针对此次安全事件的一个溯源追踪

针对此次安全事件的一个溯源追踪  


提醒各位一句:

破坏计算机判刑极严，切勿以身试法：

刑法第二百八十六条：违反国家规定，对计算机信息系统功能进行删除、修改、增加、干扰，造成计算机信息系统不能正常运行，
后果严重的，处五年以下有期徒刑或者拘役；后果特别严重的，处五年以上有期徒刑。

下面通过一个溯源的视觉去分析这些攻击的具体流程

一、分析需要的潜在条件
1.1  phpmyadmin 访问日志(/www/wwwlogs/access.log)
1.2 数据库二进制日志(/www/server/data/bin-log-00001)


那么通过两样东西可以溯源出攻击者到底是怎么样的对你的数据库进行了增删查改
本文例子来自某位客户。已经向公安机关报警处理。


二、分析过程

被删除的数据库：qf1999  qf1998 qf1997 qf1996 qf1995 qf1994

附件:

access_log    (phpmyadmin 日志)

Mysql-bin.tar.gz  (mysql 二进制日志)

审计数据库日志+网站日志

首先需要把二进制日志解密

1. /www/server/mysql/bin/mysqlbinlog  --start-datetime='2020-08-10 00:00:00' --stop-datetime='2020-08-24 16:01:01'   mysql-bin.000015 >1.txt
   

复制代码

首先是还原出sql 语句。然后进行搜索 DROP

把最前面的时间，解成可以认识的时间

这里已经找到了时间了2020-08-23 20:36:57
然后再日志里面找到相应的URL 即可


通过上面的已经可以看出来了。

他首先是获取到了数据库名。然后通过POST  /pma/server_databases.php  进行删除数据库

具体的日志如下：

1. 116.162.2.123 - - [23/Aug/2020:20:36:58 +0800] "POST /pma/server_databases.php HTTP/1.1" 200 1659

复制代码

那么看看他具体的做了什么

1. Line 4546: 116.162.2.123 - - [23/Aug/2020:20:21:58 +0800] "GET /pma HTTP/1.1" 301 301
   
2.         Line 4609: 116.162.2.123 - - [23/Aug/2020:20:22:01 +0800] "POST /pma/ajax.php HTTP/1.1" 200 1636
   
3.         Line 4625: 116.162.2.123 - - [23/Aug/2020:20:22:02 +0800] "POST /pma/ajax.php HTTP/1.1" 200 153
   
4.         Line 4635: 116.162.2.123 - - [23/Aug/2020:20:22:04 +0800] "GET /pma/server_databases.php?lang=zh_CN&ajax_request=true&ajax_page_request=true&_nocache=1598185617151301742&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6974
   
5.         Line 4647: 116.162.2.123 - - [23/Aug/2020:20:22:16 +0800] "GET /pma/db_structure.php?db=qf529261876&ajax_request=true&ajax_page_request=true&_nocache=1598185629063355548&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9625
   
6.         Line 4653: 116.162.2.123 - - [23/Aug/2020:20:22:17 +0800] "GET /pma/navigation.php?ajax_request=1&lang=zh_CN&aPath=cm9vdA%3D%3D.cWY1MjkyNjE4NzY%3D&vPath=cm9vdA%3D%3D.cWY1MjkyNjE4NzY%3D&pos=0&pos2_name=&pos2_value=&searchClause=&searchClause2=&_nocache=1598185629999987513&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 2654
   
7.         Line 4671: 116.162.2.123 - - [23/Aug/2020:20:22:21 +0800] "GET /pma/sql.php?db=qf529261876&table=shua_shequ&pos=0&ajax_request=true&ajax_page_request=true&_nocache=1598185633976880332&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 811
   
8.         Line 4680: 116.162.2.123 - - [23/Aug/2020:20:22:22 +0800] "GET /pma/index.php?ajax_request=1&recent_table=1&no_debug=true&_nocache=1598185634811871850&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1599
   
9.         Line 4687: 116.162.2.123 - - [23/Aug/2020:20:22:50 +0800] "GET /pma/db_structure.php?db=qf529261876&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185662820268041&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9627
   
10.         Line 4688: 116.162.2.123 - - [23/Aug/2020:20:22:51 +0800] "GET /pma/server_databases.php?db=&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185663730361942&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6977
    
11.         Line 4690: 116.162.2.123 - - [23/Aug/2020:20:22:53 +0800] "GET /pma/db_structure.php?db=qf1099&ajax_request=true&ajax_page_request=true&_nocache=1598185666016804661&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 48338
    
