Analysis on the reasons of Ctrip database security event

Source: Internet
Author: User

There are various accounts circulating on the Internet about the Ctrip database incident: some say the database data and its backups were physically deleted, some say the business code on each node was deleted, and others say it was an operator error that left the business unavailable.

The explanation Ctrip officially gave early in the day (5Month inDay1: -) was: Ctrip's technical verification found that the incident was caused by staff misoperation. Because Ctrip's businesses, applications and services are extensive, it took a long time to verify that the functions between applications and services were working properly. Ctrip's official website and APP were fully restored to normal at 23:29 that day. Ctrip again apologised for the inconvenience caused to users.


Although the matter remains controversial, Anwarking, as a professional database security vendor, has its own understanding of the underlying causes of the incident, and its security consultants offer the following analysis.

Judging by the timeline, the problem appeared at 11:09 in the morning and recovery only came at night. Taking that long to recover data makes it very likely that the database itself was what went wrong.

Ctrip uses the MySQL database and built its high-availability mechanism on MySQL's own replication. If the cause had merely been accidental deletion of a directory or file, the data could have been restored directly from the backup device. More plausibly, while deleting or modifying a single record, a mistaken WHERE condition deleted the whole data set, and because the replica is linked to the primary, the data inside the backup server was deleted as well, which made recovery very difficult. One can even suspect that Ctrip had no internal audit equipment: with a database audit device in place, every action on the database can be traced back.

If the attack came from outside, three scenarios are possible.

First, building on the cross-site scripting vulnerability previously reported at Ctrip, an attacker could use a reverse-injection approach: planting code in the back end so that, when it is later invoked, it damages the back-end systems.

Second, debug mode was enabled on the application servers, and transaction card numbers and details were being saved. If this was not done by insiders, it means hackers obtained that information from the application servers, which implies they may have planted backdoor programs there; a backdoor on an application server allows a direct connection to the back-end servers. The odds of this are small, however, since it should have been dealt with after Ctrip's similar problem last year.

Third, a complex APT attack: operators are phished while logging in to the network and download the attacker's program, and when they later access the intranet at work, this enables an indirect attack.

The Internet industry values rapid response, so many Internet companies have, like Ctrip, adopted a strategy of integrating development and operations. Although this shortens development and response time to some extent, it brings many management problems.

In light of this incident, An Huaqin and its senior security consultants recommend to the wide user community, not only in the Internet domain, that enterprises first standardise their management system: the model of integrating development and operations needs to change first. Development and operations should each have their own working environment, and development work should be done on test systems rather than by directly touching the production system.

At some Internet companies, operations equipment, development equipment and machines connected to the external network are all freely accessible. This speeds up response to some extent, but problems very often arise precisely here.

Operational alerting is also essential. Once control devices similar to a bastion host (fortress machine) are added, operators working on servers no longer connect directly to the database. Finally, a database firewall should be deployed to block dangerous operations by both hackers and internal personnel.
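As an added example (not from the article, and not Anwarking's product code), the following Python script shows the kind of rule a database audit device or database firewall would apply to the two points made above: the whole-table DELETE caused by a mistaken WHERE condition, and tracing every database action back to the user who issued it. It reads constructed MySQL general-log lines; the log layout, user, host and table names are assumptions made for the illustration.

```python
import re

# Constructed sample in the style of a MySQL 5.7 general query log;
# user, host and table names are invented for this illustration.
SAMPLE_LOG = """\
2015-05-28T11:05:12.000000Z\t   17 Connect\tops_user@10.0.0.5 on orders_db
2015-05-28T11:06:01.000000Z\t   17 Query\tSELECT id, status FROM orders WHERE id = 1001
2015-05-28T11:08:55.000000Z\t   17 Query\tUPDATE orders SET status = 'cancelled' WHERE id = 1001
2015-05-28T11:09:03.000000Z\t   17 Query\tDELETE FROM orders WHERE 1 = 1
2015-05-28T11:09:10.000000Z\t   17 Query\tDELETE FROM order_items
2015-05-28T11:09:30.000000Z\t   17 Query\tDROP TABLE payments
2015-05-28T11:10:00.000000Z\t   17 Quit\t
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\t(?P<arg>.*)$")
DML_RE = re.compile(r"^\s*(DELETE\s+FROM|UPDATE)\s+(?P<table>\w+)(?P<rest>.*)$", re.I | re.S)
DDL_RE = re.compile(r"^\s*(DROP|TRUNCATE)\s+(TABLE|DATABASE|SCHEMA)\b", re.I)
TAUTOLOGY_RE = re.compile(r"^\s*(1\s*=\s*1|true|1)\s*;?\s*$", re.I)

def classify(sql):
    """Return 'block', 'alert' or 'allow' for one SQL statement."""
    if DDL_RE.match(sql):
        return "block"                      # destructive DDL from an ops session
    m = DML_RE.match(sql)
    if not m:
        return "allow"                      # reads and inserts pass through
    where = re.search(r"\bWHERE\b(?P<cond>.*)$", m.group("rest"), re.I | re.S)
    if where is None or TAUTOLOGY_RE.match(where.group("cond")):
        return "block"                      # whole-table DELETE/UPDATE: the "condition error" case
    return "alert"                          # scoped write: allowed, but recorded for audit

def audit(log_text):
    """Attribute each statement to the connecting user and classify it."""
    users, findings = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, cmd, arg = m.group("conn"), m.group("cmd"), m.group("arg")
        if cmd == "Connect":
            users[conn] = arg.split(" on ")[0]   # keep "user@host" for this connection id
        elif cmd == "Query":
            findings.append({"ts": m.group("ts"), "user": users.get(conn, "?"),
                             "verdict": classify(arg), "sql": arg})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["ts"], f["user"], f["verdict"].upper(), f["sql"])
```

A real database firewall sits in-line and refuses the "block" statements before they reach the primary, so they never replicate to the backup server; the audit device keeps the same attribution trail for the statements it lets through.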


This article is from the Database security blog, so be sure to keep this source http://schina.blog.51cto.com/9734953/1657235
