dbTalk Databases Forums
comp.databases.mysql

Database leaking? ....

#1  Iain  -  08-18-2012, 02:02 AM

Hi,

Ever since just after 1am (BST) this morning, I have had data going from the
MySQL database on my computer to a kundenserver.de (212.227.29.25) server in
Germany. It is happening at irregular intervals, from every minute to 15
minutes or more. It is going in batches of around 230K from mysqld.exe. So
that is over 200Mb bytes sent since it started. I have received around
600K. I re-started the MySQL server around 6:30, but that didn't stop it.

The server is from Schlund+Partner AG, which is also 1&1. The server that
the data is going to does not appear to be in 1&1's hosting range - or
not on the one that I have my test pages on.

Any ideas?

--
Iain

#2  Iain  -  08-18-2012, 02:57 AM

Iain wrote:
> Hi,
>
> Ever since just after 1am (BST) this morning, I have had data going
> from the MySQL database on my computer to a kundenserver.de
> (212.227.29.25) server in Germany. It is happening at irregular
> intervals, from every minute to 15 minutes or more. It is going in
> batches of around 230K from mysqld.exe. So that is over 200Mb bytes
> sent since it started. I have received around 600K. I re-started
> the MySQL server around 6:30, but that didn't stop it.
>
> The server is from Schlund+Partner AG, which is also 1&1. The server
> that the data is going to does not appear to be in 1&1's
> hosting range - or not on the one that I have my test pages on.
>
> Any ideas?

It looks as though someone has managed to hack into the database and is
running a series of queries to get all of the data out! It seems to be
quite systematic in the progression of the queries, from getting an initial
count() to linking using joins and progressively getting the data from the
detail tables across using joins with data from the headers.

I've stopped that access, and it looks as though I shall have to set up some
extra firewall rules to keep them out! I'll change the password as well,
but I wonder if that will stop them.

--
Iain

#3  J.O. Aho  -  08-18-2012, 03:03 AM

On 18/08/12 09:57, Iain wrote:
> Iain wrote:
> > Hi,
> >
> > Ever since just after 1am (BST) this morning, I have had data going
> > from the MySQL database on my computer to a kundenserver.de
> > (212.227.29.25) server in Germany. It is happening at irregular
> > intervals, from every minute to 15 minutes or more. It is going in
> > batches of around 230K from mysqld.exe. So that is over 200Mb bytes
> > sent since it started. I have received around 600K. I re-started
> > the MySQL server around 6:30, but that didn't stop it.
> >
> > The server is from Schlund+Partner AG, which is also 1&1. The server
> > that the data is going to does not appear to be in 1&1's
> > hosting range - or not on the one that I have my test pages on.

My first thought was unauthorized access, and it seems you got to the same
conclusion too.

> It looks as though someone has managed to hack into the database and is
> running a series of queries to get all of the data out! It seems to be
> quite systematic in the progression of the queries, from getting an
> initial count() to linking using joins and progressively getting the
> data from the detail tables across using joins with data from the headers.
>
> I've stopped that access, and it looks as though I shall have to set up
> some extra firewall rules to keep them out! I'll change the password as
> well, but I wonder if that will stop them.

You don't have a web interface which leaked the database credentials?

--

//Aho

#4  Erick T. Barkhuis  -  08-18-2012, 03:07 AM

Iain:
> Iain wrote:
> > Hi,
> >
> > Ever since just after 1am (BST) this morning, I have had data going
> > from the MySQL database on my computer to a kundenserver.de
> > (212.227.29.25) server in Germany. ...
>
> It looks as though someone has managed to hack into the database and
> is running a series of queries to get all of the data out! It seems
> to be quite systematic in the progression of the queries, from
> getting an initial count() to linking using joins and progressively
> getting the data from the detail tables across using joins with data
> from the headers.

This appears very strange to me. Why would someone bother to construct
any queries with joins, when he is after your data? I would expect such
a hacker to just get the table contents of everything. Period.

Are you sure these are not queries you have in any application on that
database, or particular prepared statements in your database that get
used heavily?

--
Erick

#5  Iain  -  08-18-2012, 05:19 AM

J.O. Aho wrote:
> On 18/08/12 09:57, Iain wrote:
>
> You don't have a web interface which leaked the database credentials?

Yes, there is, in a PHP file, but that is not linked from anywhere - also on
a 1&1 server. If you cannot go below the root folder on the web server, how
would you normally go about concealing the login details?

--
Iain

#6  Iain  -  08-18-2012, 05:34 AM

Erick T. Barkhuis wrote:
> This appears very strange to me. Why would someone bother to construct
> any queries with joins, when he is after your data? I would expect
> such a hacker to just get the table contents of everything. Period.
>
> Are you sure these are not queries you have in any application on that
> database, or particular prepared statements in your database that get
> used heavily?

I only have one stored query. Yes, I would have thought it easy just to do
simple SELECTs.
The queries coming in were:
SELECT * FROM ..._data WHERE nr<>9 ORDER BY id;
SELECT * FROM ..._data WHERE nr<>10 ORDER BY id;
SELECT * FROM ..._data WHERE nr<>11 ORDER BY id;
....
SELECT * FROM ..._data WHERE nml=1 AND nr<>9 ORDER BY id;
SELECT * FROM ..._data WHERE nml=1 AND nr<>10 ORDER BY id;
SELECT * FROM ..._data WHERE nml=1 AND nr<>11 ORDER BY id;
etc
then on to:
SELECT count(*) FROM AAA_texts join ..._books ON ..._texts.code =
...._books.code WHERE (name='XXX' OR abbrev='XXX' OR abbrev1='XXX');
SELECT count(*) FROM AAA_texts join ..._books ON ..._texts.code =
...._books.code WHERE (name='YYY' OR abbrev='YYY' OR abbrev1='YYY');
....
SELECT count(*) FROM BBB_texts join ..._books ON ..._texts.code =
...._books.code WHERE (name='XXX' OR abbrev='XXX' OR abbrev1='XXX');
SELECT count(*) FROM BBB_texts join ..._books ON ..._texts.code =
...._books.code WHERE (name='YYY' OR abbrev='YYY' OR abbrev1='YYY');
etc

So, quite organised and seemingly methodical. The queries that I use are
more complex to get more specific records, although the method used in the
join is similar to what I have used. But joining a code with code, or id
with id, is not particularly unusual.

--
Iain
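
The query sequence Iain lists above is exactly the kind of pattern MySQL's general query log makes visible: one connection, from an address that has no business talking to the server, re-issuing the same statement shape with a changing literal. The following is an added example, not code from the thread or from MySQL, that scores constructed log lines laid out like the general query log (timestamp, thread id, command, argument). The host names, table names, thread ids and the allow list are all assumptions; the statement shapes follow the ones quoted in the post. It answers Erick's objection as well: the application's own repeated lookups from localhost are not flagged, the same shapes from an unknown host are.

```python
import re
from collections import defaultdict

# Constructed sample laid out like MySQL's general query log
# (YYMMDD HH:MM:SS <tab> thread_id Command <tab> Argument). Hosts, table names
# and thread ids are made up; the statement shapes follow the ones quoted above.
SAMPLE_LOG = """\
120818  1:02:13\t   42 Connect\tshopuser@212.227.29.25 on shopdb
120818  1:02:13\t   42 Query\tSELECT * FROM shop_data WHERE nr<>9 ORDER BY id
120818  1:02:14\t   42 Query\tSELECT * FROM shop_data WHERE nr<>10 ORDER BY id
120818  1:02:15\t   42 Query\tSELECT * FROM shop_data WHERE nr<>11 ORDER BY id
120818  1:02:16\t   42 Query\tSELECT * FROM shop_data WHERE nml=1 AND nr<>9 ORDER BY id
120818  1:02:17\t   42 Query\tSELECT count(*) FROM AAA_texts JOIN shop_books ON AAA_texts.code = shop_books.code WHERE (name='XXX' OR abbrev='XXX' OR abbrev1='XXX')
120818  1:02:18\t   42 Query\tSELECT count(*) FROM AAA_texts JOIN shop_books ON AAA_texts.code = shop_books.code WHERE (name='YYY' OR abbrev='YYY' OR abbrev1='YYY')
120818  1:02:19\t   42 Query\tSELECT count(*) FROM AAA_texts JOIN shop_books ON AAA_texts.code = shop_books.code WHERE (name='ZZZ' OR abbrev='ZZZ' OR abbrev1='ZZZ')
120818  1:03:01\t   43 Connect\tshopuser@localhost on shopdb
120818  1:03:01\t   43 Query\tSELECT * FROM shop_data WHERE id=17
120818  1:03:02\t   43 Query\tSELECT * FROM shop_data WHERE id=18
120818  1:03:02\t   43 Quit\t
"""

# The timestamp is optional because the general log only repeats it when it changes.
LINE_RE = re.compile(r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(\d+)\s+(\w+)\s*(.*)$")
CONNECT_RE = re.compile(r"^(\S+)@(\S+)\s+on\s+(\S*)")
# Quoted strings and bare integers are the literals that vary between probes.
LITERAL_RE = re.compile(r"'(?:[^'\\]|\\.)*'|\b\d+\b")


def normalize(sql):
    """Return (template, literals): the statement with every literal replaced
    by '?', plus the tuple of literals that were removed."""
    literals = tuple(LITERAL_RE.findall(sql))
    template = LITERAL_RE.sub("?", sql)
    template = re.sub(r"\s+", " ", template).strip().lower()
    return template, literals


def analyse(log_text, allowed_hosts, repeat_threshold=3):
    """Flag connections from hosts outside the allow list and, per connection,
    statement templates re-issued with at least repeat_threshold distinct
    literal sets (the walk-through-the-keys pattern seen in the thread)."""
    conn_host = {}
    per_conn = defaultdict(lambda: defaultdict(set))
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, command, argument = m.groups()
        if command == "Connect":
            cm = CONNECT_RE.match(argument)
            if cm:
                user, host, db = cm.groups()
                conn_host[thread] = host
                if host not in allowed_hosts:
                    findings.append(("unexpected_source", thread, host, f"{user} on {db}"))
        elif command == "Query":
            template, literals = normalize(argument)
            per_conn[thread][template].add(literals)
    for thread, templates in per_conn.items():
        host = conn_host.get(thread, "unknown")
        for template, literal_sets in templates.items():
            if len(literal_sets) >= repeat_threshold:
                findings.append(("enumeration", thread, host,
                                 f"{len(literal_sets)} variants of: {template[:60]}"))
    return findings


if __name__ == "__main__":
    for kind, thread, host, detail in analyse(SAMPLE_LOG, {"localhost"}):
        print(f"{kind:18} thread={thread} host={host} {detail}")
```

On the sample, thread 42 is reported once for its source address and twice for enumeration (the `nr<>` sweep and the `count(*)` join probed with one name after another), while thread 43's two lookups from localhost stay quiet. Connection-level reporting matters because the general log records the client host only on the Connect line, so the host must be carried over to the queries that follow on the same thread id.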

#7  J.O. Aho  -  08-18-2012, 07:25 AM

On 18/08/12 12:19, Iain wrote:
> J.O. Aho wrote:
> > On 18/08/12 09:57, Iain wrote:
> >
> > You don't have a web interface which leaked the database credentials?
>
> Yes, there is, in a PHP file, but that is not linked from anywhere -
> also on a 1&1 server. If you cannot go below the root folder on the web
> server, how would you normally go about concealing the login details?

I don't know much about 1&1, but if they offer a decent Apache setup, you
should have the possibility to set up .htaccess which requires
authentication to access files.

http://httpd.apache.org/docs/2.2/howto/auth.html

That could make things a bit more secure.

--

//Aho

#8  Gordon Burditt  -  08-18-2012, 07:54 AM

> I've stopped that access, and it looks as though I shall have to set up some
> extra firewall rules to keep them out! I'll change the password as well,
> but I wonder if that will stop them.

Generally, it is a good idea to set up your firewall to prohibit
outside access to your database except from a *VERY* short list of
IP addresses.

Often, that list is a single host: localhost, in which case you
can have MySQL not listen on anything but a local UNIX-domain socket.

If you need to put your web server(s) and database server on different
servers (say, for capacity reasons) it's not a bad idea to use a
private address that can't be reached from outside, and perhaps a
separate network cable directly between them.

Among other things, these precautions mean that if your web server/PHP
leak database credentials (you didn't use the same password as for
something else, did you?), they can't be used from outside your
LAN. However, this is an area where you probably shouldn't depend
on only one layer of protection. To keep your pants from falling
down, use a belt, suspenders, a corset, glue the zipper shut,
staples, a nail gun, and some armed guards.

Although you shouldn't let them get to MySQL at all, MySQL can be
set up so that logins can only be used from one particular IP address
or a block.
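
Two of Gordon's three layers (a listener that is socket-only or bound to a non-public address, and accounts that can only log in from one host) can be checked from the server's own configuration without touching the firewall. The following is an added example, not from the thread or from MySQL, that audits a constructed my.cnf fragment and constructed user/host rows in the shape of `SELECT user, host FROM mysql.user`, and emits the statements that pin a wide-open login to a single address. The socket path, addresses and account names are assumptions.

```python
import configparser
import ipaddress

# Constructed my.cnf fragment in the weak shape the post warns about: mysqld
# accepts TCP connections on every interface. Not taken from any real host.
WEAK_MY_CNF = """\
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""

# Hardened counterpart for the single-host case Gordon describes: no TCP
# listener at all, only the local UNIX-domain socket (path is an assumption).
HARDENED_MY_CNF = """\
[mysqld]
skip-networking
socket = /var/run/mysqld/mysqld.sock
"""

# Constructed rows in the shape of `SELECT user, host FROM mysql.user`.
ACCOUNTS = [
    ("root", "localhost"),
    ("shopuser", "%"),            # usable from any address that reaches port 3306
    ("shopuser", "192.168.1.%"),  # the whole LAN /24
    ("report", "10.0.0.5"),       # pinned to one host
]

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def audit_listener(my_cnf_text):
    """Return a list of problems with where mysqld listens; an empty list means
    the listener is socket-only, loopback-only or on a private address."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(my_cnf_text)
    section = cp["mysqld"] if cp.has_section("mysqld") else {}
    # MySQL accepts both bind-address and bind_address; normalise to one spelling.
    opts = {k.replace("_", "-"): v for k, v in section.items()}
    if "skip-networking" in opts:
        return []
    bind = opts.get("bind-address")
    if bind is None:
        return ["no bind-address: mysqld listens on all interfaces"]
    try:
        addr = ipaddress.ip_address(bind)
    except ValueError:
        return [f"bind-address {bind!r} is a name, not an address; resolve it and check"]
    if addr.is_unspecified:
        return [f"bind-address {bind} listens on every interface"]
    if not (addr.is_loopback or addr.is_private):
        return [f"bind-address {bind} is a public address"]
    return []


def audit_accounts(rows, allowed_hosts):
    """Return (user, host, reason) for accounts that can log in from anywhere
    other than the loopback interface or the explicitly allowed addresses."""
    findings = []
    for user, host in rows:
        if host in LOCAL_HOSTS or host in allowed_hosts:
            continue
        if host in ("%", ""):
            findings.append((user, host, "reachable from any address"))
        elif "%" in host or "_" in host or "/" in host:
            findings.append((user, host, "wildcard or netmask host; narrow to exact addresses"))
        else:
            findings.append((user, host, "host is not on the allow list"))
    return findings


def pin_account_sql(user, old_host, new_host):
    """Statements that replace a wide-open login with one tied to a single
    address. Privileges must be re-granted afterwards; the password is a placeholder."""
    return [
        f"DROP USER '{user}'@'{old_host}';",
        f"CREATE USER '{user}'@'{new_host}' IDENTIFIED BY '<new-password>';",
    ]


if __name__ == "__main__":
    print("weak listener:", audit_listener(WEAK_MY_CNF))
    print("hardened listener:", audit_listener(HARDENED_MY_CNF))
    for user, host, reason in audit_accounts(ACCOUNTS, {"10.0.0.5"}):
        print(f"{user}@{host}: {reason}")
        print("  " + "\n  ".join(pin_account_sql(user, host, "10.0.0.5")))
```

The account audit treats `%` and `_` in the host column as wildcards because MySQL matches the host part of an account name that way, so `'shopuser'@'192.168.1.%'` is a /24, not a single machine. Once leaked credentials are only valid from one address, and that address cannot reach the server from outside, the password alone no longer decides who gets the data.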

#9  Iain  -  08-21-2012, 05:32 AM

Gordon Burditt wrote:
> > I've stopped that access, and it looks as though I shall have to
> > set up some extra firewall rules to keep them out! I'll change the
> > password as well, but I wonder if that will stop them.
>
> Generally, it is a good idea to set up your firewall to prohibit
> outside access to your database except from a *VERY* short list of
> IP addresses.

This is what I have now done - a global block except for three IP addresses.

Hopefully this will stop anyone else getting in now.


> Often, that list is a single host: localhost, in which case you
> can have MySQL not listen on anything but a local UNIX-domain socket.
>
> If you need to put your web server(s) and database server on different
> servers (say, for capacity reasons) it's not a bad idea to use a
> private address that can't be reached from outside, and perhaps a
> separate network cable directly between them.
>
> Among other things, these precautions mean that if your web server/PHP
> leak database credentials (you didn't use the same password as for
> something else, did you?), they can't be used from outside your
> LAN. However, this is an area where you probably shouldn't depend
> on only one layer of protection. To keep your pants from falling
> down, use a belt, suspenders, a corset, glue the zipper shut,
> staples, a nail gun, and some armed guards.
>
> Although you shouldn't let them get to MySQL at all, MySQL can be
> set up so that logins can only be used from one particular IP address
> or a block.

--
Iain

#10  Iain  -  08-21-2012, 05:33 AM

J.O. Aho wrote:
> On 18/08/12 12:19, Iain wrote:
> > J.O. Aho wrote:
> > > On 18/08/12 09:57, Iain wrote:
> > >
> > > You don't have a web interface which leaked the database
> > > credentials?
> >
> > Yes, there is, in a PHP file, but that is not linked from anywhere -
> > also on a 1&1 server. If you cannot go below the root folder on
> > the web server, how would you normally go about concealing the
> > login details?
>
> I don't know much about 1&1, but if they offer a decent Apache setup,
> you should have the possibility to set up .htaccess which
> requires authentication to access files.
>
> http://httpd.apache.org/docs/2.2/howto/auth.html
>
> That could make things a bit more secure.

A useful reference for connection info - thanks.

--
Iain
