MySQL hacked

[Carol Haynes]

Yesterday my server was hacked.

The behaviour was malicious and basically went through every database on the MySQL server and changed all user names to admin and all passwords to a single password.

This must have happened via the MySQL server directly because it affected all databases on the server for all client accounts.

As far as I can see no other damage was done.

Does anyone have any idea how this could have happened and how to prevent future attacks?

Currently a backup is being restored from before the incident but I don't want to have to go through this again if I can avoid it.

[Ath]

Someone ran an 'update' query, but forgot the where clause? Or a buggy script?

Yeah, I'm an optimist 

[Carol Haynes]

I know it seems an odd thing to do deliberately??

I could understand websites being defaced or other malicious things to do - this just seems strange.

To the best of my knowledge no one has done any many SQL queries and all the databases are separated by user under CPanel and each has its own single user and unique strong password so how could a rogue script on  one user account affect the databases on all user accounts?

[Tinman57]

  Yep, could have been the server admin ran a buggy script to make changes or update the server files.  Or even perhaps the server admin typed in a wrong command or a command he/she shouldn't have.  You would think that if it was with malicious intent, your database would have been trashed, unless someone just wanted a copy of all the users data.  You should contact the server admin and ask what's happening, just in case....

[Carol Haynes]

I have - but a lot more malicious activity has occurred since.

FWIW I have lost total confidence in nativespace.co.uk - I have been using them for a number of years and am paying a premium price because they are doing daily backups offsite. Now turns out they take the money and don't do the backups.

Up shit creek in a big way.

[Tinman57]

I have - but a lot more malicious activity has occurred since.

FWIW I have lost total confidence in nativespace.co.uk - I have been using them for a number of years and am paying a premium price because they are doing daily backups offsite. Now turns out they take the money and don't do the backups.

Up shit creek in a big way.

-Carol Haynes (May 21, 2013, 02:29 AM)

This site may be of some help:

Additional resources: hacked sites
We understand that having your site hacked is extremely frustrating, and that the cleanup process can be difficult. Fortunately, there are a number of great articles, blogs, tools, and companies that can help you restore and secure your site. For the record, StopBadware does not curate or maintain these resources.

https://www.stopbadw...cked-sites-resources

[mouser]

I'm so sorry to hear of your site trouble carol -- it could happen to anyone.  Try to stay calm and just do what you can do.

[Carol Haynes]

Thanks - getting there slowly.

Not helped by the data centre not maintaining backups as promised.

Today they restored a backup from 2012!!! Then, having spent half the afternoon working on it, they suddenly restored all the corrupted websites again undoing everything I had achieved (well mostly as I was backing up as I went along).

Why does this sort of crap give script kiddies such a thrill - it isn't even as if they see me squirm! Bastards should be castrated!

[rgdot]

Not sure if mentioned already-  or if you want to - but I would be curious which host this is?

[Carol Haynes]

A VPS on nativespace.co.uk

[rgdot]

Thanks.

[Carol Haynes]

To be fair the hacking isn't their fault - part of it rests with me as I still have some websites using Joomla 1.5 because extensions I used are not available for 2.5 or 3 or it is going to be a massive undertaking to upgrade them because of built in forums or shopping carts and the site owners don't want to pay me to maintain or upgrade their website. I can't really afford to upgrade those sites gratis as it is going to be a lot of hours of work. As it stands I am going to make it clear that I have a clean copy as of today and if there is a problem in the future that is the site that will be put back if they don't want my support - alternatively they can make their own backups and then the ball is in their court!

To be honest I think the simplest solution is to move those sites to individual hosting solutions off my VPS and let them deal with the headaches rather than have them let hacking issues affect the whole server.

[barney]

To be honest I think the simplest solution is to move those sites to individual hosting solutions off my VPS and let them deal with the headaches rather than have them let hacking issues affect the whole server.

-Carol Haynes (May 21, 2013, 08:04 PM)

'Twould seem that to be the most efficacious solution in the future ... albeit not a resolution, per se, for the current situation.  Although, I am confused ... do those clients expect you to protect them from every little foible?  Or is that a thing you're contracted to do?  If the latter, you might want to reexamine your current business plan.    (Been there, to a lesser extent, and got savaged due to lack of real and proper planning upon my part.)

[Carol Haynes]

I offer clients ongoing support - which includes website updates and backups but some decline to take it. At the moment I am sorting things out for everyone as a goodwill gesture but I don't want to have to go through all this again so I need to make it clear to people who don't want my support what the future consequences are.