针对此次安全事件的一个溯源追踪
提醒各位一句:
破坏计算机判刑极严,切勿以身试法:
刑法第二百八十六条:违反国家规定,对计算机信息系统功能进行删除、修改、增加、干扰,造成计算机信息系统不能正常运行,
后果严重的,处五年以下有期徒刑或者拘役;后果特别严重的,处五年以上有期徒刑。
下面通过一个溯源的视觉去分析这些攻击的具体流程
一、分析需要的潜在条件
1.1 phpmyadmin 访问日志(/www/wwwlogs/access.log)
1.2 数据库二进制日志(/www/server/data/bin-log-00001)
那么通过两样东西可以溯源出攻击者到底是怎么样的对你的数据库进行了增删查改
本文例子来自某位客户。已经向公安机关报警处理。
二、分析过程
被删除的数据库:qf1999 qf1998 qf1997 qf1996 qf1995 qf1994
附件: access_log (phpmyadmin 日志) Mysql-bin.tar.gz (mysql 二进制日志)
审计数据库日志+网站日志
首先需要把二进制日志解密
- /www/server/mysql/bin/mysqlbinlog --start-datetime='2020-08-10 00:00:00' --stop-datetime='2020-08-24 16:01:01' mysql-bin.000015 >1.txt
复制代码
首先是还原出sql 语句。然后进行搜索 DROP
把最前面的时间,解成可以认识的时间
这里已经找到了时间了2020-08-23 20:36:57
然后再日志里面找到相应的URL 即可
通过上面的已经可以看出来了。
他首先是获取到了数据库名。然后通过POST /pma/server_databases.php 进行删除数据库
具体的日志如下:
- 116.162.2.123 - - [23/Aug/2020:20:36:58 +0800] "POST /pma/server_databases.php HTTP/1.1" 200 1659
复制代码 那么看看他具体的做了什么
- Line 4546: 116.162.2.123 - - [23/Aug/2020:20:21:58 +0800] "GET /pma HTTP/1.1" 301 301
- Line 4609: 116.162.2.123 - - [23/Aug/2020:20:22:01 +0800] "POST /pma/ajax.php HTTP/1.1" 200 1636
- Line 4625: 116.162.2.123 - - [23/Aug/2020:20:22:02 +0800] "POST /pma/ajax.php HTTP/1.1" 200 153
- Line 4635: 116.162.2.123 - - [23/Aug/2020:20:22:04 +0800] "GET /pma/server_databases.php?lang=zh_CN&ajax_request=true&ajax_page_request=true&_nocache=1598185617151301742&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6974
- Line 4647: 116.162.2.123 - - [23/Aug/2020:20:22:16 +0800] "GET /pma/db_structure.php?db=qf529261876&ajax_request=true&ajax_page_request=true&_nocache=1598185629063355548&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9625
- Line 4653: 116.162.2.123 - - [23/Aug/2020:20:22:17 +0800] "GET /pma/navigation.php?ajax_request=1&lang=zh_CN&aPath=cm9vdA%3D%3D.cWY1MjkyNjE4NzY%3D&vPath=cm9vdA%3D%3D.cWY1MjkyNjE4NzY%3D&pos=0&pos2_name=&pos2_value=&searchClause=&searchClause2=&_nocache=1598185629999987513&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 2654
- Line 4671: 116.162.2.123 - - [23/Aug/2020:20:22:21 +0800] "GET /pma/sql.php?db=qf529261876&table=shua_shequ&pos=0&ajax_request=true&ajax_page_request=true&_nocache=1598185633976880332&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 811
- Line 4680: 116.162.2.123 - - [23/Aug/2020:20:22:22 +0800] "GET /pma/index.php?ajax_request=1&recent_table=1&no_debug=true&_nocache=1598185634811871850&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1599
- Line 4687: 116.162.2.123 - - [23/Aug/2020:20:22:50 +0800] "GET /pma/db_structure.php?db=qf529261876&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185662820268041&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9627
- Line 4688: 116.162.2.123 - - [23/Aug/2020:20:22:51 +0800] "GET /pma/server_databases.php?db=&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185663730361942&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6977
- Line 4690: 116.162.2.123 - - [23/Aug/2020:20:22:53 +0800] "GET /pma/db_structure.php?db=qf1099&ajax_request=true&ajax_page_request=true&_nocache=1598185666016804661&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 48338
- Line 4691: 116.162.2.123 - - [23/Aug/2020:20:22:55 +0800] "GET /pma/navigation.php?ajax_request=1&lang=zh_CN&aPath=cm9vdA%3D%3D.cWYxMDk5&vPath=cm9vdA%3D%3D.cWYxMDk5&pos=0&pos2_name=&pos2_value=&searchClause=&searchClause2=&_nocache=159818566748120702&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 3938
