I’m running Fedora 35, and have docker installed that provides an apache, php an mysql server locally. The docker related services are not accessible from the internet to the best of my knowledge. I also have the Fedora firewall enabled.
This morning I noticed the database in mysql provided by docker no longer existed. While docker is running mysql as virtual machine, the actual mysql raw data is stored on my machine, the host machine. Looking at the directory that held my docker mysql data, I can see a new database was created yesterday, named Z_README_TO_RESTORE. Looking inside the database it’s a ransomware attack asking for bitcoin. Also if you google the database name, you’ll see similar reports, but usually just on online web servers, no local docker reports.
I’ve ran chkrootkit and found nothing. I’ve also looked at the last logins and no one logged into my machine around the time these files were created.
Interestingly, the files are created by the systemd-timesync user. There is no way the systemd-timesync user should be creating or editing these files, the correct user is usern.
[usern@localhost workingdir]$ sudo ls -ls mysql/Z_README_TO_RECOVER/ total 112 4 -rw-rw----. 1 systemd-timesync input 65 May 31 13:08 db.opt 12 -rw-rw----. 1 systemd-timesync input 8560 May 31 13:08 RECOVER_YOUR_DATA.frm 96 -rw-rw----. 1 systemd-timesync input 98304 May 31 13:08 RECOVER_YOUR_DATA.ibd
I’ve looked for other files created around this time but can’t find anything obvious, mostly just packagekit and snap updates files, hundreds of them.
However, 3 related files were modified by the systemd_timesync user at the same time:
2510027 4 -rw-rw---- 1 systemd-timesync input 484 May 31 13:08 ./home/usern/workingdir/mysql/mysql/user.MYD 2510093 128 -rw-rw---- 1 systemd-timesync input 131072 May 31 13:08 ./home/usern/workingdir/mysql/mysql/innodb_table_stats.ibd 2510095 256 -rw-rw---- 1 systemd-timesync input 262144 May 31 13:08 ./home/usern/workingdir/mysql/mysql/innodb_index_stats.ibd
Interesting, I also have mysql installed on my host machine outside of docker… it wasn’t running at the time of the ransomware attack. The non docker mysql install puts the mysql data in a different folder, the default mysql folder, where as the docker mysql data directory is within a sub folder within specific user account. The non docker mysql data is all intact.
I’m not interested in getting my data back, but I am interested in finding the root cause so I can prevent it.