All my databases have disappeared

impulse()
Forum Regular
Posts: 748
Joined: Wed Aug 09, 2006 8:36 am
Location: Staffordshire, UK

Post by impulse() »

All my databases have literally disappeared leaving me with only 'information_schema' & 'mysql'. Are there any known exploits going around at the moment? My system was up to date as I've used Yum a couple of nights ago. I didn't take any extra precaution to guard my system so my initial thoughts are that it was an attack. No important data was lost, it just all had sentimental value as it contained databases from when I started to learn MySQL so I feel really sad that they're all gone.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Did you change the default root user's password? Was it a strong one? Is the server set to accept remote connections? What have you done recently in the database?
impulse()
Forum Regular
Posts: 748
Joined: Wed Aug 09, 2006 8:36 am
Location: Staffordshire, UK

Post by impulse() »

The password was changed to a password that contains alpha-numeric data. My box seemed to be attack central though, everybody was having a crack at it. I had to install Denyhosts in the end because my error logs were being crowded with failed SSH logins.
I haven't added a database onto my system for over a week and the databases that were there were just counters and login/persons information.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

impulse() wrote: The password was changed to a password that contains alpha-numeric data. My box seemed to be attack central though, everybody was having a crack at it. I had to install Denyhosts in the end because my error logs were being crowded with failed SSH logins.
I haven't added a database onto my system for over a week and the databases that were there were just counters and login/persons information.

Actually this is quite normal. Bots generally crawl the net and try a whole dictionary of usernames and passwords; it's nothing to worry about if you have a strong password (mixture of casing, use a special character, numbers and letters).

When did you last back up the data?

Also, unlikely but is it possible something as stupid as the datadir has been changed?

Does the root user's history reveal anything? This would be unlikely if you were cracked by somebody who knew what they were doing.

After having similar things happen to me in the past it's just become common practice to me to do a remote backup once a day, and to change root passwords at least once a month to a random combination of characters.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

Are the table files really gone?
What files/directories are in your mysql data directory?
impulse()
Forum Regular
Posts: 748
Joined: Wed Aug 09, 2006 8:36 am
Location: Staffordshire, UK

Post by impulse() »

Hello.

MySQL data directory contains only 'mysql'. The other directories are gone.

I never thought this would happen so I didn't create any backup data.

I strongly believe it was an unskilled attack. I've tried to access phpMyAdmin (http://x.com/phpmyadmin) from my work computer and I'm able to create, edit and delete databases without any requirement for a username or password. I've also received an e-mail from the mail() function on my website that asks
"Your database is dead?"
No-one has ever used the e-mail function on my website before to send me an e-mail. Also that mail was sent shortly after a lack of activity on Apache's access log. I have the IP address of who I suspect did this but I suppose in the future I'll be glad this happened.

At least I've learned a lesson here and any future databases I create I will put my highest effort into securing them.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

...and remove phpMyAdmin.
impulse()
Forum Regular
Posts: 748
Joined: Wed Aug 09, 2006 8:36 am
Location: Staffordshire, UK

Post by impulse() »

Should I be setting it to only be accessible locally?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

If you must keep it, you have to adjust the security settings and place it in a completely unrelated directory. Bots regularly check for obvious locations like /phpmyadmin... and since you chose to leave it completely unsecured, it was only a matter of time before you had your database tampered with or downloaded.
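
An added example, not part of the thread or any poster's code: a triage pass over an Apache access log for the situation described above, listing remote hosts that were served phpMyAdmin pages without HTTP authentication and hosts that only probed for them. The log lines, the path aliases and the local-network list are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Assumed aliases to look for; use the path the server really exposes.
PMA_PATH_RE = re.compile(r'^/(?:phpmyadmin|pma|myadmin)(?:[/?]|$)', re.I)
# Networks treated as "local" here (assumption: loopback plus RFC 1918).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_local(host):
    """Hostnames (unparseable as an IP) are treated as remote."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)

def remote_pma_requests(lines):
    """Per remote host: phpMyAdmin requests served (2xx) with no HTTP-auth
    user in the log, and a count of requests answered 401/403/404."""
    report = defaultdict(lambda: {"served": [], "refused": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not PMA_PATH_RE.match(m["path"]) or is_local(m["host"]):
            continue
        if m["status"].startswith("2") and m["user"] == "-":
            report[m["host"]]["served"].append(
                (m["time"], m["method"], m["path"]))
        elif m["status"] in ("401", "403", "404"):
            report[m["host"]]["refused"] += 1
    return dict(report)

# Constructed sample lines (documentation address ranges), not from the thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2007:02:14:07 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [12/Mar/2007:02:15:31 +0000] "POST /phpmyadmin/sql.php HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.9 - - [12/Mar/2007:03:01:00 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 312 "-" "-"',
    '192.168.1.20 - - [12/Mar/2007:09:00:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.50 - admin [12/Mar/2007:09:05:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for host, r in remote_pma_requests(SAMPLE_LOG).items():
        print(host, "served:", len(r["served"]), "refused:", r["refused"])
```

A "served" entry means the page was delivered with no HTTP-auth user logged; where phpMyAdmin uses its cookie login, the login form itself also returns 200, so treat these entries as requests to review rather than proof of access.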
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Learn to use MySQL through the command line. phpMyAdmin is just another place to open up possible security holes.

Indeed, you have learned something. No server or website, regardless of significance or size, is safe from being exploited/attacked. I used to (on a very bad shared host) get web pages vandalised which were not even built fully yet. I've never been subjected to an attack on any of my databases (touch wood) but at least, if anything were to happen I would lose 24 hours at the very most. Very quickly upgrade anything significant after promptly changing all passwords and then keep an eye on things.