All my databases have disappeared
Posted: Fri Nov 17, 2006 7:09 pm
by impulse()
All my databases have literally disappeared, leaving me with only 'information_schema' & 'mysql'. Are there any known exploits going around at the moment? My system was up to date as I've used Yum a couple of nights ago. I didn't take any extra precaution to guard my system so my initial thoughts are that it was an attack. No important data was lost, it just all had sentimental value as it contained databases from when I started to learn MySQL so I feel really sad that they're all gone.
Posted: Sat Nov 18, 2006 12:03 am
by feyd
Did you change the default root user's password? Was it a strong one? Is the server set to accept remote connections? What have you done recently in the database?
Posted: Sat Nov 18, 2006 3:46 am
by impulse()
The password was changed to a password that contains alpha-numeric data. My box seemed to be attack central though, everybody was having a crack at it. I had to install Denyhosts in the end because my error logs were being crowded with failed SSH logins.
I haven't added a database onto my system for over a week and the databases that were there were just counters and login/persons information.
Posted: Sat Nov 18, 2006 6:47 am
by Chris Corbyn
impulse() wrote: The password was changed to a password that contains alpha-numeric data. My box seemed to be attack central though, everybody was having a crack at it. I had to install Denyhosts in the end because my error logs were being crowded with failed SSH logins.
I haven't added a database onto my system for over a week and the databases that were there were just counters and login/persons information.
Actually this is quite normal. Bots generally crawl the net and try a whole dictionary of usernames and passwords; it's nothing to worry about if you have a strong password (mixture of casing, use a special character, numbers and letters).
When did you last back up the data?
Also, unlikely but is it possible something as stupid as the datadir has been changed?
Does the root user's history reveal anything? This would be unlikely if you were cracked by somebody who knew what they were doing.
After having similar things happen to me in the past it's just become common practice to me to do a remote backup once a day, and to change root passwords at least once a month to a random combination of characters.
Posted: Sat Nov 18, 2006 8:54 am
by volka
Are the table files really gone?
What files/directories are in your mysql data directory?
Posted: Sat Nov 18, 2006 9:37 am
by impulse()
Hello.
MySQL data directory contains only 'mysql'. The other directories are gone.
I never thought this would happen so I didn't create any backup data.
I strongly believe it was an unskilled attack. I've tried to access phpMyAdmin (http://x.com/phpmyadmin) from my work computer and I'm able to create, edit and delete databases without any requirement for a username or password. I've also received an e-mail from the mail() function on my website that asks:
"Your database is dead?"
No-one has ever used the e-mail function on my website before to send me an e-mail. Also that mail was sent shortly after a lack of activity on Apache's access log. I have the IP address of who I suspect did this but I suppose in the future I'll be glad this happened.
At least I've learned a lesson here and any future databases I create I will put my highest effort into securing them.
Posted: Sat Nov 18, 2006 9:59 am
by feyd
...and remove phpMyAdmin.
Posted: Sat Nov 18, 2006 10:06 am
by impulse()
Should I be setting it to only be accessible locally?
Posted: Sat Nov 18, 2006 10:12 am
by feyd
If you must keep it, you have to adjust the security settings and place it in a completely unrelated directory. Bots regularly check for obvious locations like /phpmyadmin... and since you chose to leave it completely unsecured, it was only a matter of time before you had your database tampered with or downloaded.
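An added example, not part of the original thread: one way to check an Apache access log for what this thread describes, phpMyAdmin answering remote clients with no HTTP login recorded. The log lines are constructed, and the path patterns beyond /phpmyadmin and the list of "local" networks are assumptions to adjust for your own setup.

```python
import ipaddress
import re
from collections import defaultdict

# Apache common/combined format: host ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Assumed locations; the thread itself only names /phpmyadmin.
PMA_RE = re.compile(r'^/(phpmyadmin[^/?]*|pma)(/|\?|$)', re.IGNORECASE)
# Assumed definition of "local": loopback and RFC 1918 ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]

def is_remote(host):
    """True unless the client address is in LOCAL_NETS (hostnames count as remote)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(ip in net for net in LOCAL_NETS)

def unauthenticated_pma_hits(lines):
    """Map client -> [(time, method, path)] for remote phpMyAdmin requests
    answered 2xx while the log's auth-user field is empty ('-')."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PMA_RE.match(m["path"]):
            continue
        if m["status"].startswith("2") and m["user"] == "-" and is_remote(m["host"]):
            hits[m["host"]].append((m["time"], m["method"], m["path"]))
    return dict(hits)

# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:14:02:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 4312 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [01/Jan/2024:14:02:40 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1841 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [01/Jan/2024:15:10:05 +0000] "GET /pma/ HTTP/1.1" 404 289 "-" "-"',
    '192.168.0.10 - - [01/Jan/2024:16:00:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Jan/2024:15:10:06 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - admin [01/Jan/2024:17:00:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, reqs in unauthenticated_pma_hits(SAMPLE_LOG).items():
        print(client, len(reqs), "request(s):", [p for _, _, p in reqs])
```

The auth-user field only reflects HTTP authentication, so an install using phpMyAdmin's own cookie login will also show 2xx responses on its login page; treat a hit as "reachable from outside" and then confirm which authentication setting is in use.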
Posted: Sat Nov 18, 2006 12:00 pm
by Chris Corbyn
Learn to use MySQL through the command line. phpMyAdmin is just another place to open up possible security holes.
Indeed, you have learned something. No server or website, regardless of significance or size, is safe from being exploited/attacked. I used to (on a very bad shared host) get web pages vandalised which were not even built fully yet. I've never been subjected to an attack on any of my databases (touch wood) but at least, if anything were to happen I would lose 24 hours at the very most. Very quickly upgrade anything significant after promptly changing all passwords and then keep an eye on things.