Web Hosting Talk

I got hacked...Please help!


sir_han
11-12-2004, 04:46 PM
My MySQL server got hacked yesterday by an unknown hacker, and this is what I get:

[root@ns1 mysql]# ls

0WN3D
ib_logfile1
mysql
innodb.status.1034
mysql.sock
innodb.status.1039
ns1.myserver.com.err
ib_arch_log_0000000000
innodb.status.15102
ns1.server.com.pid
ibdata1
localhost.localdomain.err
test
ib_logfile0
localhost.localdomain.pid
unknown.sagonet.net.err

[root@ns1 mysql]#


I get this "0WN3D" database created, and I'm not sure which other files are not supposed to be there. My MySQL server would not start anymore. What can I do? I want to hunt this hacker down somehow. Please help me out. Thank you.

Slidey
11-12-2004, 05:29 PM
Concentrate on cleaning yourself up first. What errors do you get when you start mysql?

amc-james
11-12-2004, 05:36 PM
The 0wn3d file looks like the only "offensive" file.

The other files look fairly standard.

HOWEVER, remove the related user/access permissions from the main mysql database and change the root password for mysql (and the system too if the password is the same; let's hope not, that's bad practice).

Good Luck

adapter
11-12-2004, 06:38 PM
What MySQL version do you use?

sir_han
11-12-2004, 08:51 PM
I have MySQL version 4.0.20. I've just uninstalled the Client and the Server, and deleted the mysql folder with ALL files in "/var/lib/mysql" already. I'm going to install a fresh MySQL soon. Anything else I should do first?

CArmstrong
11-12-2004, 08:54 PM
Hire a company specializing in compromise recovery to make sure nothing else was touched. You can never be too safe.

tmiller04
11-12-2004, 09:22 PM
Call me paranoid, but when a server is compromised - no matter how small - it's time to reinstall.

Of course, if you think something is under control you could schedule a later date to rebuild - but considering all the methods of hiding processes/files etc., you never can be sure you have cleaned up completely.

Then again, maybe I should take off my tin foil hat ;)

Cephren
11-12-2004, 10:56 PM
If you have direct access to the server, usually the first thing most admins do is unplug the server from the network. If you have servers on the same network, you do not want to jeopardize those ones either. The wonders of protocol analyzers.

If you do not have physical access, or you cannot have your clients' websites go down at all for long periods: don't panic. Don't do stupid things to alert the hacker, especially if you're a newbie admin. Always keep in mind that most hackers leave backdoors. If the hacker is connected and sees that you are investigating... chances are that you will end up with a pretty screwed up server. Right now he has the upper hand.

What is very common with MySQL databases being hacked is when your port 3306 is open remotely for everyone to connect (it's a no-brainer to brute force into), or sites with PHP that connect to the DB have been exploited, or one of your sites has a readable configuration file which shows access to a DB. So you should ask yourself if you are running an exploited version of PHP... or even running with safe mode off.

*Your main priority is to make sure your clients don't go down.
If you have a backup of the server from when it was not compromised, congrats.

A reinstall of MySQL just won't cut it... to be honest.

1. Check /tmp for oddities.

2. Check your logs in /var/log.
Check if you have any logs with 0 bytes that shouldn't be. Look inside the logs for blank spaces. It's pretty darn easy to spot something odd.
Logs are our best friend, although some trojans specifically remove sections of logs covering the hacker's actions.

3. Check your /etc/shadow file and look for unauthorized additions to that file.

4. Run chkrootkit.

5. If you had tripwire installed previously, you're in luck.

5b. Investigate if your /bin and /sbin have been compromised.
Chances are they have been.

5c. Make sure the samba daemon isn't running.

6. Look into /root/.bash_history, look for blank spaces and investigate there. Most script kiddies forget to clean this up.
(And yes, I've seen some pretty dumb hackers before.)

7. If you do not have an unhacked backup of your websites, then do a dump of the httpd and mysql.

Then connect to another server and restore it there. Always investigate the stuff you move.


The list goes on and on. Yawn.

...the rest is pretty straightforward. The last step is to reformat your server completely.


On your own workstation, make sure it is not compromised either and does not contain some spyware which records keystrokes and uses SMTP to send out stuff.

There are many, many things to look for. If you already found this message confusing, then you definitely need to hire a security expert.


-----------------------------------------------------------------------------
There's one very nice giveaway when someone is in your server seeking root: when you su to root, and you know you have 100% typed in the correct password, but you get "wrong password" and are asked to retype it... you're hacked and you have just given your root to the hacker.
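The filesystem parts of the checklist above (/tmp, zero-byte logs, /etc/shadow and /etc/passwd, /root/.bash_history, the MySQL datadir with its unexpected "0WN3D" directory) and the port 3306 point from the same post, turned into a read-only triage script. This is an added example, not code from the thread or any of its posters; it assumes Linux paths (/etc/my.cnf for the MySQL config, /var/lib/mysql for the datadir, the stock "mysql" and "test" databases) and runs against a root directory you pass in, so it can be exercised on a constructed sample tree before being pointed at a live host. The chkrootkit, tripwire, /bin and /sbin, and samba steps are left out because they need extra tools or a live process table.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Read-only checks that follow
# the checklist above, run against a root directory given as $1: "/" on a
# live host, or the constructed sample tree built by make_sample_root below.
# Paths and the expected database list are assumptions, not from the post.

# 1. /tmp: hidden names and executable files are worth a look.
check_tmp() {
    d="$1/tmp"
    [ -d "$d" ] || return 0
    find "$d" \( -name '.*' -o \( -type f -perm -100 \) \) |
        sed 's|^|tmp: hidden or executable entry: |'
}

# 2. /var/log: a zero-byte log that should not be empty suggests truncation.
check_logs() {
    d="$1/var/log"
    [ -d "$d" ] || return 0
    find "$d" -type f -size 0 | sed 's|^|log: zero-byte file (truncated?): |'
}

# 3. /etc/passwd and /etc/shadow: extra UID-0 users, and shadow entries with
#    no matching passwd line (an account added by hand).
check_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print "passwd: extra UID-0 account: " $1 }' \
        "$1/etc/passwd"
    cut -d: -f1 "$1/etc/shadow" | while read -r u; do
        grep -q "^$u:" "$1/etc/passwd" || echo "shadow: entry with no passwd user: $u"
    done
}

# 6. /root/.bash_history: blank lines often mark where someone edited it.
check_history() {
    h="$1/root/.bash_history"
    [ -f "$h" ] || { echo "history: $h missing (possibly wiped)"; return 0; }
    grep -n '^[[:space:]]*$' "$h" | sed 's|:.*$||; s|^|history: blank line at line |'
}

# MySQL datadir: any directory beyond the expected databases (here the stock
# "mysql" and "test") is a database somebody else created, like 0WN3D above.
check_mysql_datadir() {
    dir="$1/var/lib/mysql"; expected="${2:-mysql test}"
    [ -d "$dir" ] || return 0
    for d in "$dir"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        case " $expected " in
            *" $name "*) ;;
            *) echo "mysql: unexpected database directory: $name" ;;
        esac
    done
}

# Port 3306 open to the world: my.cnf neither skips networking nor binds to
# localhost. (Assumed config path: /etc/my.cnf.)
check_mysql_cnf() {
    f="$1/etc/my.cnf"
    [ -f "$f" ] || return 0
    grep -Eq '^[[:space:]]*(skip-networking|bind-address[[:space:]]*=[[:space:]]*127\.0\.0\.1)' "$f" ||
        echo "mysql: $f sets neither skip-networking nor bind-address=127.0.0.1 (3306 reachable remotely)"
}

triage() {
    check_tmp "$1"; check_logs "$1"; check_accounts "$1"
    check_history "$1"; check_mysql_datadir "$1"; check_mysql_cnf "$1"
}

# Number of findings, for scripting and for the self-check.
triage_count() { triage "$1" | wc -l | tr -d ' '; }

# Constructed sample tree mirroring the thread: stock databases plus 0WN3D,
# a truncated log, a second UID-0 user, an orphan shadow entry, an edited
# history file and a my.cnf that listens on every interface. Prints its path.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/tmp/.x" "$r/var/log" "$r/etc" "$r/root" \
        "$r/var/lib/mysql/mysql" "$r/var/lib/mysql/test" "$r/var/lib/mysql/0WN3D"
    printf 'echo hi\n' > "$r/tmp/backdoor"; chmod 755 "$r/tmp/backdoor"
    printf 'x' > "$r/tmp/sess_abc"                       # ordinary session file
    : > "$r/var/log/messages"                            # zero bytes
    printf 'Nov 12 04:46:01 ns1 sshd[100]: Accepted password for admin\n' > "$r/var/log/secure"
    printf 'root:x:0:0:root:/root:/bin/bash\ntoor:x:0:0::/:/bin/sh\nwww:x:48:48::/var/www:/sbin/nologin\n' \
        > "$r/etc/passwd"
    printf 'root:$1$a:12000:0:99999:7:::\ntoor:$1$b:12000:0:99999:7:::\nghost:$1$c:12000:0:99999:7:::\n' \
        > "$r/etc/shadow"
    printf 'w\n\ncat /etc/shadow\n' > "$r/root/.bash_history"
    printf '[mysqld]\ndatadir=/var/lib/mysql\nsocket=/var/lib/mysql/mysql.sock\n' > "$r/etc/my.cnf"
    echo "$r"
}

# Usage: sh triage.sh /          (live host)
#        sh triage.sh --demo     (constructed sample tree, 8 findings)
case "${1:-}" in
    "") ;;
    --demo) s=$(make_sample_root); triage "$s"; rm -rf "$s" ;;
    *) triage "$1" ;;
esac
```

Every check only reads, so it is safe to run on a box you are still investigating; a finding is a lead to look at by hand, not proof of compromise, and a clean run says nothing about rootkits that hide files from find, which is why the post ends with a reformat anyway.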

tmiller04
11-13-2004, 12:35 PM
Originally posted by Cephren
A reinstall of MySQL just won't cut it... to be honest.


So true. Just thought I would clarify that, in my previous post, by "reinstall" and "rebuild" I meant "of the server", not "of mysql". The post above had some good suggestions in it; I suggest you read through it carefully.

Also, CERT has established this guideline for dealing with intrusions:

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

It's pretty general, but gives you some idea of established guidelines and ideas for future incidents.

Regards,