
I'm running Ubuntu with Plesk. After noticing some suspicious data I started logging all queries. A few hours later... Looks like someone created a database and attempted to insert a new user into the mysql.user table.

Since then I've created new passwords for Plesk and updated Plesk. I noticed in Plesk update notes that they fixed a security issue. Maybe that was how someone got in?

I hope I'm just being paranoid

    750 Connect admin@localhost on 
    750 Query   SELECT VERSION()
    748 Query select `name`,`version` from Components
    750 Query create database `BUG115166_19826690404F97A4DB6CCAB` /*!40101 default charset=utf8 */
    750 Query create database `bug115166_19826690404f97a4db6ccab` /*!40101 default charset=utf8 */
    750 Query insert into mysql.user (Host, User, Password) values ('%', 'bug115166_29609', password('BUG115166_19826690404F97A4DB6CCAB'))
    750 Query FLUSH PRIVILEGES
    750 Query GRANT ALL ON `BUG115166_19826690404F97A4DB6CCAB`.* to 'bug115166_29609'
    751 Connect   bug115166_29609@localhost on 
    751 Query USE `BUG115166_19826690404F97A4DB6CCAB`
    751 Query USE `bug115166_19826690404f97a4db6ccab`
    751 Init DB   Access denied for user 'bug115166_29609'@'%' to database 'bug115166_19826690404f97a4db6ccab'
    750 Query REVOKE ALL ON `BUG115166_19826690404F97A4DB6CCAB`.* FROM 'bug115166_29609'
    750 Query DELETE FROM mysql.user WHERE User='bug115166_29609'
    750 Query FLUSH PRIVILEGES
    750 Query drop database if exists `bug115166_19826690404f97a4db6ccab`
    750 Query drop database if exists `bug115166_19826690404f97a4db6ccab`
    750 Query drop database if exists `BUG115166_19826690404F97A4DB6CCAB`
    750 Query drop database if exists `BUG115166_19826690404F97A4DB6CCAB`
    751 Quit  
    750 Query show databases like 'd21193485464f97a4db6c8a9'
    750 Query create database `d21193485464f97a4db6c8a9` /*!40101 default charset=utf8 */
    750 Query drop database if exists `d21193485464f97a4db6c8a9`
    750 Query drop database if exists `d21193485464f97a4db6c8a9`

1 Answer


See also Weird MySQL Users Been Created (eg. bug115166_10073) and not by me.

In Googling a bit, it looks like this is a relatively common occurrence on Plesk. Given how common it is, I almost wonder whether this is some sort of internal Plesk process that periodically checks for a bug of some type (thus the naming of the user, and the fact that it's connecting from localhost). However, I can find no evidence to support this, so it might be a false lead.

Regardless, you absolutely want to lock this down. Given that you have a timestamp, look through your access logs for that timestamp to try to identify whether there are any corresponding requests. The real issue is not these GRANTs; it's the fact that there is the ability to run a SQL command at all. Find the source of that vulnerability and you'll have closed the hole that actually matters.

BMDan
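As an added example (not part of the question or the answer above), a small Python triage script for MySQL general-log lines in the format the question shows: it groups statements by connection id, records which account opened each connection, and flags account- and privilege-changing statements, which is the kind of correlation the answer recommends. SAMPLE_LOG is a constructed subset of the question's lines with the password argument shortened.

```python
import re
from collections import defaultdict

# Constructed sample in the general-log shape from the question: <conn id> <command> <argument>.
SAMPLE_LOG = """\
750 Connect admin@localhost on
750 Query   SELECT VERSION()
748 Query select `name`,`version` from Components
750 Query create database `BUG115166_19826690404F97A4DB6CCAB` /*!40101 default charset=utf8 */
750 Query insert into mysql.user (Host, User, Password) values ('%', 'bug115166_29609', password('x'))
750 Query FLUSH PRIVILEGES
750 Query GRANT ALL ON `BUG115166_19826690404F97A4DB6CCAB`.* to 'bug115166_29609'
751 Connect   bug115166_29609@localhost on
751 Query USE `BUG115166_19826690404F97A4DB6CCAB`
750 Query DELETE FROM mysql.user WHERE User='bug115166_29609'
751 Quit
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(Connect|Query|Init DB|Quit)\s*(.*)$")

# Statements that alter accounts or privileges; every hit deserves a look.
SENSITIVE_RE = re.compile(
    r"\bmysql\.user\b|^\s*(GRANT|REVOKE|FLUSH\s+PRIVILEGES|CREATE\s+USER|DROP\s+USER)\b",
    re.IGNORECASE,
)

def parse_general_log(text):
    """Yield (conn_id, command, argument) for each recognised log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3).strip()

def find_privilege_changes(text):
    """Return {conn_id: {"user": ..., "statements": [...]}} for connections
    that issued account- or privilege-changing statements."""
    users = {}
    hits = defaultdict(list)
    for conn_id, cmd, arg in parse_general_log(text):
        if cmd == "Connect":
            users[conn_id] = arg.split(" on", 1)[0]  # "user@host on db" -> user@host
        elif cmd == "Query" and SENSITIVE_RE.search(arg):
            hits[conn_id].append(arg)
    return {cid: {"user": users.get(cid, "unknown"), "statements": stmts}
            for cid, stmts in hits.items()}

if __name__ == "__main__":
    for cid, info in find_privilege_changes(SAMPLE_LOG).items():
        print(cid, info["user"], *info["statements"], sep="\n  ")
```

Pointing the script at the full general log, with the timestamps MySQL normally prefixes, gives the connection id and account to match against the web server access log for the same moment, as the answer suggests.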