2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article explains in detail what the ransomware early warning for MySQL databases is about, with the corresponding analysis and answers, in the hope of helping more readers who want to solve this problem find a simple and feasible method.
Recently, the Sangfor security team tracked ransomware attacks against MySQL databases in China. The attacks observed so far mainly involve tampering with and stealing database contents. The Sangfor security team reminds users, database administrators in particular, to take precautions, protect core data assets and avoid being hit. Cases have so far been found among both large enterprises and ordinary users in China.
This ransomware attack differs markedly from earlier ones: it does not encrypt any files at the operating system level, but logs in to the MySQL database directly and performs the encryption inside the database application. Its main behaviour is to traverse every table in the database and encrypt every field of every record; each table gets the suffix _encrypt appended, and a corresponding ransom-note table is created for it. For example, if the original table is named xx_yy_zz, the encrypted table is named xx_yy_zz_encrypt and the ransom-note table xx_yy_zz_warning; the _encrypt and _warning tables appear in pairs.
The _encrypt table holds the business data; the _warning table is newly created. The Sangfor security team opened one of the new ransom-note tables and found the following:
In the new table, the attacker left a message field with the ransom note, a btc field with the attacker's Bitcoin wallet address, and a site field with the attacker's dark-web site. The picture below is that dark-web page, which reminds the victim to pay the ransom.
Opening the MySQL client on the Linux server and reading the ransom note shows the following:
In the database storage directory, the relevant data files are indeed encrypted:
Encryption process
Sangfor security experts found that after obtaining the password of a MySQL account, the attacker logged in to the MySQL database, executed SQL statements and encrypted the tables. The method is relatively novel: it uses MySQL's built-in AES encryption function to encrypt the data inside the database. The encryption steps are shown in the following figure (taking the original table g***ra as an example):
This attack has a wider reach than other MySQL attacks. In China, besides a number of large enterprises, MySQL databases set up by ordinary users have recently been hit as well. Once again: no matter the size of the business, take proper security precautions.
Solution
1. Close port 3306 globally on the network border firewall, or open it only to specific IP addresses.
2. Enable the MySQL login audit log and close unused high-risk ports wherever possible.
3. Deploy a bastion host in front of the MySQL database server to audit and control login behaviour.
4. Set a unique password on each server; it should combine uppercase and lowercase letters, digits and special symbols, and be long enough (15 characters or more, using at least two of those character classes).
5. So far, the MySQL account passwords of the affected users were all stolen from accounts exposed to the public Internet, which reminds database administrators not to sacrifice data security for the convenience of operation and maintenance.
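As an added example (not from the original article or from Sangfor), here are two checks a defender can derive from the table-naming pattern and AES_ENCRYPT usage described above and from the audit-log recommendation in step 2: one flags paired _encrypt/_warning names in SHOW TABLES output, the other correlates MySQL general query log lines by connection id to flag logins from unexpected hosts and statements that encrypt in-database, create the suffixed tables or drop the originals. The general_log line layout, the sample table names and the log lines are constructed assumptions.

```python
import re

# Constructed sample: SHOW TABLES output after an incident like the one described above
SAMPLE_TABLES = ["users", "orders_encrypt", "orders_warning",
                 "inventory_encrypt", "inventory_warning", "audit_encrypt"]
# Constructed sample lines in MySQL general_log file format (assumed layout:
# "<time>\t<conn id> <Command>\t<Argument>"); 'k' stands in for the attacker's key
SAMPLE_GENERAL_LOG = """\
2024-06-02T10:15:01.000001Z\t   12 Connect\troot@203.0.113.5 on shop using TCP/IP
2024-06-02T10:15:02.000002Z\t   12 Query\tCREATE TABLE orders_encrypt SELECT id, AES_ENCRYPT(amount, 'k') amount FROM orders
2024-06-02T10:15:03.000003Z\t   12 Query\tCREATE TABLE orders_warning (message TEXT, btc TEXT, site TEXT)
2024-06-02T10:15:04.000004Z\t   12 Query\tDROP TABLE orders
2024-06-02T10:16:00.000005Z\t   13 Connect\tapp@10.0.0.7 on shop using TCP/IP
2024-06-02T10:16:01.000006Z\t   13 Query\tSELECT id FROM users WHERE id = 42
"""
TABLE_RE = re.compile(r"^(?P<base>.+)_(?P<kind>encrypt|warning)$")
LOG_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(.*)$")
# In-database encryption, ransom-note table creation, or dropping of the originals
SUSPICIOUS_SQL = re.compile(r"\bAES_ENCRYPT\s*\(|\bDROP\s+TABLE\b|\bCREATE\s+TABLE\s+`?\w+_(encrypt|warning)\b", re.I)

def find_ransom_table_pairs(tables):
    """For each base name with a _encrypt or _warning table, record which of the
    two exist and whether the original is still present (hits are leads, not proof)."""
    names, found = set(tables), {}
    for name in names:
        m = TABLE_RE.match(name)
        if m:
            base = m.group("base")
            entry = found.setdefault(base, {"encrypt": False, "warning": False,
                                            "original": base in names})
            entry[m.group("kind")] = True
    return found

def scan_general_log(log_text, allowed_hosts):
    """Tie Query lines to the Connect line of the same connection id; return
    (conn_id, host, reason) for logins from unexpected hosts and suspicious SQL."""
    host_by_conn, alerts = {}, []
    for line in log_text.splitlines():
        if not (m := LOG_RE.match(line)):
            continue
        _ts, conn_id, command, arg = m.groups()
        if command == "Connect":
            user_host = re.match(r"\S+?@(\S+)", arg)
            host = user_host.group(1) if user_host else "?"
            host_by_conn[conn_id] = host
            if host not in allowed_hosts:
                alerts.append((conn_id, host, "login from unexpected host"))
        elif command == "Query" and SUSPICIOUS_SQL.search(arg):
            alerts.append((conn_id, host_by_conn.get(conn_id, "?"), "suspicious SQL: " + arg[:50]))
    return alerts
```

On the sample data the first check reports orders, inventory and audit (the last with no _warning partner), and the second reports four alerts, all on connection 12 from the unexpected host.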
Supplementary note:
Cases of encrypted MySQL databases have been found on both Linux and Windows servers. Windows users are advised to use Sangfor's free detection and removal tool.
This concludes the answer to the question about the ransomware early warning for MySQL databases. I hope the above content is of some help to you. If you still have many doubts to resolve, you can follow the industry information channel for more related knowledge.