My AWS RDS MySQL instance got hacked and this is what I did :)

Gvs Akhil
3 min read, Feb 9, 2020


I was working with a client who needed a web application for his users. As we know, running instances on AWS is pretty easy, and I love using AWS. It had been running fine for 6 months when suddenly one day I got a call saying the application was not working. I didn't understand what was going wrong, as I had not touched the code for the past 4 months.

Step 1 — First I checked my AWS console, and everything was running fine

Step 2 — Checked whether my frontend deployment had any issues; it was also running fine

Step 3 — Checked my backend logs and found errors saying

Table.users doesn’t exist

Table.clients doesn’t exist

I was shocked to see them. I connected to my RDS instance and was stunned by what had happened. Have a look at what happened in the images below :)

All my tables had been erased, and the attacker had added a warning table containing the data below

He asked me for bitcoin worth nearly 40k INR. Paying is not at all recommended, as we would only be encouraging them.

The best part of an AWS RDS instance is its automated backups. So I got my data back :) (A restore from an automated backup creates a new instance from the backup or from a point in time within the retention window, so what you recover is the data as of that point, not anything written after it.)

So next I deleted my RDS instance and created a new one after taking a backup of my old data.

Then I realised my mistakes:

Mistake 1: I used the default admin as the username and password as the password for my instance (a pretty silly mistake, but don’t shout at me; I didn’t know hacking was this simple for them). I have now deleted the default admin and created a new user with the same rights and a strong password :)

Mistake 2: My security group allowed inbound access from anywhere (0.0.0.0/0, meaning anyone in the world could connect to my instance), so I restricted it to my laptop and the AWS EC2 instance.

Mistake 3: My EC2 instance was also accessible from anywhere, so I made it accessible only from my local system and the frontend instance.
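Mistakes 2 and 3 are the same finding twice: an inbound rule on a security group whose source is the whole internet. The check below is an added example, not the author's code; it walks the JSON shape returned by `aws ec2 describe-security-groups` (the `SecurityGroups` array) and reports every sensitive port reachable from 0.0.0.0/0 or ::/0, then builds the replacement rule that allows only a named /32 and another security group. The group IDs, group names and CIDRs in the sample are constructed for the example.

```javascript
// Added example (not from the original post): audit security groups for
// ingress rules open to the whole internet on sensitive ports, using the
// field names from `aws ec2 describe-security-groups --output json`.

const SENSITIVE_PORTS = { 22: 'ssh', 3306: 'mysql', 5432: 'postgres', 27017: 'mongodb' };
const WORLD_CIDRS = new Set(['0.0.0.0/0', '::/0']);

// True when a permission's port range covers `port`. IpProtocol "-1" means
// all protocols and all ports; AWS omits FromPort/ToPort in that case.
function ruleCoversPort(perm, port) {
  if (perm.IpProtocol === '-1') return true;
  if (perm.IpProtocol !== 'tcp') return false;
  return perm.FromPort <= port && port <= perm.ToPort;
}

// Return one finding per (group, port, world CIDR) that is reachable.
function findWorldOpenRules(securityGroups, sensitivePorts = SENSITIVE_PORTS) {
  const findings = [];
  for (const sg of securityGroups) {
    for (const perm of sg.IpPermissions || []) {
      const cidrs = [
        ...(perm.IpRanges || []).map(r => r.CidrIp),
        ...(perm.Ipv6Ranges || []).map(r => r.CidrIpv6),
      ].filter(c => WORLD_CIDRS.has(c));
      if (cidrs.length === 0) continue;
      for (const [portStr, service] of Object.entries(sensitivePorts)) {
        const port = Number(portStr);
        if (!ruleCoversPort(perm, port)) continue;
        for (const cidr of cidrs) {
          findings.push({ groupId: sg.GroupId, groupName: sg.GroupName, port, service, cidr });
        }
      }
    }
  }
  return findings;
}

// The corrected permission: same port, but only from explicit CIDRs (the
// developer's /32) and from another security group (the app server), so the
// EC2 -> RDS hop does not depend on the instance's IP address.
function restrictedIngress(port, allowedCidrs, allowedGroupIds) {
  return {
    IpProtocol: 'tcp',
    FromPort: port,
    ToPort: port,
    IpRanges: allowedCidrs.map(cidr => ({ CidrIp: cidr })),
    UserIdGroupPairs: allowedGroupIds.map(id => ({ GroupId: id })),
  };
}

// Constructed sample (not real groups): an RDS group mirroring the post's
// mistake, an EC2 group open on everything, and an already restricted group.
const SAMPLE_GROUPS = [
  {
    GroupId: 'sg-0000000000000001', GroupName: 'rds-open',
    IpPermissions: [
      { IpProtocol: 'tcp', FromPort: 3306, ToPort: 3306,
        IpRanges: [{ CidrIp: '0.0.0.0/0' }], Ipv6Ranges: [], UserIdGroupPairs: [] },
    ],
  },
  {
    GroupId: 'sg-0000000000000002', GroupName: 'ec2-open',
    IpPermissions: [
      { IpProtocol: '-1', IpRanges: [{ CidrIp: '0.0.0.0/0' }], Ipv6Ranges: [{ CidrIpv6: '::/0' }] },
    ],
  },
  {
    GroupId: 'sg-0000000000000003', GroupName: 'rds-restricted',
    IpPermissions: [restrictedIngress(3306, ['203.0.113.10/32'], ['sg-0000000000000004'])],
  },
];

for (const f of findWorldOpenRules(SAMPLE_GROUPS)) {
  console.log(`${f.groupId} (${f.groupName}): ${f.service}/${f.port} open to ${f.cidr}`);
}
```

Run it against the real output of `aws ec2 describe-security-groups` by reading the `SecurityGroups` array instead of `SAMPLE_GROUPS`. Referencing the application server's security group in `UserIdGroupPairs`, rather than its public IP, is the idiomatic way to express "only my EC2 instance", since the instance's public address can change. Closing the network path is necessary but not sufficient: the default credentials in Mistake 1 also had to go.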

Precautions I took: added some packages to my backend Node server that may stop some attacks.

For ex:

  1. Added the xss package to stop XSS attacks
  2. Removed the default MySQL connection username and password from my code and fetched them from environment variables, so that if someone gets access to my code they can’t connect to my DB
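Mistake 1 and precaution 2 meet in how the backend obtains its database credentials. The loader below is an added example (not the author's code) of reading the connection settings from environment variables and refusing to start if any are missing, if the username is a stock account name such as `admin`, or if the password is a well-known default or too weak. The variable names `DB_HOST`, `DB_PORT`, `DB_NAME`, `DB_USER` and `DB_PASSWORD`, and the sample values, are assumptions for the example.

```javascript
// Added example (not from the original post): fail-closed loading of MySQL
// connection settings from the environment. Variable names are assumed.

const REQUIRED = ['DB_HOST', 'DB_NAME', 'DB_USER', 'DB_PASSWORD'];

// Stock account names and well-known default passwords; the post's original
// instance used admin/password, which a scanner tries first.
const DEFAULT_USERS = new Set(['admin', 'root', 'mysql', 'user', 'test']);
const WEAK_PASSWORDS = new Set(['password', 'admin', 'root', 'mysql', '123456', 'changeme', '']);

// Minimum bar: 16+ characters drawn from at least 3 of 4 character classes.
function passwordIsStrong(pw) {
  if (pw.length < 16) return false;
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].filter(re => re.test(pw)).length;
  return classes >= 3;
}

// Returns { host, port, database, user, password }, or throws listing every
// problem found, so a misconfigured deploy stops instead of connecting with
// whatever happened to be hardcoded.
function loadDbConfig(env = process.env) {
  const problems = [];
  for (const name of REQUIRED) {
    if (!env[name] || env[name].trim() === '') problems.push(`${name} is not set`);
  }
  const user = env.DB_USER || '';
  const password = env.DB_PASSWORD || '';
  if (DEFAULT_USERS.has(user.toLowerCase())) {
    problems.push(`DB_USER "${user}" is a default account name; create a dedicated application user`);
  }
  if (WEAK_PASSWORDS.has(password.toLowerCase())) {
    problems.push('DB_PASSWORD is a well-known default');
  } else if (password && !passwordIsStrong(password)) {
    problems.push('DB_PASSWORD is too weak (need 16+ characters from 3 character classes)');
  }
  const port = Number(env.DB_PORT || 3306);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    problems.push(`DB_PORT "${env.DB_PORT}" is not a valid port`);
  }
  if (problems.length > 0) {
    throw new Error('Refusing to start:\n  - ' + problems.join('\n  - '));
  }
  return { host: env.DB_HOST, port, database: env.DB_NAME, user, password };
}

// Constructed sample environments: one acceptable, one reproducing the post's
// admin/password setup.
const GOOD_ENV = {
  DB_HOST: 'db.example.internal', DB_NAME: 'app', DB_PORT: '3306',
  DB_USER: 'app_svc', DB_PASSWORD: 'Xk9#vLq2$mRt7wPz',
};
const BAD_ENV = { DB_HOST: 'db.example.internal', DB_NAME: 'app', DB_USER: 'admin', DB_PASSWORD: 'password' };

console.log('good config user:', loadDbConfig(GOOD_ENV).user);
try {
  loadDbConfig(BAD_ENV);
} catch (err) {
  console.log(err.message);
}
```

Pass the returned object to `mysql.createPool` (mysql2) or the equivalent in your driver. Two points the check does not cover: the application account should hold only the grants it needs on its own schema rather than master rights, so a leaked app credential cannot drop every table; and environment variables keep secrets out of the repository but not out of the running process or the instance, so they do not replace closing the network path to the database.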

This is what I did based on my experience. If you have better ideas for securing the data, just comment below :) Suggestions are always welcome.


Gvs Akhil

Full Stack developer working as a Tech Lead at Godomo. I have expertise in Angular, NextJS, Flutter, NodeJS, .Net, Python, MongoDB, MySQL, Azure, AWS