So, I don't know why, but with no SSH break-in attempt, the MemSQL database got wiped out.
Since it's only a demo project, I didn't create a backup script, and the data loss is not a problem.
There's a PLEASE_READ_ME_VVV database in the MemSQL localhost cluster, and its
WARNING table contains:
| id | warning | Bitcoin_Address | Email |
|----|---------|-----------------|-------|
| 1 | To recover your lost Database send 0.03 Bitcoin (BTC) to our Bitcoin address 1756fmLS26s7yNBFeaqfbgXoRcieuA9xox and contact us by Email with your Server IP or Domain name and a Proof of Payment. Your Database is downloaded and backed up on our servers. Backups that we have right now: cluster, memsql. Any email without your server IP Address or Domain Name and a Proof of Payment together will be ignored. If we dont receive your payment in the next 10 Days, we will delete your backup. | 1756fmLS26s7yNBFeaqfbgXoRcieuA9xox | firstname.lastname@example.org |
The question is, I used the cluster-in-a-box configuration, but
netstat shows that the MemSQL server still listens on all addresses (which probably caused the hack):
```
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      831/memsqld
tcp        0      0 0.0.0.0:3307            0.0.0.0:*               LISTEN      829/memsqld
```
From the log, there's a bunch of brute-force attempts from various IP addresses:
```
3232702503326 2019-08-22 16:48:21.533 ERROR: ProcessHandshakeResponsePacket() failed. Sending back 1045: Access denied for user 'root'@'18.104.22.168' (using password: YES )
```
From the full log, it shows that the attacker managed to guess the MemSQL default password (which I don't know what it is…), then dropped the database (there are no queries that look like it backed up the database first).
How do I make MemSQL listen only on localhost? And why doesn't cluster-in-a-box listen on localhost only by default?
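As an added example (not part of the original question or of MemSQL itself), here is a small triage script for the two artifacts the question shows: it parses memsqld "Access denied" lines of the format above to count failed logins per source host, and it parses netstat output to flag memsqld sockets bound to every interface. The log lines, netstat rows, IP addresses and PIDs below are constructed for the example, not taken from the real server; the brute-force threshold is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample memsqld log lines in the same format as the question's
# "ProcessHandshakeResponsePacket() failed" line (hosts/timestamps are made up).
SAMPLE_LOG = """\
3232702503326 2019-08-22 16:48:21.533 ERROR: ProcessHandshakeResponsePacket() failed. Sending back 1045: Access denied for user 'root'@'203.0.113.7' (using password: YES )
3232702503327 2019-08-22 16:48:21.601 ERROR: ProcessHandshakeResponsePacket() failed. Sending back 1045: Access denied for user 'root'@'203.0.113.7' (using password: YES )
3232702503328 2019-08-22 16:48:22.114 ERROR: ProcessHandshakeResponsePacket() failed. Sending back 1045: Access denied for user 'root'@'203.0.113.7' (using password: YES )
3232702503329 2019-08-22 16:49:03.220 ERROR: ProcessHandshakeResponsePacket() failed. Sending back 1045: Access denied for user 'admin'@'198.51.100.23' (using password: NO )
3232702503330 2019-08-22 16:50:00.000 INFO: unrelated line that must be ignored
"""

# The trailing "\s*" tolerates the space before ")" seen in the real log line.
ACCESS_DENIED = re.compile(
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)' "
    r"\(using password: (?P<pw>YES|NO)\s*\)"
)


def failed_logins(log_text):
    """Return one (user, host, used_password) tuple per denied handshake."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_DENIED.search(line)
        if m:
            hits.append((m.group("user"), m.group("host"), m.group("pw") == "YES"))
    return hits


def brute_force_sources(log_text, threshold=3):
    """Hosts with at least `threshold` denied logins (threshold is arbitrary)."""
    counts = Counter(host for _, host, _ in failed_logins(log_text))
    return {host: n for host, n in counts.items() if n >= threshold}


# Constructed netstat -tlnp style output mirroring the question's (PIDs made up).
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      831/memsqld
tcp        0      0 0.0.0.0:3307            0.0.0.0:*               LISTEN      829/memsqld
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      900/redis-server
"""

WILDCARD_HOSTS = ("0.0.0.0", "::", "*")


def wildcard_listeners(netstat_text, process="memsqld"):
    """(bind_address, port) for LISTEN sockets of `process` bound to all interfaces."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # Expect: proto recv-q send-q local foreign state pid/program
        if len(parts) < 7 or parts[5] != "LISTEN":
            continue
        local, proc = parts[3], parts[6]
        host, _, port = local.rpartition(":")
        if proc.endswith("/" + process) and host in WILDCARD_HOSTS:
            found.append((host, int(port)))
    return found


if __name__ == "__main__":
    for host, n in brute_force_sources(SAMPLE_LOG).items():
        print(f"brute-force source {host}: {n} denied logins")
    for host, port in wildcard_listeners(SAMPLE_NETSTAT):
        print(f"memsqld reachable from every interface on {host}:{port}")
```

Run it against a real `memsql.log` and `netstat -tlnp` capture by replacing the two constructed samples; a non-empty result from `wildcard_listeners` is the condition to fix before re-exposing the host, and the per-host counts tell you which sources to block or report while the log of successful logins is reviewed separately.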