- Line 4692: 116.162.2.123 - - [23/Aug/2020:20:22:57 +0800] "GET /pma/server_databases.php?db=&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185669412527903&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6977
- Line 4693: 116.162.2.123 - - [23/Aug/2020:20:22:59 +0800] "GET /pma/db_structure.php?db=qf1095&ajax_request=true&ajax_page_request=true&_nocache=1598185671730124437&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 5678
- Line 4695: 116.162.2.123 - - [23/Aug/2020:20:23:00 +0800] "GET /pma/navigation.php?ajax_request=1&lang=zh_CN&aPath=cm9vdA%3D%3D.cWYxMDk1&vPath=cm9vdA%3D%3D.cWYxMDk1&pos=0&pos2_name=&pos2_value=&searchClause=&searchClause2=&_nocache=1598185672482192049&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 2011
- Line 4698: 116.162.2.123 - - [23/Aug/2020:20:23:01 +0800] "GET /pma/server_databases.php?db=&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185673774234926&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6977
- Line 4699: 116.162.2.123 - - [23/Aug/2020:20:23:03 +0800] "GET /pma/db_structure.php?db=qf1094&ajax_request=true&ajax_page_request=true&_nocache=1598185675585584773&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 2976
- Line 4700: 116.162.2.123 - - [23/Aug/2020:20:23:04 +0800] "GET /pma/navigation.php?ajax_request=1&lang=zh_CN&aPath=cm9vdA%3D%3D.cWYxMDk0&vPath=cm9vdA%3D%3D.cWYxMDk0&pos=0&pos2_name=&pos2_value=&searchClause=&searchClause2=&_nocache=1598185676327705919&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1567
- Line 4703: 116.162.2.123 - - [23/Aug/2020:20:23:05 +0800] "GET /pma/server_databases.php?db=&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185677244119316&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6977
- Line 4705: 116.162.2.123 - - [23/Aug/2020:20:23:06 +0800] "GET /pma/db_structure.php?db=mysql&ajax_request=true&ajax_page_request=true&_nocache=1598185678588405905&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9954
- Line 4707: 116.162.2.123 - - [23/Aug/2020:20:23:07 +0800] "GET /pma/navigation.php?ajax_request=1&lang=zh_CN&aPath=cm9vdA%3D%3D.bXlzcWw%3D&vPath=cm9vdA%3D%3D.bXlzcWw%3D&pos=0&pos2_name=&pos2_value=&searchClause=&searchClause2=&_nocache=1598185679532866268&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 2712
- Line 4708: 116.162.2.123 - - [23/Aug/2020:20:23:07 +0800] "GET /pma/server_databases.php?db=&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=159818568012651082&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6977
- Line 4710: 116.162.2.123 - - [23/Aug/2020:20:23:09 +0800] "GET /pma/db_structure.php?db=qf529261876&ajax_request=true&ajax_page_request=true&_nocache=1598185682005653639&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9627
- Line 4711: 116.162.2.123 - - [23/Aug/2020:20:23:12 +0800] "GET /pma/sql.php?db=qf529261876&table=shua_shequ&pos=0&ajax_request=true&ajax_page_request=true&_nocache=1598185685005808308&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 8116
- Line 4712: 116.162.2.123 - - [23/Aug/2020:20:23:13 +0800] "GET /pma/index.php?ajax_request=1&recent_table=1&no_debug=true&_nocache=159818568577118163&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1599
