Database nuked: mariopilot.heliohost.org

[mariopilot808]

Hello,

 

I have been rebuilding my website after a spambot attack required its deletion. I was almost there, but today, the MySQL database has just disappeared...

Database name is "mariopil_808" and the MySQL  databases cPanel reports it at 0 Bytes... this is a Joomla site.

 

Best Regards,

 

Mario N.

 

[wolstech]

We had this happen to a few others as well, one as recently as a few weeks ago. It's almost always either malware in your CMS or a compromised password, usually either due to human error (fell for phishing?) or a victim of an attack like AnonymousFox, which has been popping up again lately after being quiet for 3 years.

 

If you're unfamiliar with it, AnonymousFox attacks users by doing a "spray and pray" of symlinks for common configuration file names and locations, then viewing the contents. The attacker uses the files to get DB credentials. Traditionally the attacker would use those credentials to add a backdoor admin account to the CMS (this account was often called AnonymousFox and is where the attack's name comes from) then log in and abuse the CMS, typically by either defacing the site or using the CMS to set up phishing or send spam. That said, I've also seen times where they just randomly altered the contents of tables, emptied tables, or dropped them entirely as opposed to using the account for other illegal activity.

 

The fix is:

• Delete the Joomla install entirely.
• Change your cPanel password as well as the passwords of any database users you created.
• Rebuild the Joomla site in a different location (easiest is to just put it a subfolder, or if it's in one already, to rename the subfolder). If it was an AnonymousFox attack that hasn't been caught yet, putting it back in the same place will let the attacker easily grab the new database password to continue attacking you.

[mariopilot808]

Grunt...

 

The site was just rebuilt because of an AnonymousFox attack. Hence, new password was used, all the while using the latest CMS version. I do not think it was compromised from the start, as this time I installed Joomla through CPanel.

However, if you can just read the config files and extract credentials, Joomla security is a joke...

I did not even had time to run a a backup... how annoying!

[wolstech]

 

However, if you can just read the config files and extract credentials, Joomla security is a joke...

 

 

It's not being read through Joomla, in fact it's not being read through any code on your account. Every single PHP program in existence is vulnerable to it if they make enough effort. Joomla and WP are just the most frequently targeted due to popularity.

 

The attack script they use literally just guesses where the config files are, because its named the same in every single installation. They enumerate the usernames on the system, then just bulk create symlinks pointed to common locations on the accounts hoping one lands on a config file. If their script guesses correctly, they end up with a valid link. When you do things like put the install in a subfolder, their symlinks will miss the file.

[robertzo]

That is why I recommend using Publii or Mobilrise. There are no databases to hack and the CMS is on your local computer.

[Krydos]

We had this happen to a few others as well, one as recently as a few weeks ago.

The last database that disappeared was because the user had a key logger and they got his password. Might want to check your computers.