Recurring Database Record Deletions Despite Restores – Need Troubleshooting Help - Enhance Control Panel

Recurring Database Record Deletions Despite Restores – Need Troubleshooting Help

microvax

We are experiencing an issue with a website where it appears that records from the database have been deleted. We restored a backup yesterday, but the records were deleted again today.

Previously, this site was hosted on a VPS managed with RunCloud, where I installed MariaDB's audit plugin at some point.

Has anyone experienced a similar situation or have suggestions on how to identify the cause and prevent this from happening again?

Any guidance would be appreciated.

cPFence

microvax

You’ll need to share a bit more info, what records are being deleted, what plugins are running, etc.

Also make sure to review the WordPress admin accounts and remove anything suspicious. That’s a common oversight: even if the site itself is clean, an old compromised admin account can bypass all protections and keep deleting data.

gozen

Your site is probably hacked, you need to do a thorough search and see if you can find any malicious code, change passwords, etc.

microvax

The web application I’m referring to isn’t built with WordPress but with CodeIgniter, and something I recently discovered is that they had the env file without the leading dot, so the database connection passwords were visible there. That said, is there a way to check the Apache logs for this website?

opsshield

microvax " is there a way to check the Apache logs for this website?" - The access logs are rotated quite frequently in Enhnace, so checking the raw access logs history is not possible by default. So you have to create some custom scripts to store the logs before they rotate and refer them when the incident happens again.

JohnB

You should post the plugin list here in addition to what others said about checking if site has been hacked and reviewing logs.

What's being deleted from the database? Users?

microvax

@JohnB #p26394, as I mentioned earlier, the web application is a custom build with CodeIgniter, not WordPress.

gozen

That doesn't mean it can not be hacked.
I find it more possible than SQL Server or any other tool related to the Control Panel when it comes to deleting random records from the DB.

Adam

Even if the database credentials were exposed, they would not be useful unless you had allowed a wildcard access host % against the same mysql user in your hosting control panel.

If it's happening frequently enough that it's effectively reproducible and if it's on a server with few/no other websites, you could consider enabling the general log in mariadb and logging every sql query for a period of time. This does have a performance impact and will obviously consume a lot of disk space.

https://mariadb.com/docs/server/server-management/server-monitoring-logs/general-query-log

I'd be surprised if the Apache error log were helpful but the logs are available in /var/local/enhance/webserver_logs/{websiteId}.log where {website_id} is the ID of the website. These generally last until the stats processor runs (roughly every 5 minutes). If you would like them for longer, start a screen session with:

tail --follow=name /var/local/enhance/webserver_logs/{websiteId}.log >> ~/my_website.log

This will pipe all logs into a file in your home dir for later analysis.

twest

Have you checked the CI error logs? I use CI extensively and never had this problem, my guess would be there's something wrong in the app itself.