- Line 4713: 116.162.2.123 - - [23/Aug/2020:20:23:15 +0800] "GET /pma/db_structure.php?db=qf529261876&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185687616103033&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9627
- Line 4727: 116.162.2.123 - - [23/Aug/2020:20:24:18 +0800] "GET /pma/sql.php?db=qf529261876&table=shua_tools&pos=0&ajax_request=true&ajax_page_request=true&_nocache=1598185750294732339&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 14900
- Line 4728: 116.162.2.123 - - [23/Aug/2020:20:24:19 +0800] "GET /pma/index.php?ajax_request=1&recent_table=1&no_debug=true&_nocache=1598185751466596245&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1611
- Line 4729: 116.162.2.123 - - [23/Aug/2020:20:24:20 +0800] "GET /pma/db_structure.php?db=qf529261876&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185752537108547&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9630
- Line 4730: 116.162.2.123 - - [23/Aug/2020:20:24:23 +0800] "GET /pma/db_structure.php?db=qf529261876&pos=0&sort=table&sort_order=DESC&ajax_request=true&ajax_page_request=true&_nocache=1598185755277636777&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9581
- Line 4731: 116.162.2.123 - - [23/Aug/2020:20:24:28 +0800] "GET /pma/sql.php?db=qf529261876&table=shua_workorder&pos=0&ajax_request=true&ajax_page_request=true&_nocache=1598185760250246588&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 7184
- Line 4732: 116.162.2.123 - - [23/Aug/2020:20:24:29 +0800] "GET /pma/index.php?ajax_request=1&recent_table=1&no_debug=true&_nocache=1598185761243827878&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1625
- Line 4733: 116.162.2.123 - - [23/Aug/2020:20:24:29 +0800] "GET /pma/db_structure.php?db=qf529261876&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185762119176774&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9630
- Line 4736: 116.162.2.123 - - [23/Aug/2020:20:24:45 +0800] "GET /pma/sql.php?db=qf529261876&table=shua_workorder&pos=0&ajax_request=true&ajax_page_request=true&_nocache=1598185777752964155&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 7185
- Line 4738: 116.162.2.123 - - [23/Aug/2020:20:24:46 +0800] "GET /pma/index.php?ajax_request=1&recent_table=1&no_debug=true&_nocache=1598185778545677432&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1625
- Line 4739: 116.162.2.123 - - [23/Aug/2020:20:24:47 +0800] "GET /pma/db_structure.php?db=qf529261876&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185779616618888&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9630
- Line 4742: 116.162.2.123 - - [23/Aug/2020:20:24:54 +0800] "GET /pma/sql.php?db=qf529261876&table=shua_config&pos=0&ajax_request=true&ajax_page_request=true&_nocache=1598185786412900480&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 10867
- Line 4743: 116.162.2.123 - - [23/Aug/2020:20:24:55 +0800] "GET /pma/index.php?ajax_request=1&recent_table=1&no_debug=true&_nocache=1598185787487583076&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1634
- Line 5162: 116.162.2.123 - - [23/Aug/2020:20:36:47 +0800] "GET /pma/ HTTP/1.1" 200 14370
- Line 5163: 116.162.2.123 - - [23/Aug/2020:20:36:48 +0800] "GET /pma/themes/pmahomme/css/theme.css?v=5.0.2&nocache=6367662178ltr&server=1 HTTP/1.1" 200 20259
