
MariaDB/MySQL security breach - hijacked ransomware

A set of PHP-scripts to manage MySQL over the web.

Postby krunchynug8 » Thu Jun 11, 2020 9:25 am

This was installed from the official Asustor App Central.
I just updated the MariaDB app this morning and was greeted with this message.
Ransom demand to release my database in phpMyAdmin. My databases were deleted.

I don't believe how blatantly this happened. <strike>How did they get access to the official Asustor App Central to inject this?</strike> :evil:



{-------------------UPDATE----------------------}
Looks like this is what happened to me
https://www.scmagazineuk.com/hackers-hi ... le/1475201

I guess it was because I had the default asustor admin and pass set for phpMyAdmin.
It was probably a botnet scanning through my exposed ports.
I should be more careful from now on.

Let this be a lesson to those reading this.
Protect your database and harden it:
https://draculaservers.com/tutorials/up ... phpmyadmin
https://www.ispsystem.com/news/please-r ... ing-attack

It was a mere coincidence that Asustor released an update to MariaDB just the same day that I got attacked.
I believe the APP Central was not to blame for this.
If the admins decide to take this post down, by all means please do.
Last edited by krunchynug8 on Mon Jun 15, 2020 12:02 pm, edited 3 times in total.
krunchynug8
 
Posts: 12
Joined: Thu May 28, 2020 1:30 pm

Re: Official APP Central - MariaDB app security breach

Postby krunchynug8 » Thu Jun 11, 2020 9:54 am

Link to the infected app uploaded online.
MariaDB v10.0.28.r28 uploaded 2020-06-10

https://send.firefox.com/download/820f4 ... QLfoT4q7iQ
krunchynug8
 
Posts: 12
Joined: Thu May 28, 2020 1:30 pm

Re: Official APP Central - MariaDB app security breach

Postby ilike2burnthing » Thu Jun 11, 2020 10:29 am

What makes you think that the issue is on Asustor's end and not yours?

Your version is the same as available from Asustor, which clears VirusTotal and Hybrid Analysis scans (ignoring the broken MetaDefender results). That doesn't mean it's not malicious of course, just raises a lot of doubt.
ilike2burnthing
 
Posts: 173
Joined: Thu Apr 09, 2020 8:01 pm

Re: Official APP Central - MariaDB app security breach

Postby krunchynug8 » Thu Jun 11, 2020 10:35 am

For one, I installed it from the official Asustor App Central.
Second, it is also showing up on the official Asustor website. The previous version was r21.
Third, you can install it from your App Central and find out, or you could check if r28 shows up in your App Central and report here.

Also I think it is a modified copy of the database and not a script or batch or virus that it will be detected in virus scans. It is way too simple to be detected as a virus.
How do you suggest the issue is on my end? Because I did not side load this app or upload it from an unofficial source.
My database was perfect before updating.
I am just trying to warn everyone so that no one else gets their databases destroyed.
Last edited by krunchynug8 on Thu Jun 11, 2020 10:38 am, edited 1 time in total.
krunchynug8
 
Posts: 12
Joined: Thu May 28, 2020 1:30 pm

Re: Official APP Central - MariaDB app security breach

Postby orion » Thu Jun 11, 2020 10:38 am

WOW! :o
You do not enable MariaDB remote access (same as me). Did you enable ADM access from internet? If yes, someone can guess your admin's password to hijack your NAS.
orion
 
Posts: 3066
Joined: Wed May 29, 2013 11:09 am

Re: Official APP Central - MariaDB app security breach

Postby krunchynug8 » Thu Jun 11, 2020 10:42 am

Yes, my remote access is always switched off for MariaDB, and yes, remote ADM access is turned on.
I have the regular root account turned off and use my custom username, and have the firewall set up to block access from all regions except Australia.
Just checked my connection logs; nothing suspicious there.

Also, can someone get me the previous APK r21 so that I can get MariaDB back up and running and remove this new infected app?
krunchynug8
 
Posts: 12
Joined: Thu May 28, 2020 1:30 pm

Re: Official APP Central - MariaDB app security breach

Postby ilike2burnthing » Thu Jun 11, 2020 11:36 am

None of those facts preclude the chance that the issue is on your end though. Don't get me wrong, it could be that Asustor was hacked, or some disgruntled employee did it, I just kinda doubt it.

Previous version - http://appdownload.asustor.com/0010_999 ... x86-64.apk (this may get updated automatically though)

You can see all apps here - http://appdownload.asustor.com/

As Orion said, it could be that someone gained access to your NAS or account. Have you checked - https://haveibeenpwned.com/ ? Granted, that's not the only way for your details to end up in the hands of someone who means you harm.

It could also be due to an insecure network or NAS setup, though your last comment suggests not the latter, and the former is very unlikely.

Have you run a variety of malware scans on all local devices?
ilike2burnthing
 
Posts: 173
Joined: Thu Apr 09, 2020 8:01 pm

Re: Official APP Central - MariaDB app security breach

Postby krunchynug8 » Thu Jun 11, 2020 11:47 am

You are right. It might be on my end. I am doing some following up on my end. Erased the ransom entry from my database.
Installed r28 and logged in; that entry was not recreated.
I am running scans to see if I come up with anything.

Will keep you posted.
Thanks
krunchynug8
 
Posts: 12
Joined: Thu May 28, 2020 1:30 pm

Re: Official APP Central - MariaDB app security breach

Postby krunchynug8 » Thu Jun 11, 2020 1:17 pm

Looks like this is what happened to me
https://www.scmagazineuk.com/hackers-hi ... le/1475201

I guess it was because I had the default asustor admin and pass set for phpMyAdmin.
It was probably a botnet scanning through my exposed ports.
I should be more careful from now on.

Let this be a lesson to those reading this.
Protect your database and harden it:
https://draculaservers.com/tutorials/up ... phpmyadmin
https://www.ispsystem.com/news/please-r ... ing-attack

It was a mere coincidence that Asustor released an update to MariaDB just the same day that I got attacked.
I'll add an UPDATE to post no 1
krunchynug8
 
Posts: 12
Joined: Thu May 28, 2020 1:30 pm
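
An added example, not part of any post in this thread: a SQL audit for the cause identified above (a database login left at its default password and reachable through phpMyAdmin), written for the MariaDB 10.0 series named in the thread. It assumes phpMyAdmin logs in with MariaDB accounts, that you are connected as an administrative user, and that `@default_pw` is replaced with the vendor default for your device; the account name `'root'@'localhost'` and both placeholder strings are assumptions.

```sql
-- Added example. Placeholder: put the vendor-default password of your
-- device here. The value below is deliberately not a real password.
SET @default_pw = 'REPLACE_WITH_VENDOR_DEFAULT';

-- 1. List every account that has no password, still uses the default
--    password, or may connect from a host other than the NAS itself.
--    Note: an account using a non-password plugin (e.g. unix_socket)
--    also shows an empty Password column; check the plugin column.
SELECT User,
       Host,
       plugin,
       Password = ''                                 AS empty_password,
       Password = PASSWORD(@default_pw)              AS default_password,
       Host NOT IN ('localhost', '127.0.0.1', '::1') AS remote_allowed
FROM   mysql.user
WHERE  Password = ''
   OR  Password = PASSWORD(@default_pw)
   OR  Host NOT IN ('localhost', '127.0.0.1', '::1')
ORDER  BY User, Host;

-- 2. Confirm whether the server accepts TCP connections at all.
--    ON means only local socket connections are possible.
SHOW VARIABLES LIKE 'skip_networking';

-- 3. Replace the password on each account flagged in step 1.
--    'root'@'localhost' is an assumed account name; use the User/Host
--    pairs returned above.
SET PASSWORD FOR 'root'@'localhost' =
    PASSWORD('REPLACE_WITH_LONG_RANDOM_PASSWORD');

-- 4. Re-run the query from step 1; it should return no rows with
--    empty_password = 1 or default_password = 1.
```

Changing the database password does not remove the exposure itself: phpMyAdmin reachable from the internet remains a target for the kind of automated scanning described in the post.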

Re: Official APP Central - MariaDB app security breach

Postby ilike2burnthing » Thu Jun 11, 2020 9:16 pm

Glad you found the issue. Hopefully nothing irreparable was lost and nothing sensitive was breached.
ilike2burnthing
 
Posts: 173
Joined: Thu Apr 09, 2020 8:01 pm
