ATTACK VECTOR
Monthly hits via a global DDoS attack. Resolved with Cloudflare.
Attacker can now somehow unmount network drive links and reset user permissions for applications.
The attack is resolved simply by issuing these commands:
GRANT ALL PRIVILEGES ON application.* TO application_user;
FLUSH PRIVILEGES;
I also need to remount the remote drive using sshfs.
SYSTEM DESCRIPTION
My system operates with 2 servers.
A server has MySQL, Memcache, Nginx, and a lot of static content.
B server has Apache, PHP5-FPM, and mounts the static drive from A to serve some shared content. This is for imaging purposes.
A server and B server only talk on ports 80 and 443 to Cloudflare because we have been DDoS'd before. As far as I know, their true IPs are unknown.
A server does NOT allow foreign connections on 3306 for ANY user.
All MySQL passwords are 32 characters long and include non-alphanumeric characters ($@_'").
The passwords of users DO NOT change and the attacker has NEVER been able to provide me evidence they can read the database.
A and B server do not accept SSH on port 22 and their passwords are 64 non-alphanumeric characters. I have never seen logs that show an unfamiliar connection was made.
Application-level users do not have the ability to access mysql.user and they cannot make changes to this table. An SQL injection is unlikely because the attacker does not drop tables.
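The two symptoms described above (the application user losing its grants, and the sshfs mount disappearing) are both easy to check for on a schedule, so the next occurrence is caught and timestamped instead of discovered by users. The script below is an added example, not part of the original post or of any tool it mentions: it parses `SHOW GRANTS` output and `/proc/mounts` lines and reports either condition. The database name `application`, the user `application_user`, the mount point `/mnt/static` and the sample outputs are all constructed placeholders; on a real host you would feed it `mysql -e "SHOW GRANTS FOR ..."` and `cat /proc/mounts` instead.

```shell
#!/bin/sh
# Added example (not from the original post): health checks for the two
# symptoms the post describes, run here on constructed sample input so it
# works offline. "application", "application_user" and "/mnt/static" are
# assumed placeholder names.

# Constructed SHOW GRANTS output (healthy state): the user still holds
# ALL PRIVILEGES on the application schema.
SAMPLE_GRANTS_OK="GRANT USAGE ON *.* TO 'application_user'@'localhost'
GRANT ALL PRIVILEGES ON \`application\`.* TO 'application_user'@'localhost'"

# Constructed SHOW GRANTS output after the grants have been reset.
SAMPLE_GRANTS_RESET="GRANT USAGE ON *.* TO 'application_user'@'localhost'"

# Constructed /proc/mounts content with and without the sshfs mount.
SAMPLE_MOUNTS_OK="/dev/sda1 / ext4 rw,relatime 0 0
A:/srv/static /mnt/static fuse.sshfs rw,nosuid,nodev,relatime,user_id=0,group_id=0 0 0"
SAMPLE_MOUNTS_MISSING="/dev/sda1 / ext4 rw,relatime 0 0"

# grants_ok GRANTS_TEXT SCHEMA
# Returns 0 when the grants text contains ALL PRIVILEGES on SCHEMA.*
grants_ok() {
  printf '%s\n' "$1" | grep -q "GRANT ALL PRIVILEGES ON \`$2\`\.\* TO"
}

# mount_present MOUNTS_TEXT MOUNTPOINT
# Returns 0 when an sshfs filesystem is mounted at MOUNTPOINT.
mount_present() {
  printf '%s\n' "$1" | awk -v mp="$2" \
    '$2 == mp && $3 == "fuse.sshfs" { found = 1 } END { exit found ? 0 : 1 }'
}

# audit GRANTS_TEXT MOUNTS_TEXT
# Prints one ALERT line per problem found; returns the number of problems,
# so 0 means healthy.
audit() {
  problems=0
  if ! grants_ok "$1" application; then
    echo "ALERT: application_user has lost ALL PRIVILEGES on application.*"
    problems=$((problems + 1))
  fi
  if ! mount_present "$2" /mnt/static; then
    echo "ALERT: sshfs mount at /mnt/static is not present"
    problems=$((problems + 1))
  fi
  return $problems
}

# Stand-alone demonstration on the constructed samples.
audit "$SAMPLE_GRANTS_OK" "$SAMPLE_MOUNTS_OK" && echo "healthy state: no alerts"
audit "$SAMPLE_GRANTS_RESET" "$SAMPLE_MOUNTS_MISSING" || echo "degraded state: $? problem(s)"
```

Run from cron with the real command outputs substituted for the samples and the ALERT lines sent to syslog; the first timestamp at which a check flips from healthy to degraded is the window to search in the MySQL general/error log and the auth and kernel logs for what actually changed the grant table or unmounted the filesystem.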