12.         Line 4691: 116.162.2.123 - - [23/Aug/2020:20:22:55 +0800] "GET /pma/navigation.php?ajax_request=1&lang=zh_CN&aPath=cm9vdA%3D%3D.cWYxMDk5&vPath=cm9vdA%3D%3D.cWYxMDk5&pos=0&pos2_name=&pos2_value=&searchClause=&searchClause2=&_nocache=159818566748120702&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 3938
    
13.         Line 4692: 116.162.2.123 - - [23/Aug/2020:20:22:57 +0800] "GET /pma/server_databases.php?db=&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185669412527903&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6977
    
14.         Line 4693: 116.162.2.123 - - [23/Aug/2020:20:22:59 +0800] "GET /pma/db_structure.php?db=qf1095&ajax_request=true&ajax_page_request=true&_nocache=1598185671730124437&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 5678
    
15.         Line 4695: 116.162.2.123 - - [23/Aug/2020:20:23:00 +0800] "GET /pma/navigation.php?ajax_request=1&lang=zh_CN&aPath=cm9vdA%3D%3D.cWYxMDk1&vPath=cm9vdA%3D%3D.cWYxMDk1&pos=0&pos2_name=&pos2_value=&searchClause=&searchClause2=&_nocache=1598185672482192049&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 2011
    
16.         Line 4698: 116.162.2.123 - - [23/Aug/2020:20:23:01 +0800] "GET /pma/server_databases.php?db=&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185673774234926&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6977
    
17.         Line 4699: 116.162.2.123 - - [23/Aug/2020:20:23:03 +0800] "GET /pma/db_structure.php?db=qf1094&ajax_request=true&ajax_page_request=true&_nocache=1598185675585584773&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 2976
    
18.         Line 4700: 116.162.2.123 - - [23/Aug/2020:20:23:04 +0800] "GET /pma/navigation.php?ajax_request=1&lang=zh_CN&aPath=cm9vdA%3D%3D.cWYxMDk0&vPath=cm9vdA%3D%3D.cWYxMDk0&pos=0&pos2_name=&pos2_value=&searchClause=&searchClause2=&_nocache=1598185676327705919&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1567
    
19.         Line 4703: 116.162.2.123 - - [23/Aug/2020:20:23:05 +0800] "GET /pma/server_databases.php?db=&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185677244119316&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6977
    
20.         Line 4705: 116.162.2.123 - - [23/Aug/2020:20:23:06 +0800] "GET /pma/db_structure.php?db=mysql&ajax_request=true&ajax_page_request=true&_nocache=1598185678588405905&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9954
    
21.         Line 4707: 116.162.2.123 - - [23/Aug/2020:20:23:07 +0800] "GET /pma/navigation.php?ajax_request=1&lang=zh_CN&aPath=cm9vdA%3D%3D.bXlzcWw%3D&vPath=cm9vdA%3D%3D.bXlzcWw%3D&pos=0&pos2_name=&pos2_value=&searchClause=&searchClause2=&_nocache=1598185679532866268&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 2712
    
22.         Line 4708: 116.162.2.123 - - [23/Aug/2020:20:23:07 +0800] "GET /pma/server_databases.php?db=&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=159818568012651082&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6977
    
23.         Line 4710: 116.162.2.123 - - [23/Aug/2020:20:23:09 +0800] "GET /pma/db_structure.php?db=qf529261876&ajax_request=true&ajax_page_request=true&_nocache=1598185682005653639&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9627
    
24.         Line 4711: 116.162.2.123 - - [23/Aug/2020:20:23:12 +0800] "GET /pma/sql.php?db=qf529261876&table=shua_shequ&pos=0&ajax_request=true&ajax_page_request=true&_nocache=1598185685005808308&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 8116
    
25.         Line 4712: 116.162.2.123 - - [23/Aug/2020:20:23:13 +0800] "GET /pma/index.php?ajax_request=1&recent_table=1&no_debug=true&_nocache=159818568577118163&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1599
    
26.         Line 4713: 116.162.2.123 - - [23/Aug/2020:20:23:15 +0800] "GET /pma/db_structure.php?db=qf529261876&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185687616103033&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9627
    
27.         Line 4727: 116.162.2.123 - - [23/Aug/2020:20:24:18 +0800] "GET /pma/sql.php?db=qf529261876&table=shua_tools&pos=0&ajax_request=true&ajax_page_request=true&_nocache=1598185750294732339&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 14900
    
28.         Line 4728: 116.162.2.123 - - [23/Aug/2020:20:24:19 +0800] "GET /pma/index.php?ajax_request=1&recent_table=1&no_debug=true&_nocache=1598185751466596245&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1611
    
29.         Line 4729: 116.162.2.123 - - [23/Aug/2020:20:24:20 +0800] "GET /pma/db_structure.php?db=qf529261876&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185752537108547&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9630
    
