Tuesday, June 20, 2006

hacked

nice.

serversniff has a bunch of security-holes, and we are watching closely what people are doing here - and really, someone noticed that it was quite easy to get a glimpse of the mysql-log-database.

the evil hacker might have been a script kid, for he obviously got access to the mysql-db, then used an unknown (at least to major search-engines) mysql-exploit-script trying to create files on the system. the mysql-db died on the way to his goal.

the attacker created (and then deleted or emptied) several tables in the db "mysql":

"SNOWHILL"
"db" - nice - contains all passwords from table "user" in cleartext!
"dat" - used to execute commands on the host
"fm" - contains php-code to upload files and execute commands
"local" - slightly different from "dat"
"sploitdb" - slightly different from "dat"
"wip3r" - slightly different from "dat"

It seems that the guy used at least 4 slightly different exploits targeting the same problem.

Better luck next time.

tom

2 comments:

Anonymous said...

Hello.

I was wondering if you could help me out by providing info on how you were able to secure your database. I think I may be suffering from the same problem.

My email address is aethermanas-at-contralux-dot-com.

Thank you.

thomas said...

there are three main reasons for mysql-dbs to get hacked:

1) a mysql-user root without any password
use mysqladmin to delete the user "test" and set a password for the mysql-user root that cannot be easily guessed
2) an unsecured phpmyadmin-installation
if you are using an insecure and easy-to-find webadmin-tool, think about password-protecting this stuff
3) an insecure webapplication using mysql
this is a bit too difficult to explain in three sentences.

but chances are that you fell prey to 1) or 2)

tom
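An added example, not code from the post or its comments: a small Python audit of the rows in MySQL's "mysql.user" table that flags the cases listed under 1) above and emits the SQL that fixes them. It assumes the classic pre-5.7 layout with a "password" column and the old SET PASSWORD ... = PASSWORD(...) syntax; the sample rows are constructed. It goes slightly beyond the comment by flagging every account with an empty password and the anonymous '' account, not only root and "test".

```python
# Added audit helper (not from the post): flag weak entries in MySQL's
# mysql.user table and build the SQL that removes or locks them down.
from typing import List, NamedTuple, Tuple


class Account(NamedTuple):
    user: str
    host: str
    password: str  # hash string from mysql.user.password; '' means no password


# Constructed sample of what `SELECT user, host, password FROM mysql.user`
# might return on a default MySQL 4/5 install (assumed layout).
SAMPLE_ACCOUNTS = [
    Account("root", "localhost", ""),
    Account("root", "%", ""),
    Account("test", "localhost", ""),
    Account("", "localhost", ""),  # anonymous account
    Account("app", "localhost", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
]


def find_weak_accounts(accounts: List[Account]) -> List[Tuple[Account, str]]:
    """Return (account, reason) pairs a defender should act on."""
    findings = []
    for acct in accounts:
        if acct.user == "":
            findings.append((acct, "anonymous account"))
        elif acct.user == "test":
            findings.append((acct, "default test account"))
        elif acct.password == "":
            findings.append((acct, "empty password"))
    return findings


def _sql_quote(value: str) -> str:
    """Single-quote a string literal for MySQL, escaping backslash and quote."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def remediation_sql(findings: List[Tuple[Account, str]], new_password: str) -> List[str]:
    """Drop unwanted accounts and set a password on passwordless ones."""
    stmts = []
    for acct, reason in findings:
        who = f"{_sql_quote(acct.user)}@{_sql_quote(acct.host)}"
        if reason in ("anonymous account", "default test account"):
            stmts.append(f"DROP USER {who};")
        else:  # empty password: keep the account, give it a real password
            stmts.append(f"SET PASSWORD FOR {who} = PASSWORD({_sql_quote(new_password)});")
    stmts.append("FLUSH PRIVILEGES;")  # old MySQL needs this after grant-table edits
    return stmts
```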