..

If that is the case if the data was NOT encrypted, you owe that information to your customer to let them know their data may be at risk.

Rick Lipkin

[Marc Vanzegbroeck]

Rick,

The database was password-protected (MariaDB-SQL). So I was hoping that was enough.
Since I use the Synology NAS, I couldn't verify the files, if they are crypted.
The files are stored on a place that can't be accessed to the customer or Admin-account.
I think there is a leak in 'phpMyAdmin'. With that program, I can manage the SQL-database on the NAS

Marc

Sounds like you got lucky .. however if your data was NOT encrypted your customers database may be visible to the attackers .. credit card info, addresses, phone numbers and the like may have been compromised ..

If that is the case if the data was NOT encrypted, you owe that information to your customer to let them know their data may be at risk.

Rick Lipkin

[Otto]

Hello,
therefore we use Data-at-Rest Encryption and we store the password in menory of the server.
So also if someone gets access to the files the files are endrypted.
Best regards
Otto

[horacio]

To avoid attacks it is important not to use the default port of mysql (3306). Assign another port and a strong password.

regards