Below, the attack is reconstructed step by step from a forensic (attack-tracing) point of view.

1. What the analysis needs

1.1 The phpMyAdmin access log (/www/wwwlogs/access.log)
1.2 The MySQL binary log (/www/server/data/bin-log-00001)
With these two artifacts you can reconstruct exactly how an attacker read, inserted, updated and deleted data in your database. The web log supplies the source IP, the timeline and the phpMyAdmin page that was hit; the binary log supplies the SQL statement MySQL actually executed. You need both, because the web server never records POST bodies, so the SQL itself is not in the access log.
The example in this article comes from a customer's server; the incident has been reported to the police.

2. Analysis

Databases deleted: qf1999 qf1998 qf1997 qf1996 qf1995 qf1994
Evidence collected:
access_log (the phpMyAdmin web log)
Mysql-bin.tar.gz (the MySQL binary logs)
Method: audit the database log and the web log side by side.
The binary log has to be decoded first. It is not encrypted, just binary: mysqlbinlog converts it into SQL text. Bound the window with --start-datetime and --stop-datetime so the output stays manageable:

/www/server/mysql/bin/mysqlbinlog --start-datetime='2020-08-10 00:00:00' --stop-datetime='2020-08-24 16:01:01' mysql-bin.000015 > 1.txt

This yields the SQL statements as text; search the output for DROP. DDL such as DROP DATABASE is always written to the binlog as statement text whatever binlog_format is set to, so the plain invocation above is enough to find it (for row-based INSERT/UPDATE/DELETE events you would add --base64-output=DECODE-ROWS -v to see the row changes). This only works if binary logging was enabled before the incident; with log_bin off there is nothing to reconstruct, which is why it should be on by default on any server that matters.

Then convert the timestamp printed ahead of the statement into a readable date. mysqlbinlog shows it twice: as a #yymmdd hh:mm:ss event header, and as an epoch value on the SET TIMESTAMP= line immediately before the query.

Here that gives 2020-08-23 20:36:57.
Now look up the request in the web log at that moment.

This already tells the story: the attacker first enumerated the database names, then dropped the databases through a POST to /pma/server_databases.php.

The log line in question:

116.162.2.123 - - [23/Aug/2020:20:36:58 +0800] "POST /pma/server_databases.php HTTP/1.1" 200 1659

Now, what exactly did he do beforehand? Every request from this IP (the Line numbers are the positions in access.log reported by the editor's search):

Line 4546: 116.162.2.123 - - [23/Aug/2020:20:21:58 +0800] "GET /pma HTTP/1.1" 301 301
Line 4609: 116.162.2.123 - - [23/Aug/2020:20:22:01 +0800] "POST /pma/ajax.php HTTP/1.1" 200 1636
Line 4625: 116.162.2.123 - - [23/Aug/2020:20:22:02 +0800] "POST /pma/ajax.php HTTP/1.1" 200 153
Line 4635: 116.162.2.123 - - [23/Aug/2020:20:22:04 +0800] "GET /pma/server_databases.php?lang=zh_CN&ajax_request=true&ajax_page_request=true&_nocache=1598185617151301742&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6974
Line 4647: 116.162.2.123 - - [23/Aug/2020:20:22:16 +0800] "GET /pma/db_structure.php?db=qf529261876&ajax_request=true&ajax_page_request=true&_nocache=1598185629063355548&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9625
Line 4653: 116.162.2.123 - - [23/Aug/2020:20:22:17 +0800] "GET /pma/navigation.php?ajax_request=1&lang=zh_CN&aPath=cm9vdA%3D%3D.cWY1MjkyNjE4NzY%3D&vPath=cm9vdA%3D%3D.cWY1MjkyNjE4NzY%3D&pos=0&pos2_name=&pos2_value=&searchClause=&searchClause2=&_nocache=1598185629999987513&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 2654
Line 4671: 116.162.2.123 - - [23/Aug/2020:20:22:21 +0800] "GET /pma/sql.php?db=qf529261876&table=shua_shequ&pos=0&ajax_request=true&ajax_page_request=true&_nocache=1598185633976880332&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 811
Line 4680: 116.162.2.123 - - [23/Aug/2020:20:22:22 +0800] "GET /pma/index.php?ajax_request=1&recent_table=1&no_debug=true&_nocache=1598185634811871850&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1599
Line 4687: 116.162.2.123 - - [23/Aug/2020:20:22:50 +0800] "GET /pma/db_structure.php?db=qf529261876&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185662820268041&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9627
Line 4688: 116.162.2.123 - - [23/Aug/2020:20:22:51 +0800] "GET /pma/server_databases.php?db=&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185663730361942&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6977
Line 4690: 116.162.2.123 - - [23/Aug/2020:20:22:53 +0800] "GET /pma/db_structure.php?db=qf1099&ajax_request=true&ajax_page_request=true&_nocache=1598185666016804661&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 48338
Line 4691: 116.162.2.123 - - [23/Aug/2020:20:22:55 +0800] "GET /pma/navigation.php?ajax_request=1&lang=zh_CN&aPath=cm9vdA%3D%3D.cWYxMDk5&vPath=cm9vdA%3D%3D.cWYxMDk5&pos=0&pos2_name=&pos2_value=&searchClause=&searchClause2=&_nocache=159818566748120702&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 3938
Line 4692: 116.162.2.123 - - [23/Aug/2020:20:22:57 +0800] "GET /pma/server_databases.php?db=&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185669412527903&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6977
Line 4693: 116.162.2.123 - - [23/Aug/2020:20:22:59 +0800] "GET /pma/db_structure.php?db=qf1095&ajax_request=true&ajax_page_request=true&_nocache=1598185671730124437&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 5678
Line 4695: 116.162.2.123 - - [23/Aug/2020:20:23:00 +0800] "GET /pma/navigation.php?ajax_request=1&lang=zh_CN&aPath=cm9vdA%3D%3D.cWYxMDk1&vPath=cm9vdA%3D%3D.cWYxMDk1&pos=0&pos2_name=&pos2_value=&searchClause=&searchClause2=&_nocache=1598185672482192049&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 2011
Line 4698: 116.162.2.123 - - [23/Aug/2020:20:23:01 +0800] "GET /pma/server_databases.php?db=&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185673774234926&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6977
Line 4699: 116.162.2.123 - - [23/Aug/2020:20:23:03 +0800] "GET /pma/db_structure.php?db=qf1094&ajax_request=true&ajax_page_request=true&_nocache=1598185675585584773&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 2976
Line 4700: 116.162.2.123 - - [23/Aug/2020:20:23:04 +0800] "GET /pma/navigation.php?ajax_request=1&lang=zh_CN&aPath=cm9vdA%3D%3D.cWYxMDk0&vPath=cm9vdA%3D%3D.cWYxMDk0&pos=0&pos2_name=&pos2_value=&searchClause=&searchClause2=&_nocache=1598185676327705919&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1567
Line 4703: 116.162.2.123 - - [23/Aug/2020:20:23:05 +0800] "GET /pma/server_databases.php?db=&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185677244119316&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6977
Line 4705: 116.162.2.123 - - [23/Aug/2020:20:23:06 +0800] "GET /pma/db_structure.php?db=mysql&ajax_request=true&ajax_page_request=true&_nocache=1598185678588405905&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9954
Line 4707: 116.162.2.123 - - [23/Aug/2020:20:23:07 +0800] "GET /pma/navigation.php?ajax_request=1&lang=zh_CN&aPath=cm9vdA%3D%3D.bXlzcWw%3D&vPath=cm9vdA%3D%3D.bXlzcWw%3D&pos=0&pos2_name=&pos2_value=&searchClause=&searchClause2=&_nocache=1598185679532866268&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 2712
Line 4708: 116.162.2.123 - - [23/Aug/2020:20:23:07 +0800] "GET /pma/server_databases.php?db=&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=159818568012651082&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6977
Line 4710: 116.162.2.123 - - [23/Aug/2020:20:23:09 +0800] "GET /pma/db_structure.php?db=qf529261876&ajax_request=true&ajax_page_request=true&_nocache=1598185682005653639&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9627
Line 4711: 116.162.2.123 - - [23/Aug/2020:20:23:12 +0800] "GET /pma/sql.php?db=qf529261876&table=shua_shequ&pos=0&ajax_request=true&ajax_page_request=true&_nocache=1598185685005808308&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 8116
Line 4712: 116.162.2.123 - - [23/Aug/2020:20:23:13 +0800] "GET /pma/index.php?ajax_request=1&recent_table=1&no_debug=true&_nocache=159818568577118163&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1599
Line 4713: 116.162.2.123 - - [23/Aug/2020:20:23:15 +0800] "GET /pma/db_structure.php?db=qf529261876&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185687616103033&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9627
Line 4727: 116.162.2.123 - - [23/Aug/2020:20:24:18 +0800] "GET /pma/sql.php?db=qf529261876&table=shua_tools&pos=0&ajax_request=true&ajax_page_request=true&_nocache=1598185750294732339&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 14900
Line 4728: 116.162.2.123 - - [23/Aug/2020:20:24:19 +0800] "GET /pma/index.php?ajax_request=1&recent_table=1&no_debug=true&_nocache=1598185751466596245&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1611
Line 4729: 116.162.2.123 - - [23/Aug/2020:20:24:20 +0800] "GET /pma/db_structure.php?db=qf529261876&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185752537108547&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9630
Line 4730: 116.162.2.123 - - [23/Aug/2020:20:24:23 +0800] "GET /pma/db_structure.php?db=qf529261876&pos=0&sort=table&sort_order=DESC&ajax_request=true&ajax_page_request=true&_nocache=1598185755277636777&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9581
Line 4731: 116.162.2.123 - - [23/Aug/2020:20:24:28 +0800] "GET /pma/sql.php?db=qf529261876&table=shua_workorder&pos=0&ajax_request=true&ajax_page_request=true&_nocache=1598185760250246588&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 7184
Line 4732: 116.162.2.123 - - [23/Aug/2020:20:24:29 +0800] "GET /pma/index.php?ajax_request=1&recent_table=1&no_debug=true&_nocache=1598185761243827878&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1625
Line 4733: 116.162.2.123 - - [23/Aug/2020:20:24:29 +0800] "GET /pma/db_structure.php?db=qf529261876&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185762119176774&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9630
Line 4736: 116.162.2.123 - - [23/Aug/2020:20:24:45 +0800] "GET /pma/sql.php?db=qf529261876&table=shua_workorder&pos=0&ajax_request=true&ajax_page_request=true&_nocache=1598185777752964155&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 7185
Line 4738: 116.162.2.123 - - [23/Aug/2020:20:24:46 +0800] "GET /pma/index.php?ajax_request=1&recent_table=1&no_debug=true&_nocache=1598185778545677432&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1625
Line 4739: 116.162.2.123 - - [23/Aug/2020:20:24:47 +0800] "GET /pma/db_structure.php?db=qf529261876&table=&server=1&target=&ajax_request=true&ajax_page_request=true&_nocache=1598185779616618888&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9630
Line 4742: 116.162.2.123 - - [23/Aug/2020:20:24:54 +0800] "GET /pma/sql.php?db=qf529261876&table=shua_config&pos=0&ajax_request=true&ajax_page_request=true&_nocache=1598185786412900480&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 10867
Line 4743: 116.162.2.123 - - [23/Aug/2020:20:24:55 +0800] "GET /pma/index.php?ajax_request=1&recent_table=1&no_debug=true&_nocache=1598185787487583076&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 1634
Line 5162: 116.162.2.123 - - [23/Aug/2020:20:36:47 +0800] "GET /pma/ HTTP/1.1" 200 14370
Line 5163: 116.162.2.123 - - [23/Aug/2020:20:36:48 +0800] "GET /pma/themes/pmahomme/css/theme.css?v=5.0.2&nocache=6367662178ltr&server=1 HTTP/1.1" 200 20259
Line 5164: 116.162.2.123 - - [23/Aug/2020:20:36:48 +0800] "GET /pma/js/whitelist.php?v=5.0.2 HTTP/1.1" 200 478
Line 5165: 116.162.2.123 - - [23/Aug/2020:20:36:48 +0800] "GET /pma/js/messages.php?l=zh_CN&v=5.0.2 HTTP/1.1" 200 9709
Line 5166: 116.162.2.123 - - [23/Aug/2020:20:36:49 +0800] "POST /pma/navigation.php?ajax_request=1 HTTP/1.1" 200 2517
Line 5167: 116.162.2.123 - - [23/Aug/2020:20:36:49 +0800] "POST /pma/ajax.php HTTP/1.1" 200 1641
Line 5168: 116.162.2.123 - - [23/Aug/2020:20:36:50 +0800] "POST /pma/version_check.php HTTP/1.1" 200 64
Line 5169: 116.162.2.123 - - [23/Aug/2020:20:36:50 +0800] "POST /pma/ajax.php HTTP/1.1" 200 1535
Line 5170: 116.162.2.123 - - [23/Aug/2020:20:36:52 +0800] "GET /pma/server_databases.php?ajax_request=true&ajax_page_request=true&_nocache=1598186503817237237&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 6977
Line 5172: 116.162.2.123 - - [23/Aug/2020:20:36:57 +0800] "GET /pma/themes/pmahomme/jquery/images/ui-bg_highlight-soft_75_cccccc_1x100.png HTTP/1.1" 200 122
Line 5173: 116.162.2.123 - - [23/Aug/2020:20:36:57 +0800] "GET /pma/themes/pmahomme/jquery/images/ui-bg_glass_75_e6e6e6_1x400.png HTTP/1.1" 200 121
Line 5174: 116.162.2.123 - - [23/Aug/2020:20:36:57 +0800] "GET /pma/themes/pmahomme/jquery/images/ui-icons_888888_256x240.png HTTP/1.1" 200 3765
Line 5175: 116.162.2.123 - - [23/Aug/2020:20:36:57 +0800] "GET /pma/themes/pmahomme/jquery/images/ui-icons_222222_256x240.png HTTP/1.1" 200 3765
Line 5176: 116.162.2.123 - - [23/Aug/2020:20:36:57 +0800] "GET /pma/themes/pmahomme/jquery/images/ui-bg_glass_75_dadada_1x400.png HTTP/1.1" 200 126
Line 5177: 116.162.2.123 - - [23/Aug/2020:20:36:58 +0800] "GET /pma/themes/pmahomme/jquery/images/ui-bg_glass_65_ffffff_1x400.png HTTP/1.1" 200 73
Line 5178: 116.162.2.123 - - [23/Aug/2020:20:36:58 +0800] "POST /pma/server_databases.php HTTP/1.1" 200 1659

Once inside (the v=5.0.2 asset URLs identify phpMyAdmin 5.0.2) the attacker spent the session browsing: the database list (server_databases.php), the structure of qf529261876, qf1099, qf1095, qf1094 and mysql (db_structure.php), and the contents of the tables shua_shequ, shua_tools, shua_workorder and shua_config (sql.php). Then, at 2020-08-23 20:36:58, 116.162.2.123 sent the POST to /pma/server_databases.php that dropped the databases. The jQuery UI theme images fetched at 20:36:57 are what phpMyAdmin's modal dialogs pull in on first use, consistent with the drop-confirmation prompt appearing right before that POST.
Two details are worth checking before trusting the match. First, the binlog records the DROP at 20:36:57 while the web server stamps the POST at 20:36:58; an offset of a second either way is normal, because the web server writes its timestamp when it logs the request (nginx does so on completion) whereas the binlog stamps the moment the statement ran. Both logs use +0800, so no timezone correction is needed. Second, the only POSTs from this IP before its first token-bearing GET (20:22:04) go to /pma/ajax.php, which is not the login form, so the attacker appears to have arrived with working credentials or a live session rather than guessing the password during this visit.
Tracing 116.162.2.123 through the whole log:
first request 2020-08-23 20:21:58, last request 2020-08-23 20:36:59.


IP geolocation for this address points to a residential (home broadband) connection.

223.91.116.45
Unauthorized database creation.
Active from 2020-08-23 19:23:05 to 2020-08-23 20:41:31 (first request seen to the last request before logout).

This session created databases without authorization.

Decoded URL (the whole line was URL-decoded, which also turned the '+' characters into spaces):

223.91.116.45 - - [23/Aug/2020:20:40:39 +0800] "GET /pma/tbl_structure.php?server=1&db=XXXX QQ2356241&token=407d413d6e4b6443472959642658596a&goto=db_structure.php&table=XXXX &ajax_request=true&ajax_page_request=true&_nocache=1598186728165247385&token=407d413d6e4b6443472959642658596a HTTP/1.0" 200 7146

In the binlog this shows up as the matching CREATE DATABASE statement.

58.215.120.65
Dumped the database (data exfiltration).

Active from 2020-08-23 19:28:59 to 2020-08-23 19:56:48.
In total a dozen or so unrelated IPs carried out unauthorized operations:

60.10.139.242    --> created databases
116.198.15.2     --> scanning
122.96.47.112    --> created databases
183.7.83.200     --> created databases
60.10.139.242    --> created databases
123.180.43.141   --> created databases
223.91.116.45    --> created databases
223.116.223.11   --> manipulated the database
183.197.10.124   --> manipulated the database
58.215.120.65    --> dumped the database
223.91.116.45    --> other database operations
116.162.2.123    --> dropped databases
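The two procedures in this write-up, correlating a DROP found in the binlog with the web request that caused it (section 2) and tracing each source IP's activity window and what it touched (the per-IP summaries and the list above), as one script. This is an added example, not code from the original post or from the customer's environment. Its assumptions: the mysqlbinlog output is constructed to match the values reported here (two DROP DATABASE statements at epoch 1598186217, which is 2020-08-23 20:36:57 +0800); the access-log lines are based on this page's excerpt for 116.162.2.123 with query strings shortened, plus one constructed line for a hypothetical scanner at 203.0.113.9; the +0800 zone of the MySQL host, the two-second matching window and the list of phpMyAdmin 5.0 endpoints treated as state-changing are assumptions.

```python
"""Reconstruct a phpMyAdmin incident from mysqlbinlog text output plus the web access log."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

SERVER_TZ = timezone(timedelta(hours=8))  # assumed: MySQL host keeps +0800, like the access log

# Constructed mysqlbinlog output (not the customer's file), modelled on the page's values:
# epoch 1598186217 is 2020-08-23 20:36:57 +0800, the DROP time found in the real binlog.
BINLOG_TEXT = """\
#200823 20:36:57 server id 1  end_log_pos 360 CRC32 0x1a2b3c4d \tQuery\tthread_id=4126\texec_time=0\terror_code=0
SET TIMESTAMP=1598186217/*!*/;
DROP DATABASE `qf1999`
/*!*/;
#200823 20:36:57 server id 1  end_log_pos 461 CRC32 0x2b3c4d5e \tQuery\tthread_id=4126\texec_time=0\terror_code=0
SET TIMESTAMP=1598186217/*!*/;
DROP DATABASE `qf1998`
/*!*/;
"""

# Access-log lines based on this page's excerpt for 116.162.2.123 (query strings shortened),
# plus one constructed line for a hypothetical scanner at 203.0.113.9.
ACCESS_LOG = """\
203.0.113.9 - - [23/Aug/2020:18:02:10 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 162
116.162.2.123 - - [23/Aug/2020:20:21:58 +0800] "GET /pma HTTP/1.1" 301 301
116.162.2.123 - - [23/Aug/2020:20:22:01 +0800] "POST /pma/ajax.php HTTP/1.1" 200 1636
116.162.2.123 - - [23/Aug/2020:20:22:16 +0800] "GET /pma/db_structure.php?db=qf529261876&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9625
116.162.2.123 - - [23/Aug/2020:20:23:06 +0800] "GET /pma/db_structure.php?db=mysql&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 9954
116.162.2.123 - - [23/Aug/2020:20:24:54 +0800] "GET /pma/sql.php?db=qf529261876&table=shua_config&token=255b623043524b3c3a2e6b6d42355e49 HTTP/1.1" 200 10867
116.162.2.123 - - [23/Aug/2020:20:36:57 +0800] "GET /pma/themes/pmahomme/jquery/images/ui-icons_888888_256x240.png HTTP/1.1" 200 3765
116.162.2.123 - - [23/Aug/2020:20:36:58 +0800] "POST /pma/server_databases.php HTTP/1.1" 200 1659
"""

TS_RE = re.compile(r"^SET TIMESTAMP=(\d+)")
DDL_RE = re.compile(r"^(?P<verb>DROP|CREATE)\s+(?:DATABASE|SCHEMA)\s+"
                    r"(?:IF\s+(?:NOT\s+)?EXISTS\s+)?`?(?P<db>[^`\s;]+)", re.IGNORECASE)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+')
# Assumed phpMyAdmin 5.0 endpoints whose POSTs change server state (prefix match).
STATE_CHANGING = ("/pma/server_databases.php", "/pma/sql.php", "/pma/import.php",
                  "/pma/tbl_", "/pma/db_")

def extract_ddl(binlog_text):
    """[(time, verb, db)] per DROP/CREATE DATABASE; the SET TIMESTAMP= epoch precedes its statement."""
    events, when = [], None
    for line in binlog_text.splitlines():
        if m := TS_RE.match(line):
            when = datetime.fromtimestamp(int(m.group(1)), SERVER_TZ)
        elif (m := DDL_RE.match(line)) and when is not None:
            events.append((when, m["verb"].upper(), m["db"]))
    return events

def parse_access_log(text):
    """Common-log-format lines -> dicts with an aware datetime and a parsed query string."""
    rows = []
    for line in text.splitlines():
        if m := LOG_RE.match(line):
            path, _, query = m["url"].partition("?")
            rows.append({"ip": m["ip"], "method": m["method"], "path": path,
                         "query": parse_qs(query), "status": int(m["status"]),
                         "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")})
    return rows

def correlate(events, rows, window_seconds=2):
    """Pair each DDL event with the POSTs logged within +/- window_seconds. Only POSTs count
    (every state-changing phpMyAdmin action is one); the window absorbs the usual skew
    between statement execution and the web server's log timestamp."""
    window = timedelta(seconds=window_seconds)
    return [{"time": t, "verb": v, "db": db, "requests": [
                r for r in rows if r["method"] == "POST" and abs(r["time"] - t) <= window]}
            for t, v, db in events]

def summarize_by_ip(rows):
    """Per IP: activity window, 404s, token-bearing (logged-in) requests, db= names, POST targets."""
    by_ip = {}
    for r in rows:
        s = by_ip.setdefault(r["ip"], {"first": r["time"], "last": r["time"], "requests": 0,
                                       "not_found": 0, "authenticated": 0, "dbs": set(),
                                       "posts": Counter()})
        s["first"], s["last"] = min(s["first"], r["time"]), max(s["last"], r["time"])
        s["requests"] += 1
        s["not_found"] += int(r["status"] == 404)
        s["authenticated"] += int("token" in r["query"])  # pma adds token= only once logged in
        s["dbs"].update(db for db in r["query"].get("db", []) if db)
        if r["method"] == "POST":
            s["posts"][r["path"]] += 1
    return by_ip

def classify(s):
    """Coarse label only: the access log never holds the POST body, so it cannot tell a
    'create database' POST from a 'drop selected databases' POST; the binlog settles that."""
    if any(p.startswith(STATE_CHANGING) for p in s["posts"]):
        return "changed database state"
    return "browsed while logged in" if s["authenticated"] else "scan / unauthenticated probing"

if __name__ == "__main__":
    rows = parse_access_log(ACCESS_LOG)
    for hit in correlate(extract_ddl(BINLOG_TEXT), rows):
        print(f"{hit['time']:%Y-%m-%d %H:%M:%S} {hit['verb']} DATABASE {hit['db']} <-",
              ", ".join(f"{r['ip']} {r['time']:%H:%M:%S} POST {r['path']}" for r in hit["requests"]))
    for ip, s in sorted(summarize_by_ip(rows).items(), key=lambda kv: kv[1]["first"]):
        print(f"{ip:<14} {s['first']:%Y-%m-%d %H:%M:%S} --> {s['last']:%H:%M:%S} {s['requests']} req,"
              f" dbs={sorted(s['dbs'])}, posts={dict(s['posts'])}: {classify(s)}")
```

To use it on real evidence, replace the two sample strings with the contents of 1.txt (the mysqlbinlog output) and access.log. Only POSTs are matched against binlog events because every state-changing phpMyAdmin action is a POST; widen the window if the web and database servers are separate hosts with unsynchronised clocks. The per-IP labels are deliberately coarse: a POST to /pma/server_databases.php could be either "create database" or "drop selected databases", and only the binlog says which, so treat the output as a list of sessions to examine, not as a verdict.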

A defensive note first: a dozen unrelated IPs all reached authenticated phpMyAdmin pages within a few hours, so whatever credential was in use was evidently no longer secret. phpMyAdmin should not be reachable from the internet at all (put it behind IP allow-listing or a VPN), and binary logging, which is what made this reconstruction possible, should stay enabled and be copied off-host so that an attacker who drops the data cannot also purge the evidence.
One last word: sabotaging computer systems carries severe criminal penalties. Do not try it.