5.7.26-29-57-log Percona XtraDB Cluster now tables can not be read

Ubuntu did a few updates recently one of them was

Server version: 5.7.26-29-57-log Percona XtraDB Cluster (GPL), Release rel29, Revision 03540a3, WSREP version 31.37, wsrep_31.37

Now nothing seems to be able to access the DB , seems to be user rights issue but

SHOW GRANTS FOR root@localhost;
±--------------------------------------------------------------------+
| Grants for root@localhost |
±--------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON . TO ‘root’@‘localhost’ WITH GRANT OPTION |
| GRANT PROXY ON ‘’@’’ TO ‘root’@‘localhost’ WITH GRANT OPTION |
±--------------------------------------------------------------------+
2 rows in set (0.00 sec)

Trying to do a backup

aio@aio:~$ mysqldump -u root -p --lock-for-backup --all-databases > full-backup-$(date +%F).sql
Enter password:
mysqldump: Couldn’t execute 'SHOW FIELDS FROM episode_view': View ‘video116.episode_view’ references invalid table(s) or column(s) or function(s) or definer/invoker of view lack rights to use them (1356)

Website

Fatal error: Uncaught Exception: Error: Table ‘opencartGTAGF.oc_session’ doesn’t exist
Error No: 1146
SELECT data FROM oc_session WHERE session_id = ‘72c913db630cbd07783a2649bd’ AND expire > 1568448394 in /var/www/html/system/library/db/mysqli.php:40 Stack trace: #0 /var/www/html/system/library/db.php(45): DB\MySQLi->query(‘SELECT data F…’) #1 /var/www/html/system/library/session/db.php(21): DB->query(‘SELECT data F…’) #2 /var/www/html/system/library/session.php(72): Session\DB->read(‘72c913db630cbd0…’) #3 /var/www/html/system/framework.php(106): Session->start(‘72c913db630cbd0…’) #4 /var/www/html/system/startup.php(104): require_once(’/var/www/html/s…’) #5 /var/www/html/index.php(19): start(‘catalog’) #6 {main} thrown in /var/www/html/system/library/db/mysqli.php on line 40

Fatal error: Uncaught Exception: Error: Table ‘opencartGTAGF.oc_session’ doesn’t exist
Error No: 1146
REPLACE INTO oc_session SET session_id = ‘72c913db630cbd07783a2649bd’, data = ‘[]’, expire = ‘2019-09-14 09:06:34’ in /var/www/html/system/library/db/mysqli.php:40 Stack trace: #0 /var/www/html/system/library/db.php(45): DB\MySQLi->query(‘REPLACE INTO o...') #1 /var/www/html/system/library/session/db.php(32): DB->query('REPLACE INTO o…’) #2 /var/www/html/system/library/session.php(81): Session\DB->write(‘72c913db630cbd0…’, Array) #3 [internal function]: Session->close() #4 {main} thrown in /var/www/html/system/library/db/mysqli.php on line 40

having a look at the tables I see a lot of extensions with _WARNING and _encrypt ,
I have not yet reloaded a old backup to see if these used to be their or not yet but pretty sure they never existed

mysql_upgrade -u root -p
Enter password:
Checking if update is needed.
Checking server version.
Running queries to upgrade MySQL server.
Checking system database.
mysql.columns_priv OK
mysql.db OK
mysql.engine_cost OK
mysql.event OK
mysql.func OK
mysql.general_log OK
mysql.gtid_executed OK
mysql.help_category OK
mysql.help_keyword OK
mysql.help_relation OK
mysql.help_topic OK
mysql.innodb_index_stats OK
mysql.innodb_table_stats OK
mysql.ndb_binlog_index OK
mysql.plugin OK
mysql.proc OK
mysql.procs_priv OK
mysql.proxies_priv OK
mysql.server_cost OK
mysql.servers OK
mysql.slave_master_info OK
mysql.slave_relay_log_info OK
mysql.slave_worker_info OK
mysql.slow_log OK
mysql.tables_priv OK
mysql.time_zone OK
mysql.time_zone_leap_second OK
mysql.time_zone_name OK
mysql.time_zone_transition OK
mysql.time_zone_transition_type OK
mysql.user OK
The sys schema is already up to date (version 1.5.1).
Checking databases.
sys.sys_config OK

opencartGTAGF.oc_session_WARNING OK
opencartGTAGF.oc_session_encrypt OK

test.oc_weight_class_description_encrypt OK
test.oc_weight_class_encrypt OK
test.oc_zone_WARNING OK
test.oc_zone_encrypt OK
test.oc_zone_to_geo_zone
Warning : Percona-XtraDB-Cluster doesn’t recommend use of ADMIN command on a table (test.oc_zone_to_geo_zone) that resides in non-transactional storage engine with pxc_strict_mode = PERMISSIVE
status : OK
Upgrade process completed successfully.
Could not create the upgrade info file ‘/var/lib/mysql/mysql_upgrade_info’ in the MySQL Servers datadir, errno: 13

ok so it looks like something tried encrypting everything ? I restored from a old backup but how can I recover all the new data since last backup ?