30.         Line 4730: 116.162.2.123 - - [23/Aug/2020:20:24:23 +0800] "GET /pma/db_structure.php?db=qf529261876&pos=0&sort=table&sort_order=DESC&ajax_request=true&ajax_page_request=true&_nocache=1598185755277636777&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9581
    
31.         Line 4731: 116.162.2.123 - - [23/Aug/2020:20:24:28 +0800] "GET /pma/sql.php?db=qf529261876&table=shua_workorder&pos=0&ajax_request=true&ajax_page_request=true&_nocache=1598185760250246588&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 7184
    
32.         Line 4732: 116.162.2.123 - - [23/Aug/2020:20:24:29 +0800] "GET /pma/index.php?ajax_request=1&recent_table=1&no_debug=true&_nocache=1598185761243827878&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1625
    
33.         Line 4733: 116.162.2.123 - - [23/Aug/2020:20:24:29 +0800] "GET /pma/db_structure.php?db=qf529261876&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185762119176774&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9630
    
34.         Line 4736: 116.162.2.123 - - [23/Aug/2020:20:24:45 +0800] "GET /pma/sql.php?db=qf529261876&table=shua_workorder&pos=0&ajax_request=true&ajax_page_request=true&_nocache=1598185777752964155&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 7185
    
35.         Line 4738: 116.162.2.123 - - [23/Aug/2020:20:24:46 +0800] "GET /pma/index.php?ajax_request=1&recent_table=1&no_debug=true&_nocache=1598185778545677432&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1625
    
36.         Line 4739: 116.162.2.123 - - [23/Aug/2020:20:24:47 +0800] "GET /pma/db_structure.php?db=qf529261876&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185779616618888&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9630
    
37.         Line 4742: 116.162.2.123 - - [23/Aug/2020:20:24:54 +0800] "GET /pma/sql.php?db=qf529261876&table=shua_config&pos=0&ajax_request=true&ajax_page_request=true&_nocache=1598185786412900480&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 10867
    
38.         Line 4743: 116.162.2.123 - - [23/Aug/2020:20:24:55 +0800] "GET /pma/index.php?ajax_request=1&recent_table=1&no_debug=true&_nocache=1598185787487583076&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1634
    
39.         Line 5162: 116.162.2.123 - - [23/Aug/2020:20:36:47 +0800] "GET /pma/ HTTP/1.1" 200 14370
    
40.         Line 5163: 116.162.2.123 - - [23/Aug/2020:20:36:48 +0800] "GET /pma/themes/pmahomme/css/theme.css?v=5.0.2&nocache=6367662178ltr&server=1 HTTP/1.1" 200 20259
    
41.         Line 5164: 116.162.2.123 - - [23/Aug/2020:20:36:48 +0800] "GET /pma/js/whitelist.php?v=5.0.2 HTTP/1.1" 200 478
    
42.         Line 5165: 116.162.2.123 - - [23/Aug/2020:20:36:48 +0800] "GET /pma/js/messages.php?l=zh_CN&v=5.0.2 HTTP/1.1" 200 9709
    
43.         Line 5166: 116.162.2.123 - - [23/Aug/2020:20:36:49 +0800] "POST /pma/navigation.php?ajax_request=1 HTTP/1.1" 200 2517
    
44.         Line 5167: 116.162.2.123 - - [23/Aug/2020:20:36:49 +0800] "POST /pma/ajax.php HTTP/1.1" 200 1641
    
45.         Line 5168: 116.162.2.123 - - [23/Aug/2020:20:36:50 +0800] "POST /pma/version_check.php HTTP/1.1" 200 64
    
46.         Line 5169: 116.162.2.123 - - [23/Aug/2020:20:36:50 +0800] "POST /pma/ajax.php HTTP/1.1" 200 1535
    
47.         Line 5170: 116.162.2.123 - - [23/Aug/2020:20:36:52 +0800] "GET /pma/server_databases.php?ajax_request=true&ajax_page_request=true&_nocache=1598186503817237237&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6977
    
48.         Line 5172: 116.162.2.123 - - [23/Aug/2020:20:36:57 +0800] "GET /pma/themes/pmahomme/jquery/images/ui-bg_highlight-soft_75_cccccc_1x100.png HTTP/1.1" 200 122
    
49.         Line 5173: 116.162.2.123 - - [23/Aug/2020:20:36:57 +0800] "GET /pma/themes/pmahomme/jquery/images/ui-bg_glass_75_e6e6e6_1x400.png HTTP/1.1" 200 121
    
