MySQL Forums

Re: Need Help - Server was hacked
Posted by: Rick James
Date: March 15, 2009 11:42AM

Partial answers...

There is no log of who logged in or when, unless they came through a web server (e.g., Apache) which keeps an "access" log.

You can get into mysql by restarting it with --skip-grant-tables, and perhaps --skip-networking (look them up).

Immediately clamp down access. Look through the mysql.user table to see which logins have no password, etc. DELETE rows that you cannot identify, but be sure to leave yourself a way back in.

Something like this is a good starting point:

GRANT ALL ON *.* TO root@localhost IDENTIFIED BY '...' WITH GRANT OPTION;
This gives you a way in, but only from the same machine -- Use it for maintenance only, not for application access!

GRANT USAGE ON *.* TO root@'%' IDENTIFIED BY '...';
This accepts access from everywhere, but does not allow access to any tables. (I'm not sure if that helps -- anyone else know??)

GRANT SELECT ON dbname.* TO app1_ro@'...' IDENTIFIED BY '...';
GRANT ALL ON dbname.* TO app1_rw@'...' IDENTIFIED BY '...';
These give a readonly and a readwrite login for one application. Fill in the ... with localhost if you only need to get to it from there, else use IP addresses of the client from which app1 will be logging in. (Use multiple GRANTs if you have multiple clients.)

There are multiple reasons for splitting readonly and readwrite --
* Helps protect the application from its own mistakes.
* If app1_ro's password is cracked (but not _rw), no 'damage' can be done.
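
The review of mysql.user described in the post, as an added example that is not part of the original post: one query that lists every account with the reason it deserves a look. It assumes the MySQL 5.0/5.1 grant-table layout, where the password hash is in the Password column, and the `audit` alias and `findings` column name are made up for the example.

```sql
-- Added example, not from the original post.
-- Assumption: MySQL 5.0/5.1 grant tables (hash stored in mysql.user.Password).
-- Later versions store it in authentication_string; change the column name there.
SELECT User, Host, findings
FROM (
    SELECT
        User,
        Host,
        -- CONCAT_WS skips NULL arguments, so only the checks that hit are listed.
        CONCAT_WS(', ',
            IF(Password = '',         'no password',         NULL),
            IF(User = '',             'anonymous account',   NULL),
            IF(LOCATE('%', Host) > 0, 'wildcard host',       NULL),
            IF(Grant_priv = 'Y',      'global GRANT OPTION', NULL),
            IF(Super_priv = 'Y' OR File_priv = 'Y'
               OR Shutdown_priv = 'Y' OR Process_priv = 'Y',
                                      'global admin privilege', NULL),
            IF(Insert_priv = 'Y' OR Update_priv = 'Y'
               OR Delete_priv = 'Y' OR Drop_priv = 'Y',
                                      'global write privilege', NULL)
        ) AS findings
    FROM mysql.user
) AS audit
WHERE findings <> ''
ORDER BY User, Host;

-- For each row you do recognise, confirm what it can actually reach
-- (placeholders: substitute the User and Host values from the result):
--   SHOW GRANTS FOR 'some_user'@'some_host';

-- After DELETEing rows from mysql.user directly, reload the grant tables.
-- This is also needed before GRANT will work on a server that was started
-- with --skip-grant-tables.
FLUSH PRIVILEGES;
```

A root@localhost row created by the first GRANT above will still appear with global privileges; that is the intended maintenance login, so the query output is a review list rather than a delete list.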
