Author Topic: Database hacked  (Read 4492 times)

Database hacked
« on: March 30, 2020, 07:45:45 PM »
Dear all,
Suddenly my website is down. When I checked the errors, I found the whole database removed and replaced with a message to send bitcoins to the hacker.
How could this happen, and how can I track the logs to recognize when and how this happened?

Thanks

Re: Database hacked
« Reply #1 on: March 30, 2020, 10:13:26 PM »
Lemme guess, a WordPress site?
If you had CSF, modsec and Wordfence configured, along with strong passwords, then this shouldn't happen. If the computer that you normally access the site admin with is compromised, then all bets are off.
I suggest you start with a fresh installation of the (virtual) server and restore the site(s) from backup.

Coincides with an email report that arrived this evening, for a site that I run:
Quote
March 29, 2020 11:38am    
45.12.32.174 (Russian Federation)
Blocked for ThemeGrill Demo Importer < 1.6.2 - Auth Bypass & Database Wipe in query string: do_reset_wordpress=1

March 28, 2020 6:48am    
37.59.51.181 (France)
Blocked for Slider Revolution: Local File Inclusion

March 28, 2020 2:59am    
188.166.16.17 (Netherlands)
Blocked for WAF-RULE-194

March 28, 2020 2:59am    
188.166.16.17 (Netherlands)
Blocked for TRX Addons >= 1.6.50 - Remote Code Execution
Makes a change to not see a USA hack attempt.  ::)

If you have access to the official CSF GUI, then there's a useful "Check Server Security" option that gives good advice. See post:
http://forum.centos-webpanel.com/index.php?topic=8576
« Last Edit: March 30, 2020, 10:42:11 PM by ejsolutions »
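
One way to approach the "when and how" question from the web server's access log, as an added example that is not part of either post: the script below looks for requests carrying the `do_reset_wordpress` query parameter named in the quoted Wordfence report. It assumes the combined log format; the function name, the request path and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache/Nginx "combined" log format (assumed; adjust if the server logs differently).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Query parameter named in the Wordfence report quoted in the thread.
INDICATOR = "do_reset_wordpress"

def find_reset_requests(lines):
    """Return time-ordered hits (time, ip, target, status) carrying the indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        query = urlsplit(m["target"]).query
        # parse_qs URL-decodes parameter names, so %-encoded spellings match too.
        if INDICATOR not in parse_qs(query, keep_blank_values=True):
            continue
        hits.append({
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "ip": m["ip"],
            "target": m["target"],
            "status": int(m["status"]),
        })
    return sorted(hits, key=lambda h: h["time"])

# Constructed sample lines (documentation IP ranges, made-up path), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [29/Mar/2020:11:38:02 +0000] '
    '"GET /some/path?do_reset_wordpress=1 HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.23 - - [28/Mar/2020:06:48:10 +0000] '
    '"GET /index.php?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [27/Mar/2020:02:59:44 +0000] '
    '"GET /some/path?x=1&do%5Freset%5Fwordpress=1 HTTP/1.1" 302 0 "-" "-"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for h in find_reset_requests(SAMPLE):
        # Assumption: 403 means the request was refused; any other status needs a closer look.
        verdict = "refused" if h["status"] == 403 else "INVESTIGATE"
        print(h["time"].isoformat(), h["ip"], h["status"], verdict, h["target"])
```

Run it over the rotated logs as well as the current one, since the earliest hit is the one that dates the incident.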