This was installed from the official Asustor App Central.
I just updated the MariaDB app this morning and was greeted with this message.
Ransom demand to release my database in phpMyAdmin. My databases were deleted.
I don't believe how blatantly this happened. <strike>How did they get access to the official Asustor App Central to inject this?</strike>
{-------------------UPDATE----------------------}
Looks like this is what happened to me
https://www.scmagazineuk.com/hackers-hi ... le/1475201
I guess it was because I had the default Asustor admin and pass set for phpMyAdmin.
It was probably a botnet scanning through my exposed ports.
I should be more careful from now on.
Let this be a lesson to those reading this.
Protect your database and harden it:
https://draculaservers.com/tutorials/up ... phpmyadmin
https://www.ispsystem.com/news/please-r ... ing-attack
It was a mere coincidence that Asustor released an update to MariaDB just the same day that I got attacked.
I believe the APP Central was not to blame for this.
If the admins decide to take this post down, by all means please do.
MariaDB/MySQL security breach - hijacked ransomware
-
- Posts: 12
- Joined: Thu May 28, 2020 1:30 pm
MariaDB/MySQL security breach - hijacked ransomware
Last edited by krunchynug8 on Mon Jun 15, 2020 12:02 pm, edited 3 times in total.
-
- Posts: 12
- Joined: Thu May 28, 2020 1:30 pm
Re: Official APP Central - MariaDB app security breach
Link to the infected app uploaded online.
MariaDB v10.0.28.r28 uploaded 2020-06-10
https://send.firefox.com/download/820f4 ... QLfoT4q7iQ
-
- Posts: 396
- Joined: Thu Apr 09, 2020 8:01 pm
Re: Official APP Central - MariaDB app security breach
What makes you think that the issue is on Asustor's end and not yours?
Your version is the same as available from Asustor, which clears VirusTotal and Hybrid Analysis scans (ignoring the broken MetaDefender results). That doesn't mean it's not malicious of course, just raises a lot of doubt.
-
- Posts: 12
- Joined: Thu May 28, 2020 1:30 pm
Re: Official APP Central - MariaDB app security breach
For one, I installed it from the official Asustor App Central.
Second, it is also showing up on the official Asustor website. The previous version was r21.
Third, you can install it from your App Central and find out, or you could check if r28 shows up in your App Central and report here.
Also I think it is a modified copy of the database and not a script or batch or virus that it will be detected in virus scans. It is way too simple to be detected as a virus.
How do you suggest the issue is on my end? Because I did not side load this app or upload it from an unofficial source.
My database was perfect before updating.
I am just trying to warn everyone so that no one else gets their databases destroyed.
Last edited by krunchynug8 on Thu Jun 11, 2020 10:38 am, edited 1 time in total.
- orion
- Posts: 3485
- Joined: Wed May 29, 2013 11:09 am
Re: Official APP Central - MariaDB app security breach
WOW!
You do not enable MariaDB remote access (same as me). Did you enable ADM access from internet? If yes, someone can guess your admin's password to hijack your NAS.
-
- Posts: 12
- Joined: Thu May 28, 2020 1:30 pm
Re: Official APP Central - MariaDB app security breach
Yes my remote access is always switched off for MariaDB and yes remote ADM access is turned on.
I have regular root account turned off and use my custom username and have firewall setup to block access from all regions except Australia.
Just checked my connection logs; nothing suspicious there.
Also can someone get me the previous APK r21 so that I can get MariaDB back up and running and remove this new infected app.
-
- Posts: 396
- Joined: Thu Apr 09, 2020 8:01 pm
Re: Official APP Central - MariaDB app security breach
None of those facts preclude the chance that the issue is on your end though. Don't get me wrong, it could be that Asustor was hacked, or some disgruntled employee did it, I just kinda doubt it.
Previous version - http://appdownload.asustor.com/0010_999 ... x86-64.apk (this may get updated automatically though)
You can see all apps here - http://appdownload.asustor.com/
As Orion said, it could be that someone gained access to your NAS or account. Have you checked - https://haveibeenpwned.com/ ? Granted, that's not the only way for your details to end up in the hands of someone who means you harm.
It could also be due to an insecure network or NAS setup, though your last comment suggests not the latter, and the former is very unlikely.
Have you run a variety of malware scans on all local devices?
-
- Posts: 12
- Joined: Thu May 28, 2020 1:30 pm
Re: Official APP Central - MariaDB app security breach
You are right. It might be on my end. I am doing some following up on my end. Erased the ransom entry from my database.
Installed r28 and logged in; that entry was not recreated.
I am running scans to see if I come up with anything.
Will keep you posted.
Thanks
-
- Posts: 12
- Joined: Thu May 28, 2020 1:30 pm
Re: Official APP Central - MariaDB app security breach
Looks like this is what happened to me
https://www.scmagazineuk.com/hackers-hi ... le/1475201
I guess it was because I had the default Asustor admin and pass set for phpMyAdmin.
It was probably a botnet scanning through my exposed ports.
I should be more careful from now on.
Let this be a lesson to those reading this.
Protect your database and harden it:
https://draculaservers.com/tutorials/up ... phpmyadmin
https://www.ispsystem.com/news/please-r ... ing-attack
It was a mere coincidence that Asustor released an update to MariaDB just the same day that I got attacked.
I'll add an UPDATE to post no 1
-
- Posts: 396
- Joined: Thu Apr 09, 2020 8:01 pm
Re: Official APP Central - MariaDB app security breach
Glad you found the issue. Hopefully nothing irreparable was lost and nothing sensitive was breached.
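
Added example, not part of the thread or any poster's code: the cause identified above was a default database/phpMyAdmin password on a reachable service, so this sketch audits rows exported from your own `mysql.user` table for empty passwords, non-local hosts, anonymous accounts, and stored hashes that match a list of default passwords. The function names, the candidate list and the sample rows are constructed for illustration; it assumes accounts use the `mysql_native_password` hash format.

```python
import hashlib

# Hosts that only allow connections from the NAS itself.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def native_hash(password: str) -> str:
    """Hash as stored by mysql_native_password: '*' + HEX(SHA1(SHA1(pw)))."""
    if password == "":
        return ""  # an empty password is stored as an empty string
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def audit_accounts(rows, candidate_passwords):
    """rows: (user, host, stored_hash) tuples, e.g. exported on MariaDB 10.0
    with: SELECT User, Host, Password FROM mysql.user;
    Returns a sorted list of (user, host, finding) tuples."""
    known = {native_hash(p) for p in candidate_passwords if p}
    findings = []
    for user, host, stored in rows:
        if stored == "":
            findings.append((user, host, "empty password"))
        elif stored.upper() in known:
            findings.append((user, host, "default or guessable password"))
        if host not in LOCAL_HOSTS:
            findings.append((user, host, "reachable from non-local host"))
        if user == "":
            findings.append((user, host, "anonymous account"))
    return sorted(findings)


# Constructed sample data (not taken from the thread).
CANDIDATES = ["admin", "password", "root"]
SAMPLE_ROWS = [
    ("root", "localhost", native_hash("password")),
    ("root", "%", ""),
    ("webapp", "localhost", native_hash("constructed-long-unique-passphrase")),
    ("", "localhost", ""),
]

if __name__ == "__main__":
    for user, host, finding in audit_accounts(SAMPLE_ROWS, CANDIDATES):
        print(f"{user or '<anonymous>'}@{host}: {finding}")
```

Any account it flags should get a unique password, be restricted to `localhost`, or be dropped before phpMyAdmin or the database port is reachable from outside the LAN.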