- Line 5164: 116.162.2.123 - - [23/Aug/2020:20:36:48 +0800] "GET /pma/js/whitelist.php?v=5.0.2 HTTP/1.1" 200 478
- Line 5165: 116.162.2.123 - - [23/Aug/2020:20:36:48 +0800] "GET /pma/js/messages.php?l=zh_CN&v=5.0.2 HTTP/1.1" 200 9709
- Line 5166: 116.162.2.123 - - [23/Aug/2020:20:36:49 +0800] "POST /pma/navigation.php?ajax_request=1 HTTP/1.1" 200 2517
- Line 5167: 116.162.2.123 - - [23/Aug/2020:20:36:49 +0800] "POST /pma/ajax.php HTTP/1.1" 200 1641
- Line 5168: 116.162.2.123 - - [23/Aug/2020:20:36:50 +0800] "POST /pma/version_check.php HTTP/1.1" 200 64
- Line 5169: 116.162.2.123 - - [23/Aug/2020:20:36:50 +0800] "POST /pma/ajax.php HTTP/1.1" 200 1535
- Line 5170: 116.162.2.123 - - [23/Aug/2020:20:36:52 +0800] "GET /pma/server_databases.php?ajax_request=true&ajax_page_request=true&_nocache=1598186503817237237&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6977
- Line 5172: 116.162.2.123 - - [23/Aug/2020:20:36:57 +0800] "GET /pma/themes/pmahomme/jquery/images/ui-bg_highlight-soft_75_cccccc_1x100.png HTTP/1.1" 200 122
- Line 5173: 116.162.2.123 - - [23/Aug/2020:20:36:57 +0800] "GET /pma/themes/pmahomme/jquery/images/ui-bg_glass_75_e6e6e6_1x400.png HTTP/1.1" 200 121
- Line 5174: 116.162.2.123 - - [23/Aug/2020:20:36:57 +0800] "GET /pma/themes/pmahomme/jquery/images/ui-icons_888888_256x240.png HTTP/1.1" 200 3765
- Line 5175: 116.162.2.123 - - [23/Aug/2020:20:36:57 +0800] "GET /pma/themes/pmahomme/jquery/images/ui-icons_222222_256x240.png HTTP/1.1" 200 3765
- Line 5176: 116.162.2.123 - - [23/Aug/2020:20:36:57 +0800] "GET /pma/themes/pmahomme/jquery/images/ui-bg_glass_75_dadada_1x400.png HTTP/1.1" 200 126
- Line 5177: 116.162.2.123 - - [23/Aug/2020:20:36:58 +0800] "GET /pma/themes/pmahomme/jquery/images/ui-bg_glass_65_ffffff_1x400.png HTTP/1.1" 200 73
- Line 5178: 116.162.2.123 - - [23/Aug/2020:20:36:58 +0800] "POST /pma/server_databases.php HTTP/1.1" 200 1659
复制代码
进去之后就一直再翻看数据库的信息。表信息。之类的。然后再
2020-08-23 20:36:58 116.162.2.123 IP 进行了删除数据库操作
进行对IP 116.162.2.123 追查
开始时间 到结束时间 2020-08-23 20:21:58-->2020-08-23 20:36:59 最开始进来的时间2020-08-23 20:21:58
这里应该是一个家庭地址
123.180.43.141 删除数据库 - Line 5246: 123.180.43.141 - - [23/Aug/2020:20:38:40 +0800] "POST /pma/server_databases.php HTTP/1.1" 200 2022
复制代码
数据库具体
对IP:123.180.43.141 进行追踪 开始时间 到结束时间 2020-08-23 20:35:01-->2020-08-23 20:39:14 最开始进来的时间2020-08-23 20:35:01
也是一个家庭宽带地址。
223.91.116.45 非法对数据库进行建立数据库操作 开始时间和结束时间 2020-08-23 19:23:05 ---> 2020-08-23 20:41:31 最开始的时间
退出之后的时间
进行了非法建立数据操作
解开URL - 223.91.116.45 - - [23/Aug/2020:20:40:39 0800] "GET /pma/tbl_structure.php?server=1&db=九神牛逼 QQ2356241&token=407d413d6e4b6443472959642658596a&goto=db_structure.php&table=牛你麻痹&ajax_request=true&ajax_page_request=true&_nocache=1598186728165247385&token=407d413d6e4b6443472959642658596a HTTP/1.0" 200 7146
复制代码在数据库体现为
58.215.120.65 进行脱裤
开始时间和结束时间 2020-08-23 19:28:59 ---> 2020-08-23 19:56:48
一共是大概是十多个非法IP进行了非法操作如下:
- 60.10.139.242 --->建立数据库
- 116.198.15.2 --->扫描
- 122.96.47.112 -->建立数据库
- 183.7.83.200 -->建立数据库
- 60.10.139.242 -->建立数据库
- 123.180.43.141 -->建立数据库
- 223.91.116.45 -->建立数据库
- 223.116.223.11 -->操控数据库
- 183.197.10.124 -->操控数据库
- 58.215.120.65 -->脱裤
- 223.91.116.45 -->操作数据库操作
- 116.162.2.123 删除数据库
复制代码
最后总结一句: 破坏计算机判刑极严,切勿以身试法:
刑法第二百八十六条:违反国家规定,对计算机信息系统功能进行删除、修改、增加、干扰,造成计算机信息系统不能正常运行,
后果严重的,处五年以下有期徒刑或者拘役;后果特别严重的,处五年以上有期徒刑。
此次事件的客户需要协助报警的请联系QQ: 1249648969
网络不是法外之地。
|