oc_address_encrypt.frm oc_dqc_setting_encrypt.ibd oc_product_description.MYD
oc_address_encrypt.ibd oc_dqc_setting.frm oc_product_description.MYI
oc_address.frm oc_dqc_setting.MYD oc_product_description_WARNING.frm
oc_address.MYD oc_dqc_setting.MYI oc_product_description_WARNING.ibd
oc_address.MYI oc_dqc_setting_WARNING.frm oc_product_discount.frm
oc_address_WARNING.frm oc_dqc_setting_WARNING.ibd oc_product_discount.MYD
oc_address_WARNING.ibd oc_dqc_statistic_encrypt.frm oc_product_discount.MYI
oc_api_encrypt.frm oc_dqc_statistic_encrypt.ibd oc_product_filter_encrypt.frm
oc_api_encrypt.ibd oc_dqc_statistic.frm oc_product_filter_encrypt.ibd
oc_api.frm oc_dqc_statistic.MYD oc_product_filter.frm

Sigh looks like I was hacked , well I can stop trying to chase my tail now

LOCK TABLES oc_address_WARNING WRITE;
/!40000 ALTER TABLE oc_address_WARNING DISABLE KEYS /;
INSERT INTO oc_address_WARNING VALUES (1,‘Your oc_address table has been encrypted. For decription you need to pay 0.060000 bitcoin to the address 1nW82ZSkhT5Xzs8Gc9vWaMtDm3FAqhJXC\nAfter payment you should go to the http://bp7hhvchre5ifqd6.onion/order/1nW82ZSkhT5Xzs8Gc9vWaMtDm3FAqhJXC using tor client and get your unique secret key.\nAfter receiving the key, you must execute mysql request: UPDATE oc_address SET field = AES_DECRYPT(field, ‘YOUR-SECRET-KEY’);\n\nIf you want, you can check how this works on this table. Field “secretProof” is encrypted with a simple key, execute the request:\nUPDATE oc_address_WARNING SET secretProof = AES_DECRYPT(secretProof, ‘keyForProof’);\n\nAttention. This key does not work for your master data. Do not use it, otherwise you may permanently damage the data. To get the key you need, contact us.Field tableStruct contains the original names and type of your table. The key for decoding is the same as key for prof: keyForProof’,‘1nW82ZSkhT5Xzs8Gc9vWaMtDm3FAqhJXC’,‘http://bp7hhvchre5ifqd6.onion/order/1nW82ZSkhT5Xzs8Gc9vWaMtDm3FAqhJXC’,_binary '\Z\Ï\Âb\0OòGD\ç!\ZŠ¯av€:rfqI5\ÄɃû$z‘Ÿ.€˜ev·n\á
š\ÈJ Pð6N³Œ Fó\ÛU"\áž0C–\Çd\Æ{+$«\ëX1Ž[9<#¿,‹VG·>Ž\Ï(L\r\Æ\ï„]±]‹y\ßRÔŒ\à\Þs\Ý{ðú\Ö\â³\ÂW\Ê\ì&S®’K\ÆV1žuÀ\×\ÞX\ÒEñmŸ|’,binary 'K›¶.²O³ŽqÞ®c‚Ñž ŠþVӁs†\ïIª\Ã[\Ètgœýq2ý°Â¿D\Ьšß’€ÿÿ{z•\Ï+\à8ö#w6$ºgHzrv»ñ\î‹úû‰ðš¢\Úù3ŸZ\Ô÷šQW·\Ø[\ÞDž°œ…\Ø0£H±g>\ZðJY\Õl{\ÚBð\rږbmw •‰o_ڔ¹CÁŽI’·²PTˆAJ\7\Ð)Š\Zðž Q’\Û\Ù" +œ&u\ä±ùõ†\0Eh¶-\Ä÷¢\ØT—Ÿ¯\Í_\ÄP\0VŠÒ‡h;Q†ˆ\ÎZŠaye‘D[M’\05!‹‹0ž\Ú\ÆM?ˉŸþZ¶ý¯\r«\é…\ê\ÝB2÷¹’€/ö‘haVŒ\î{©’ó
a\Ç\äa\Ò\ÈLB%„g£ÍˆÁ²ýƒg¡œ°ý\ÜN®ýËœZR^h\ï\Å\Ò*\ï\Ø_\à‡<ú\èº\îp>n\Ã\ÇÁ\Ò\ß\í\Ö@ý+’);
/*!40000 ALTER TABLE oc_address_WARNING ENABLE KEYS */;
UNLOCK TABLES;