MySQL/MariaDB: like a Petya ransomware for MySQL and ‘root’@’%’ access

Arseny Zinchenko - Apr 3 '19 - - Dev Community

This story happened on 10/06/2017; I am adding this post in English now. The original post (in Russian) was written almost right after the well-known NotPetya attack in Ukraine, which is why it is referenced in the title.

I had a new project assigned to me. When I started investigating its existing setup, I was just shocked.


A Data Science project: a bunch of MariaDB servers, each with 10 to 150 databases.

While checking the servers and their databases (and enabling the general log along the way), I suddenly discovered that one server had no databases at all, except for one with the weird name PLEASE_READ:

MariaDB [(none)]> show databases;
| Database           |
| PLEASE_READ        |
| information_schema |
| mysql              |

This database has one table with an even weirder name, WARNING:

MariaDB [(none)]> use PLEASE_READ;
Database changed
MariaDB [PLEASE_READ]> show tables;
| Tables_in_PLEASE_READ |
| WARNING               |

Well… Maybe it is some warning about this server/database left by the previous admins/devops/developers?

Let's read its content:

MariaDB [PLEASE_READ]> select * from WARNING;
| id | warning                                                                                                                                             | Bitcoin_Address                    | Email                   |
|  1 | Send 0.5 BTC to this address and go to this site http://es7ocnlet5vyulh5.onion/ to recover your database! SQL dump will be available after payment! | 14UhC8s4hUUCmwT31RqVbDB7dgoBxT4oXg | |

Googling the email address “” led me to the following post:

But that was only the very beginning of the whole story!

Further investigation found that:

  1. MySQL root had no password
  2. root had access from anywhere, i.e. 'root'@'%'
  3. every AWS EC2 instance with a MariaDB server had an external IP
  4. a single AWS Security Group used by all those instances had two Allow rules for ports 22 and 3306 from the network…

MariaDB [mysql]> select host,password from user where user = 'root';
| host                        | password  |
| localhost                   |           |
|         |           |
|                   |           |
| %                           |           |

And access from anywhere on the Internet:

$ mysql -u root -h 52.***.***.37
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 55560
MariaDB [(none)]>
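As an added example (not code from the original post), here is a small audit over rows in the shape of that `select host,password from user` query, generalized to every account: it flags empty passwords and '%' hosts, treats accounts authenticated by MariaDB's unix_socket plugin as safe despite an empty password, and emits MariaDB remediation statements. The sample rows, the placeholder hosts standing in for the elided ones, and the unix_socket row are constructed.

```python
"""Audit of mysql.user for the two misconfigurations described in the post:
accounts with an empty password and accounts reachable from any host ('%').
Added example, not code from the original post; the sample rows are constructed."""

# Constructed rows in the shape of
#   SELECT user, host, password, plugin FROM mysql.user;
# on a MariaDB 10.1-era server. The two elided hosts from the post are
# replaced by placeholder values.
SAMPLE_ROWS = [
    ("root", "localhost",    "", ""),
    ("root", "10.0.0.12",    "", ""),            # placeholder for the elided IP
    ("root", "ip-10-0-0-12", "", ""),            # placeholder for the elided hostname
    ("root", "%",            "", ""),
    ("app",  "10.0.%",       "*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29", ""),
    ("ops",  "localhost",    "", "unix_socket"),  # passwordless but socket-auth only
]

def audit_users(rows):
    """Return (user, host, problems) for each risky account.
    problems is a subset of {"empty_password", "any_host"}."""
    findings = []
    for user, host, password, plugin in rows:
        problems = set()
        # An empty password is fine only when another auth plugin (e.g.
        # MariaDB's unix_socket, local connections only) does the check.
        if password == "" and plugin in ("", "mysql_native_password"):
            problems.add("empty_password")
        # host '%' matches every address: if 3306 is reachable from the
        # Internet, so is this account.
        if host == "%":
            problems.add("any_host")
        if problems:
            findings.append((user, host, frozenset(problems)))
    return findings

def severity(problems):
    # Both together is exactly the state that let the attacker in:
    # no credential needed, from any address.
    return "critical" if problems == {"empty_password", "any_host"} else "high"

def remediation_sql(findings):
    """Drop any-host accounts, set a password on the rest. SET PASSWORD ... =
    PASSWORD() is MariaDB syntax; '<strong-password>' is a placeholder."""
    stmts = []
    for user, host, problems in findings:
        if "any_host" in problems:
            stmts.append(f"DROP USER '{user}'@'{host}';")
        else:
            stmts.append(f"SET PASSWORD FOR '{user}'@'{host}' = PASSWORD('<strong-password>');")
    return stmts

if __name__ == "__main__":
    for user, host, problems in audit_users(SAMPLE_ROWS):
        print(f"{severity(problems):8} '{user}'@'{host}': {', '.join(sorted(problems))}")
    print("\n".join(remediation_sql(audit_users(SAMPLE_ROWS))))
```

Run the same function over the real output of that query on each server; closing the Security Group is still needed separately, since the audit only covers what the database itself enforces.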

Once again:

As a result, on 4 of the 11 DB servers all databases were wiped out.

On the other servers root had access only from localhost, and this saved their databases.

On one of the servers I saw a connection attempt before I disabled all network access for those instances:

43293 Connect   Access denied for user 'root'@'' (using password: NO)

China, although that doesn't tell us much:

irt:            IRT-CYHADCL-CN
address:        UNIT 04,7/F,BRIGHT WAY TOWER,NO. 33 MONG KOK ROAD,KOWLOON, hong kong hong kong
admin-c:        KHNT2-AP
tech-c:         KHNT2-AP
auth:           # Filtered
mnt-by:         MAINT-CYHADCL-CN

“It was a good day today” (c)
