Notes on a MySQL database hit by ransomware

  1. Attacked by ransomware
  2. Resolution process
    1. Change passwords immediately
    2. Confirm the conditions for data recovery
    3. Recovery method
      1. Inspect the binlog
      2. Determine what to recover from the log
      3. Recovery steps

Attacked by ransomware

To recover your lost databases and avoid leaking it: visit http://o42xfh5kao7mrtesnok5jgdsfagjsgzxlxdlpkpd2x6lpckhzk225yad.onion and enter your unique token e620354e995a068f and pay the required amount of Bitcoin to get it back. Databases that we have: emerge, dev_oa, wcjd_admin, oa, stock. Your databases are downloaded and backed up on our servers. If we dont receive your payment in the next 9 Days, we will sell your database to the highest bidder or use them otherwise. To access this site you have use the tor browser https://www.torproject.org/projects/torbrowser.html

Resolution process

1. Change passwords immediately

  1. Change the server password
  2. Change the database password
  3. Change the database access port

2. Confirm the conditions for data recovery

Data recovery requires two conditions:

  1. A historical backup of the database exists;
  2. The MySQL service has binlog enabled.

Recovery is only possible if both conditions are met.

3. Recovery method

1. Inspect the binlog

show variables like '%log_bin%';

Back up the binlog files first so the logs cannot be lost. The binlog directory may be /usr/local/mysql/var; there are two ways to find the exact location:

  1. Check the MySQL configuration file my.cnf for the binlog path setting
  2. Query it with SQL:
# Show the current binary log file
show master status;
# Show the events in the log named binlog.000002; the output includes the log path
show binlog events in 'binlog.000002';

After backing up the log files, inspect them to determine when the data was deleted. First use mysqlbinlog to dump the log entries after a given time:

/usr/local/mysql/bin/mysqlbinlog --no-defaults --database=emerge --start-datetime="2021-04-16 17:46:14" /home/shumei/sqllog/mysql-bin.000089 > /home/shumei/sqllog/log89.sql

If you don't know where the mysqlbinlog binary is, locate it with find:

find / -name mysqlbinlog

After exporting, the log contents look like this:

# at 3809968
#210416 17:46:19 server id 1  end_log_pos 3810094 	Query	thread_id=27527	exec_time=0	error_code=0
use `emerge`/*!*/;
SET TIMESTAMP=1618566379/*!*/;
SET @@session.sql_mode=0/*!*/;
CREATE TABLE whiteeyes (name VARCHAR(255), code VARCHAR(255))
/*!*/;
# at 3810094
#210416 17:46:19 server id 1  end_log_pos 3810207 	Query	thread_id=27527	exec_time=0	error_code=0
SET TIMESTAMP=1618566379/*!*/;
DROP TABLE `whiteeyes` /* generated by server */
/*!*/;
# at 3810207
#210416 17:48:59 server id 1  end_log_pos 3810294 	Query	thread_id=27529	exec_time=0	error_code=0
SET TIMESTAMP=1618566539/*!*/;
DROP DATABASE `emerge`
/*!*/;
# at 3810294
#210416 17:49:01 server id 1  end_log_pos 3810448 	Query	thread_id=27530	exec_time=0	error_code=0
SET TIMESTAMP=1618566541/*!*/;
SET @@session.sql_mode=524288/*!*/;
CREATE DATABASE IF NOT EXISTS `emerge` DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci
/*!*/;
# at 3810448
#210416 17:49:02 server id 1  end_log_pos 3810736 	Query	thread_id=27530	exec_time=0	error_code=0
use `emerge`/*!*/;
SET TIMESTAMP=1618566542/*!*/;
CREATE TABLE `WARNING`( `id` int(11) NOT NULL, `warning` text COLLATE utf8_unicode_ci, `website` text COLLATE utf8_unicode_ci, `token` text COLLATE utf8_unicode_ci) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci
/*!*/;
# at 3810736
#210416 17:49:03 server id 1  end_log_pos 3810806 	Query	thread_id=27530	exec_time=0	error_code=0
SET TIMESTAMP=1618566543/*!*/;
BEGIN
/*!*/;
# at 3810806
#210416 17:49:03 server id 1  end_log_pos 3811614 	Query	thread_id=27530	exec_time=0	error_code=0
SET TIMESTAMP=1618566543/*!*/;
INSERT INTO `WARNING` (`id`, `warning`, `website`, `token`) VALUES (1, 'To recover your lost databases and avoid leaking it: visit http://o42xfh5kao7mrtesnok5jgdsfagjsgzxlxdlpkpd2x6lpckhzk225yad.onion and enter your unique token e620354e995a068f and pay the required amount of Bitcoin to get it back. Databases that we have: emerge, dev_oa, wcjd_admin, oa, stock. Your databases are downloaded and backed up on our servers. If we dont receive your payment in the next 9 Days, we will sell your database to the highest bidder or use them otherwise. To access this site you have use the tor browser https://www.torproject.org/projects/torbrowser.html', 'http://o42xfh5kao7mrtesnok5jgdsfagjsgzxlxdlpkpd2x6lpckhzk225yad.onion', 'e620354e995a068f')

This shows the database was dropped at 210416 17:48:59; use the log to work out the point in time up to which data should be recovered.
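Reading the dump by eye works for a short log; for a long one it is easier to pull out every DROP / TRUNCATE / unfiltered DELETE automatically, together with the connection (thread_id) that issued it and that connection's earliest activity, which is the value to use for --stop-datetime. The script below is an added example and not part of the original post; it parses mysqlbinlog text output in the format shown above, and its embedded sample is constructed from the page's own events, with the ransom text replaced by placeholders and some intermediate events left out.

```python
import re
import sys
from datetime import datetime

# Constructed sample: four Query events from the page's mysqlbinlog dump (positions,
# timestamps and thread ids as on the page); the ransom INSERT's values are replaced by
# placeholders and the BEGIN / CREATE DATABASE / CREATE TABLE `WARNING` events are omitted.
SAMPLE_DUMP = """\
# at 3809968
#210416 17:46:19 server id 1  end_log_pos 3810094 \tQuery\tthread_id=27527\texec_time=0\terror_code=0
use `emerge`/*!*/;
SET TIMESTAMP=1618566379/*!*/;
SET @@session.sql_mode=0/*!*/;
CREATE TABLE whiteeyes (name VARCHAR(255), code VARCHAR(255))
/*!*/;
# at 3810094
#210416 17:46:19 server id 1  end_log_pos 3810207 \tQuery\tthread_id=27527\texec_time=0\terror_code=0
SET TIMESTAMP=1618566379/*!*/;
DROP TABLE `whiteeyes` /* generated by server */
/*!*/;
# at 3810207
#210416 17:48:59 server id 1  end_log_pos 3810294 \tQuery\tthread_id=27529\texec_time=0\terror_code=0
SET TIMESTAMP=1618566539/*!*/;
DROP DATABASE `emerge`
/*!*/;
# at 3810806
#210416 17:49:03 server id 1  end_log_pos 3811614 \tQuery\tthread_id=27530\texec_time=0\terror_code=0
use `emerge`/*!*/;
SET TIMESTAMP=1618566543/*!*/;
INSERT INTO `WARNING` (`id`, `warning`, `website`, `token`) VALUES (1, '<ransom text>', '<onion url>', '<token>')
/*!*/;
"""

# Event header as mysqlbinlog prints it: "#YYMMDD HH:MM:SS server id N  end_log_pos N  Type ..."
HEADER_RE = re.compile(r"^#(?P<ts>\d{6} +\d{1,2}:\d{2}:\d{2}) server id \d+\s+end_log_pos \d+"
                       r"\s+(?P<type>\w+)(?:\s+thread_id=(?P<thread>\d+))?")
USE_RE = re.compile(r"^use `?([^`/]+)`?/\*!\*/;")
# Statements that discard data wholesale: DROP, TRUNCATE, or DELETE with no WHERE clause
DESTRUCTIVE_RE = re.compile(r"^\s*(?:DROP\s+(?:DATABASE|SCHEMA|TABLE)\b|TRUNCATE\b"
                            r"|DELETE\s+FROM\s+[`\w.]+\s*;?$)", re.IGNORECASE)

def _close(ev):
    ev["sql"] = "\n".join(ev.pop("sql_lines")).strip()
    return ev

def parse_events(dump):
    """Parse mysqlbinlog text output into dicts with pos, time, type, thread_id, db, sql."""
    events, current, current_db = [], None, None
    for raw in dump.splitlines():
        line = raw.rstrip()
        if line.startswith("# at "):                 # every event begins with its offset
            if current is not None:
                events.append(_close(current))
            current = {"pos": int(line[5:]), "db": current_db, "type": None,
                       "time": None, "thread_id": None, "sql_lines": []}
            continue
        if current is None or not line:              # preamble before the first event
            continue
        m = HEADER_RE.match(line)
        if m:
            current["time"] = datetime.strptime(m.group("ts"), "%y%m%d %H:%M:%S")
            current["type"] = m.group("type")
            current["thread_id"] = int(m.group("thread")) if m.group("thread") else None
            continue
        u = USE_RE.match(line)
        if u:                                        # `use` is only re-emitted on change
            current_db = current["db"] = u.group(1)
            continue
        if (line.startswith("#") or line.startswith("SET TIMESTAMP=")
                or line.startswith("SET @@session") or line == "/*!*/;"):
            continue                                 # comments and session set-up
        current["sql_lines"].append(line)
    if current is not None:
        events.append(_close(current))
    return events

def destructive_events(events):
    """Query events whose statement discards data wholesale."""
    return [e for e in events if e["type"] == "Query" and DESTRUCTIVE_RE.match(e["sql"])]

def attacker_threads(events):
    """Connections (thread_id) that issued at least one destructive statement."""
    return {e["thread_id"] for e in destructive_events(events)}

def suggested_stop_datetime(events):
    """Earliest event from any destructive connection, formatted for --stop-datetime.

    mysqlbinlog stops at the first event timestamped at or after --stop-datetime, so
    this value also excludes that connection's set-up (the CREATE TABLE whiteeyes probe).
    """
    threads = attacker_threads(events)
    times = [e["time"] for e in events if e["thread_id"] in threads and e["time"]]
    return min(times).strftime("%Y-%m-%d %H:%M:%S") if times else None

if __name__ == "__main__":
    # Pass the .sql written by mysqlbinlog as the first argument; otherwise the sample is used
    evs = parse_events(open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_DUMP)
    for e in destructive_events(evs):
        print(f"{e['time']}  pos={e['pos']}  thread_id={e['thread_id']}  db={e['db']}  {e['sql']}")
    print("attacker connections:", sorted(attacker_threads(evs)), "| stop at:", suggested_stop_datetime(evs))
```

On the page's events this reports the DROP TABLE at 17:46:19 (thread 27527) and the DROP DATABASE at 17:48:59 (thread 27529), and suggests 2021-04-16 17:46:19 as the stop time, which is consistent with the 17:46:14 cut-off the author chose. Run it on the full log89.sql rather than the excerpt: the DROP is only the visible end of the intrusion, and anything else the same connections did before it should be excluded from the replay too.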

2. Determine what to recover from the log

Export the log contents:

/usr/local/mysql/bin/mysqlbinlog --no-defaults --database=emerge --start-datetime="2020-10-13 11:15:52" /home/shumei/sqllog/mysql-bin.000086 > /home/shumei/sqllog/mysql_restore_86.sql
/usr/local/mysql/bin/mysqlbinlog --no-defaults --database=emerge --start-datetime="2020-10-13 11:15:52" /home/shumei/sqllog/mysql-bin.000087 > /home/shumei/sqllog/mysql_restore_87.sql
/usr/local/mysql/bin/mysqlbinlog --no-defaults --database=emerge /home/shumei/sqllog/mysql-bin.000088 > /home/shumei/sqllog/mysql_restore_88.sql
/usr/local/mysql/bin/mysqlbinlog --no-defaults --database=emerge --stop-datetime="2021-04-16 17:46:14" /home/shumei/sqllog/mysql-bin.000089 > /home/shumei/sqllog/mysql_restore_89.sql

start-datetime is the time of the most recent database backup you have;
stop-datetime is the time of the attack;
after exporting, review the dumped SQL and confirm it is correct before moving on to the recovery step.

3. Recovery steps

  1. Import the historical database backup.
  2. Use the binlog to restore the data from the backup time up to the attack time.
/usr/local/mysql/bin/mysqlbinlog --no-defaults --database=emerge --start-datetime="2020-10-13 11:15:52" /home/shumei/sqllog/mysql-bin.000087 | mysql -u root -p********
/usr/local/mysql/bin/mysqlbinlog --no-defaults --database=emerge /home/shumei/sqllog/mysql-bin.000088 | mysql -u root -p********
/usr/local/mysql/bin/mysqlbinlog --no-defaults --database=emerge --stop-datetime="2021-04-16 17:46:14" /home/shumei/sqllog/mysql-bin.000089 | mysql -u root -p********
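The export and replay commands in the two steps above follow one pattern: the window between the backup time and the attack time is spread over several binlog files, the first file is cut with --start-datetime, the last with --stop-datetime, and the files in between are replayed whole. The script below is an added example, not the author's tooling; it generalises the page's four commands to any number of files (the page puts --start-datetime on both 000086 and 000087, which is harmless but only the first file needs it) and renders both the review-stage export commands and the replay commands. The mysqlbinlog path, file names and times are the page's own; the credentials file path is a hypothetical, and reading the password through --defaults-extra-file is a substitution for the page's -p******** on the command line.

```python
import shlex
from datetime import datetime

# Path used on the page; if it differs on your host, locate it with: find / -name mysqlbinlog
MYSQLBINLOG = "/usr/local/mysql/bin/mysqlbinlog"
TS = "%Y-%m-%d %H:%M:%S"  # datetime format accepted by --start-datetime / --stop-datetime

# Inputs from the page's own recovery: binlog files 86..89, backup time, attack time
PAGE_FILES = [f"/home/shumei/sqllog/mysql-bin.{n:06d}" for n in range(86, 90)]
PAGE_BACKUP_TIME = datetime(2020, 10, 13, 11, 15, 52)
PAGE_ATTACK_TIME = datetime(2021, 4, 16, 17, 46, 14)


def replay_plan(binlogs, database, backup_time, attack_time):
    """One mysqlbinlog argument list per file, covering the window (backup_time, attack_time).

    binlogs is the ordered list (oldest first) of the files spanning the window. Only the
    first file needs --start-datetime (earlier events are already in the restored backup)
    and only the last needs --stop-datetime (events from the attack onward must not be
    replayed); files in between are replayed whole. A single file gets both bounds.
    """
    if not binlogs:
        raise ValueError("no binlog files given")
    if backup_time >= attack_time:
        raise ValueError("backup time must be earlier than the attack time")
    plan = []
    for i, path in enumerate(binlogs):
        argv = [MYSQLBINLOG, "--no-defaults", f"--database={database}"]
        if i == 0:
            argv.append("--start-datetime=" + backup_time.strftime(TS))
        if i == len(binlogs) - 1:
            argv.append("--stop-datetime=" + attack_time.strftime(TS))
        argv.append(path)
        plan.append(argv)
    return plan


def export_commands(plan, out_dir):
    """Step 2 on the page: dump each slice to a .sql file so it can be reviewed first."""
    cmds = []
    for argv in plan:
        name = argv[-1].rsplit("/", 1)[-1]                    # e.g. mysql-bin.000089
        target = shlex.quote(f"{out_dir}/restore_{name}.sql")
        cmds.append(f"{shlex.join(argv)} > {target}")
    return cmds


def replay_commands(plan, credentials_file):
    """Step 3 on the page: pipe each reviewed slice into mysql.

    The page passes the password on the command line (-p********); reading it from a
    [client] section via --defaults-extra-file keeps it out of `ps` output and history.
    """
    client = "mysql --defaults-extra-file=" + shlex.quote(credentials_file)
    return [f"{shlex.join(argv)} | {client}" for argv in plan]


if __name__ == "__main__":
    plan = replay_plan(PAGE_FILES, "emerge", PAGE_BACKUP_TIME, PAGE_ATTACK_TIME)
    print("\n".join(export_commands(plan, "/home/shumei/sqllog")))
    print()
    print("\n".join(replay_commands(plan, "/root/.restore.cnf")))  # hypothetical credentials file
```

The export commands are meant to be run and their output read before any replay: a DROP that slipped inside the window, or an event from the attacker's connection before the chosen stop time, shows up in the .sql files, whereas a replay straight into mysql would silently reapply it.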

Please credit the source when reposting. You are welcome to check the sources cited in this article and to point out anything that is wrong or unclear. Email: ethan89@aliyun.com
