MySQL database constantly getting hacked on Ubuntu Linux

Experts I need help!!!

I have configured a DigitalOcean Ubuntu droplet for MySQL and Apache.

I changed the MySQL default port to 8086.

I removed all users and added my own user with an unguessable name and an ultra strong password.

I have enabled MySQL remote access for only one specific origin IP.

The firewall is also configured accordingly.

The droplet is accessed only with public keys.

Then, after all this, a few months later…

My database got hacked.

All databases were gone and there was a database with this name:

PLEASE_READ_ME_XMG

In this database there was a table named warning.

With one row saying: to get your data recovered, send us 0.08 BTC at some hash code.

Now I did not understand how the heck he got into my database when there was nothing to access it, like some forums on the internet saying WordPress issue, Laravel issue, etc.

But I have none of it running; I don't even have PHP or any kind of web-related language installed on the server. I just have an Apache server for serving static files, like a CDN.

This isn't happening for the first time.

This is the 5th time.

I do have the latest backup, which I took just 5 minutes before this happened, but I want to know how he got into my database and deleted everything.

This happened before as well, and I checked the source code and it was not tampered with, thanks to git.

This time exactly the same happened, but the database was on a different server; this time I added extra security by allowing database access from only one IP.

Still I got hacked, so I just want to know how he got into my database. So please share any possible security thing I might have missed. Thanks.

How do you connect to your MySQL server at port 8086? Are you using the mysql client? By default, communication between the MySQL server and client is not encrypted.

I am using nodejs on another server and I connect through it.

Two issues:

A) The connection between nodejs and MySQL is not secure. Are you using TLS/SSL certificates for communications?
B) Your app is not secure, and that is how they are getting access to MySQL. It can be done via SQL injection in nodejs and other methods. You need to install a web app firewall (or use a reverse proxy such as Cloudflare) to protect the app, and write a secure app. Please read the following about writing and securing nodejs apps:

Yes, I am using SSL certificates, plus I have proper validations in the node app.

Also, I am using Cloudflare as well.

I have no idea from where he got into the server.

Also, the database is on a different, isolated server on which there is only Apache installed for static file sharing, like a CDN.

No programming language or web language is installed, like PHP, nodejs, etc.

It has only Apache and MariaDB.
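The thread argues about three exposure points without ever checking them: where the database daemon actually listens, which remote hosts each account is allowed to connect from (a `user@%` entry silently undoes a "one origin IP" restriction), and whether the server refuses plaintext logins. The script below is an added example, not code from the thread or from MySQL/MariaDB. Its three `SAMPLE_*` strings are constructed to look like the output of `ss -tlnp`, `mysql -e "SELECT CONCAT(user, '@', host) FROM mysql.user"` and `mysql -e "SHOW VARIABLES LIKE 'require_secure_transport'"` on a droplet set up as the poster describes; the function names are mine. On a live server, pipe the real output of those commands into the same functions.

```shell
#!/bin/sh
# Added example, not from the thread: an offline audit of the three exposure
# points the posts argue about. The SAMPLE_* inputs are constructed.

# Constructed to resemble `ss -tlnp` on the database droplet.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      80     0.0.0.0:8086       0.0.0.0:*         users:(("mariadbd",pid=812,fd=21))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("apache2",pid=640,fd=4))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=501,fd=3))'

# Constructed to resemble SELECT CONCAT(user, "@", host) FROM mysql.user.
SAMPLE_USERS='root@localhost
appuser@203.0.113.10
appuser@%
backup@192.168.%'

# Constructed to resemble SHOW VARIABLES LIKE "require_secure_transport".
SAMPLE_VARS='Variable_name Value
require_secure_transport OFF'

# stdin: ss -tlnp output. Prints the local address:port of any MySQL/MariaDB
# listener bound to all interfaces. Changing the port does not change this;
# only a bind to 127.0.0.1 or the private interface takes the service off
# the public address, so the cloud firewall is the sole barrier otherwise.
exposed_db_listeners() {
    awk '/mariadbd|mysqld/ && $4 ~ /^(0\.0\.0\.0|\*|\[::\]):/ { print $4 }'
}

# stdin: user@host lines. Prints accounts whose host part contains a MySQL
# wildcard (% or _); such accounts accept logins from addresses other than
# the single origin IP the poster intended to allow.
wildcard_host_accounts() {
    awk -F@ '$2 ~ /[%_]/ { print $0 }'
}

# stdin: SHOW VARIABLES rows. Prints "yes" only when require_secure_transport
# is ON (MySQL 5.7+ and recent MariaDB); prints nothing if the variable is
# missing, which the caller treats as "not enforced".
tls_enforced() {
    awk '$1 == "require_secure_transport" { if ($2 == "ON") print "yes"; else print "no" }'
}

# Runs the three checks over the samples, prints one FINDING line per issue
# and a final "findings: N" line, and returns 1 if anything was found.
audit_report() {
    findings=0
    for l in $(printf '%s\n' "$SAMPLE_SS" | exposed_db_listeners); do
        echo "FINDING: database listener bound to all interfaces: $l"
        findings=$((findings + 1))
    done
    for a in $(printf '%s\n' "$SAMPLE_USERS" | wildcard_host_accounts); do
        echo "FINDING: account accepts wildcard hosts: $a"
        findings=$((findings + 1))
    done
    if [ "$(printf '%s\n' "$SAMPLE_VARS" | tls_enforced)" != "yes" ]; then
        echo "FINDING: require_secure_transport is not ON; plaintext logins are accepted"
        findings=$((findings + 1))
    fi
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

if audit_report; then
    echo "no exposure findings"
else
    echo "review the findings above before trusting the firewall alone"
fi
```

With the constructed samples the report lists four findings: the daemon bound to `0.0.0.0:8086`, two wildcard-host accounts, and TLS not enforced. Any one of the first three is enough to explain a remote login that the "one IP" rule was supposed to block, which is why checking `mysql.user` and the bind address is more informative than changing the port again.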
