1. Causes
The program's SQL statement is fairly long, and the max_allowed_packet default is 1024, so the error occurred. I started by manually changing the global max_allowed_packet. After the change, it was inexplicably restored. Later changes to the configuration file still did not work (in fact, the configuration file had not taken effect from the beginning, which I only found out later). This happened several times, and it was annoying. So yesterday I searched Baidu. One of the results said the server might have been hacked, and recommended turning on general_log to look at the records. I decided to try it.
2. Current situation
I turned the log on yesterday and checked it this morning. Something was wrong as soon as I looked at it. Sure enough, the server had been hacked.
It might have been breached before: the login went through smoothly. The intruder looked up the system version, then started granting privileges, then started adding a user.
I looked up the IP address: Shaoxing, Zhejiang.
Connection record
Trojan horse files. I went to the directory, and there were already several Trojans, each with a different name. No wonder the antivirus software had been reporting a virus. This was the reason.
3. First round
First I removed the hacker's new user. I stopped allowing remote logins for the root user and created a new user. The result was that the database still could not be connected to at night, intermittently.
The password was being brute-forced constantly. Although root login was forbidden, this felt a bit like a DDoS: I could not connect myself.
4. Second round
The default port is 3306. Hackers can scan for it with software and brute-force it. So I changed the port. After that I could connect smoothly.
5. Postscript
This really was my first close contact with hackers. It used to be my own doing: clicking on some unknown installer that had a Trojan in it. It was really good to see their SQL statements this time. There is a lot in them that I did not know myself, such as writing files and so on. I did not pay attention to the statement that makes the file run. I think there should also be something that automatically loads the Trojan to let it run.
I really didn't pay much attention to security in the past. I thought it was just a matter of restricting the user and changing the port. I don't think he can get in. In fact, changing the port is the more important part.
I think he's going to scan the ports.
The second part of the picture above is what I saw in the morning. There is also a part from the night, when I could not get on to look. I just put them together.
Here are some of the commands used this time.
Check whether the log is turned on
SHOW VARIABLES LIKE '%general_log%'; -- see whether it is on
SET GLOBAL general_log = on; -- turn it on
SET GLOBAL general_log_file='g:\\mysql.log'; -- log path
The log takes up a fair amount of space, but when something does not feel right, it is worth keeping on for a day or two to see whether there is anything abnormal. And there's no need to restart the MySQL service.
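With general_log turned on, the log file can be scanned for the activity this post describes: version lookups, grants, new accounts, file writes and repeated failed logins. This is an added example, not code from the original post; the sample log lines, addresses, account names and the rule set are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the general query log file layout (not taken from the post).
SAMPLE_LOG = """\
2017-05-12T01:10:01.000000Z\t   11 Connect\tAccess denied for user 'root'@'203.0.113.7' (using password: YES)
2017-05-12T01:10:02.000000Z\t   12 Connect\tAccess denied for user 'root'@'203.0.113.7' (using password: YES)
2017-05-12T01:10:03.000000Z\t   13 Connect\tAccess denied for user 'admin'@'203.0.113.7' (using password: YES)
2017-05-12T01:10:09.000000Z\t   14 Connect\troot@203.0.113.7 on  using TCP/IP
2017-05-12T01:10:10.000000Z\t   14 Query\tselect version()
2017-05-12T01:10:11.000000Z\t   14 Query\tGRANT ALL PRIVILEGES ON *.* TO 'tmp_admin'@'%'
2017-05-12T01:10:12.000000Z\t   14 Query\tCREATE USER 'tmp_admin'@'%' IDENTIFIED BY <secret>
2017-05-12T01:10:13.000000Z\t   14 Query\tSELECT data FROM staging INTO DUMPFILE 'C:/constructed/example.bin'
2017-05-12T08:00:00.000000Z\t   15 Connect\tapp@198.51.100.20 on shop using TCP/IP
2017-05-12T08:00:01.000000Z\t   15 Query\tSELECT id FROM orders WHERE id = 5
"""

ENTRY = re.compile(r"(\d+)\s+(Connect|Query)\s+(.*)$")        # thread id, command, argument
DENIED = re.compile(r"Access denied for user '([^']*)'@'([^']*)'")
LOGIN = re.compile(r"(\S+)@(\S+) on\b")
RULES = {  # assumed rule set, limited to the statement types named in the post
    "version lookup": re.compile(r"\bversion\s*\(|@@version", re.I),
    "account created": re.compile(r"\bcreate\s+user\b", re.I),
    "privileges granted": re.compile(r"\bgrant\b.+\bto\b", re.I),
    "file written": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
}

def scan(log_text, fail_threshold=3):
    """Return (findings, brute): flagged queries and hosts with many failed logins."""
    sessions, failures, findings = {}, Counter(), []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # header or continuation line of a multi-line query
        tid, command, arg = m.groups()
        if command == "Connect":
            denied = DENIED.search(arg)
            if denied:
                failures[denied.group(2)] += 1        # count failures per source host
            elif login := LOGIN.match(arg):
                sessions[tid] = f"{login.group(1)}@{login.group(2)}"
            continue
        for label, rule in RULES.items():
            if rule.search(arg):
                findings.append((sessions.get(tid, "unknown"), label, arg))
    brute = {host: n for host, n in failures.items() if n >= fail_threshold}
    return findings, brute
```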
This is the MySQL no-install version on a test machine. To start it, double-click mysqld.exe.
The shutdown command is run from the bin directory. Hold down Shift and right-click; there is an option to open a command window here. Then do the following.
<installation directory>\bin\mysqladmin -uroot -p shutdown
Show user Permissions
SHOW GRANTS FOR 'username'@'localhost';
View User
SELECT * FROM mysql.user;
Insert User
CREATE USER 'username'@'host' IDENTIFIED BY 'password';
Authorized
GRANT <privileges> ON <database>.* TO 'username'@'%';
About changing the port: there is a my-default.ini file in the no-install directory. Changing it directly has no effect, because it is not enabled. Make a copy and rename it to my.ini.
To change the port, add a line port=xxx to this configuration file.
MySQL attack and battle caused by Max_allowed_packet