MySQL Max_allowed_packet repeatedly was reset, the original server was hacked.

Recently do a project, because the team is not in the same office location, has made an external network to do development and testing environment.

In the long period of development and testing, MySQL frequently reported that caused by:com.mysql.jdbc.PacketTooBigException:Packet for query was too large (1354 > 1024). You can change this value on the server by setting the Max_allowed_packet ' variable.

After setting the value of the Max_allowed_packet, it is reset to the default value after a while.

Finally, I found out that I was hacked.

First, turn on the MySQL log and record all SQL execution commands.

Mysql>Show variables like '%log%';+-----------------------------------------+---------------------------------+|Variable_name|Value|+-----------------------------------------+---------------------------------+|Back_log|  -                              ||Binlog_cache_size| 32768                           ||Binlog_direct_non_transactional_updates| OFF                             ||Binlog_format|STATEMENT||Expire_logs_days| 0                               ||General_log| OFF                             ||General_log_file| /var/Run/Mysqld/Mysqld.Log      ||Innodb_flush_log_at_trx_commit| 1                               ||Innodb_locks_unsafe_for_binlog| OFF                             ||Innodb_log_buffer_size| 1048576                         ||Innodb_log_file_size| 5242880                         ||Innodb_log_files_in_group| 2                               ||Innodb_log_group_home_dir|./                              ||Innodb_mirrored_log_groups| 1                               || Log                                     | OFF                             ||Log_bin| OFF                             ||Log_bin_trust_function_creators| OFF                             ||Log_bin_trust_routine_creators| OFF                             ||Log_error| /var/Log/Mysqld.Log             ||Log_output| FILE                            ||Log_queries_not_using_indexes| OFF                             ||Log_slave_updates| OFF                             ||Log_slow_queries| OFF                             ||Log_warnings| 1                               ||Max_binlog_cache_size| 18446744073709547520            ||Max_binlog_size| 1073741824                      ||Max_relay_log_size| 0                               ||Relay_log|                                 ||Relay_log_index|                                 ||Relay_log_info_file|Relay-Log. info||Relay_log_purge|  on                              ||Relay_log_space_limit| 0                               ||Slow_query_log| OFF                             ||Slow_query_log_file| /var/Run/Mysqld/Mysqld-Slow.Log ||Sql_log_bin|  on                              ||Sql_log_off| OFF                             ||Sql_log_update|  on                              ||Sync_binlog| 0                               |+-----------------------------------------+---------------------------------+ -Rowsinch Set(0.00Sec

mysql> Set Global general_log = on;
Query OK, 0 rows affected (0.01 sec)

Two, the next day to get the log file (/var/run/mysqld/mysqld-slow.log)

A large number of modification traces and SQL injections were found.

Learned from log, there are many IP logins, there are all over the country, and the United States, mainly carried out these operations: modify the MySQL-related security parameters, set some variable values, download the script from an address, and execute (should be a Trojan).

Iii. Temporary Solutions:

1, re-install the system, or download anti-virus software.

2, open the firewall, only the port to provide services.

3, user name and password are set a bit more complex.

MySQL Max_allowed_packet repeatedly was reset, the original server was hacked.