50.         Line 5174: 116.162.2.123 - - [23/Aug/2020:20:36:57 +0800] "GET /pma/themes/pmahomme/jquery/images/ui-icons_888888_256x240.png HTTP/1.1" 200 3765
    
51.         Line 5175: 116.162.2.123 - - [23/Aug/2020:20:36:57 +0800] "GET /pma/themes/pmahomme/jquery/images/ui-icons_222222_256x240.png HTTP/1.1" 200 3765
    
52.         Line 5176: 116.162.2.123 - - [23/Aug/2020:20:36:57 +0800] "GET /pma/themes/pmahomme/jquery/images/ui-bg_glass_75_dadada_1x400.png HTTP/1.1" 200 126
    
53.         Line 5177: 116.162.2.123 - - [23/Aug/2020:20:36:58 +0800] "GET /pma/themes/pmahomme/jquery/images/ui-bg_glass_65_ffffff_1x400.png HTTP/1.1" 200 73
    
54.         Line 5178: 116.162.2.123 - - [23/Aug/2020:20:36:58 +0800] "POST /pma/server_databases.php HTTP/1.1" 200 1659

复制代码

进去之后就一直再翻看数据库的信息。表信息。之类的。然后再

2020-08-23 20:36:58  116.162.2.123 IP 进行了删除数据库操作

进行对IP 116.162.2.123 追查

开始时间 到结束时间

2020-08-23 20:21:58-->2020-08-23 20:36:59

最开始进来的时间2020-08-23 20:21:58

这里应该是一个家庭地址

123.180.43.141   

删除数据库

1. Line 5246: 123.180.43.141 - - [23/Aug/2020:20:38:40 +0800] "POST /pma/server_databases.php HTTP/1.1" 200 2022
   

复制代码

数据库具体

对IP:123.180.43.141 进行追踪

开始时间 到结束时间

2020-08-23 20:35:01-->2020-08-23 20:39:14

最开始进来的时间2020-08-23 20:35:01

也是一个家庭宽带地址。

223.91.116.45  

非法对数据库进行建立数据库操作

开始时间和结束时间

2020-08-23 19:23:05  --->  2020-08-23 20:41:31

最开始的时间

退出之后的时间

进行了非法建立数据操作

解开URL

1. 223.91.116.45 - - [23/Aug/2020:20:40:39  0800] "GET /pma/tbl_structure.php?server=1&db=九神牛逼 QQ2356241&token=407d413d6e4b6443472959642658596a&goto=db_structure.php&table=牛你麻痹&ajax_request=true&ajax_page_request=true&_nocache=1598186728165247385&token=407d413d6e4b6443472959642658596a HTTP/1.0" 200 7146

复制代码

在数据库体现为

58.215.120.65  

进行脱裤

开始时间和结束时间

2020-08-23 19:28:59  --->  2020-08-23 19:56:48

一共是大概是十多个非法IP进行了非法操作如下：

1. 60.10.139.242   --->建立数据库
   
2. 
   
3. 116.198.15.2   --->扫描
   
4. 
   
5. 122.96.47.112          -->建立数据库
   
6. 
   
7. 183.7.83.200        -->建立数据库
   
8. 
   
9. 60.10.139.242 -->建立数据库
   
10. 
    
11. 123.180.43.141        -->建立数据库
    
12. 
    
13. 223.91.116.45 -->建立数据库
    
14. 
    
15. 223.116.223.11        -->操控数据库
    
16. 
    
17. 183.197.10.124 -->操控数据库
    
18. 
    
19. 58.215.120.65 -->脱裤
    
20. 
    
21. 223.91.116.45        -->操作数据库操作
    
22. 
    
23. 116.162.2.123 删除数据库

复制代码

最后总结一句：

破坏计算机判刑极严，切勿以身试法：

刑法第二百八十六条：违反国家规定，对计算机信息系统功能进行删除、修改、增加、干扰，造成计算机信息系统不能正常运行，
后果严重的，处五年以下有期徒刑或者拘役；后果特别严重的，处五年以上有期徒刑。




此次事件的客户需要协助报警的请联系QQ: 1249648969
网络不是法外之地。

小强哥是没有把话说完，当我们能知道你在长沙岳麓区的时候如果网警深究下去，是可以直接上门来跟你握手的。
谨记："违反国家规定，对计算机信息系统功能进行删除、修改、增加、干扰，造成计算机信息系统不能正常运行，后果严重的，处五年以下有期徒刑或者拘役；后果特别严重的，处五年以上有期徒刑。"

我们这边有一台测试机直接被不知道怎么通过 mysql 提权 root 后 rm -rf /www; rm -rf /* --no-preserve-root
别的日志全没了，查的时候只剩下一个 .bash_history，不过还好测试机没重要数据。