Find the real killer: who is connecting to my database?

Find the real killer: who is connecting to my database?

Qunyingliu

2014.10.31

Background:

Database migration needs to comb the database authentication information, the business database configuration information is relatively loose, the known has been modified but there are always some orders.

How do you find the real killer?

1. Log in to the database server to view the network links to the database:

SSH 1.1.

Netstat-ntp|grep "Database IP: Database Port"

View the connections already established on the database server, as shown in:

TCP 0 0 10.1.1.85:3306 10.2.1.33:3610 established 13025/mysqld

For a machine network connection that cannot be viewed, the source IP and port number can be determined by MySQL---->show processlist:

mysql> show processlist;+-----------+------------+----------------------+------+-------------+--- -------+----------------------------------------------------------------+-------------------------------------- ----------------------------------------------------------------+| id         | User       | Host                  | db   |  command     | time     | state                                                              | info                                                                                                      |+-----------+------------+----------------------+------+-------------+--- -------+----------------------------------------------------------------+-------------------------------------- ----------------------------------------------------------------+| 204883537 | hehe     | 10.2.1.33:3610  | null | select * from a.table  | 13428752  |sleep| null 

2. Log in to the business Server that is connected to the database, such as 10.2.1.33

View via network connection Status:

TCP 0 0 10.2.1.33:3610 10.1.1.85:3306 established 709/datasend

In general, through the network connection status can see the corresponding process ID and process name, such as PID 709, process named Datasend (a random name).

However, there are times when you encounter the following situations:

TCP 0 0 10.2.1.33:3610 10.1.1.85:3306 established-----

Where is the process ID and process name replaced by a horizontal line or a set of horizontal lines?

3. Through the Lsof-i: port number, such as lsof-i:3610, you can view the process ID and process name for that port number on the business machine.

Myhost # Lsof-i:3610command PID USER FD TYPE DEVICE size/off NODE namedatasend 709 root 3u IPv4 1600769833 0t0 TCP 10.2.1.33:3610->mydbhost:mysql (established)

PID and command have been found, if it is not clear which process, through the Ll/proc/${pid}/exe

We can find the corresponding program.

This, the corresponding machine IP, port number, process, program address, have found, can find the victim to chat and drink tea.

This article from "Ops said: from rookie to veteran" blog, please be sure to keep this source http://liuqunying.blog.51cto.com/3984207/1570529

Find the real killer: who is connecting to my database?