20
Shardj
5y

We just got into a malicious bots database with root access.

So GuardDuty gave us some warnings for our Tableau server; after investigating we found an IP that was spamming us, trying all sorts. After trying some stuff we managed to access their MySQL database: root/root logged us in. Anyway, the database we just broke into seems to have schemas for not only the bot but also a few Chinese gambling websites. There are lots of payment details on here.

Big question: who do we report this to, and what's the best way to do so anonymously? I'm assuming the malicious bot has just hijacked the server for these gambling sites, so we won't touch those, but dropping the schema the bot is using is also viable. However, it has a list of other IPs; trying those we found more compromised servers which we could also log in to with root/root.

This is kinda ongoing, writing this as my coworker is digging through this more.

Comments
  • 12
    I wouldn't report it because I'd be sure that then they would go primarily after me. Trust level in the judicial system: 0.0
  • 0
    Hope you followed some basic opsec rules, otherwise reporting it could fall back on you.

    If you do report it, try to do it to the hosting provider, as most of them do not allow hosting illegal botnets or gambling sites; also, the owners of the hacked servers (or their providers) would usually like to be informed.
  • 0
    @sbiewald no, checking access logs would easily find the company IP. Probably best we leave it alone.
  • 2
    @Shardj let it be. Leave it alone for a few weeks, then from a VPN destroy everything, including the access logs. You have root access, so it's totally possible. It's not worth having anything come back to you for disclosing since you're identifiable, but with a VPN you have plausible deniability. Hell, give one of the members at devRant you trust the credentials and have them destroy it for you if you'd like. I can totally give them to the infosec president at my company who I have good relations with. He'd have a field day.
  • 4
    @Shardj If you follow @Techno-Wizard's recommendation, be sure you access the "evil server" over Tor then, and be sure not to accidentally send SSH public keys of your machines.
  • 0
    Tableau uses PostgreSQL not MySQL.
    I’m suspicious.
  • 2
    @bkwilliams we didn't break into our own database...
  • 0
    @Nanos I really don't think a botnet needs reporting to MI5; not sure how you'd even go about doing something like that.

    You're right that the botnet likely wouldn't suffer too much if you wiped one server; it could always re-infect.
  • 0
    +1 for Tableau
  • 0
    @Nanos thanks
  • 0
    @Shardj even so, it takes a lot of time to reconfigure the server, and backups might not be a thing if they're clumsy enough for you to get root access without even trying.