Articles on this site are original unless marked as reprints: reprinted from love wife & love life, Roger's Oracle & MySQL technical blog
Permalink: MySQL files is encrypted
Today a customer's Alibaba Cloud MySQL database was hit by a bitcoin ransomware attack; logging in remotely, we found the following:

[root@iz2ze8haa041iojxx2kpoyz data]# ls -ltr
total 188456
-rw-r----- 1 mysql mysql 50331648 Jul 17  2018 ib_logfile1
-rw-r----- 1 mysql mysql       56 Jul 17  2018 auto.cnf
drwxr-x--- 2 mysql mysql     4096 Jul 17  2018 performance_schema
drwxr-x--- 2 mysql mysql     4096 Jul 17  2018 mysql
drwxr-x--- 2 mysql mysql    12288 Jul 17  2018 sys
-rw-r----- 1 mysql mysql        5 Dec 21  2018 izm5ei6slp0lyg8ksv21xiz.pid
drwxr-x--- 2 mysql mysql     4096 Nov 12 00:33 please_read_me_vvv
-rw-r----- 1 mysql mysql      509 Nov 13 14:00 ib_buffer_pool
-rw-r----- 1 mysql mysql        6 Nov 13 14:00 iz2ze8haa041iojxx2kpoyz.pid
-rw-r----- 1 mysql mysql 12582912 Nov 13 14:00 ibtmp1
-rw-r----- 1 mysql mysql 79691776 Nov 13 14:00 ibdata1
-rw-r----- 1 mysql mysql 50331648 Nov 13 14:00 ib_logfile0

[root@iz2ze8haa041iojxx2kpoyz please_read_me_vvv]# strings warning.frm
PRIMARY
InnoDB
)
warning
Bitcoin_Address
Email
warning
Bitcoin_Address
Email
We can see that a please_read_me_vvv database directory has appeared; looking further into its contents, we found the following:

[root@iz2ze8haa041iojxx2kpoyz please_read_me_vvv]# strings warning.ibd
infimum
supremum
To recover your lost Database send 0.03 Bitcoin (BTC) to our Bitcoin address 15kC34VHccYFD7VAAK2oT8JnDNEWUitAFw and contact us by Email with your Server IP or Domain name and a Proof of Payment. Your Database is downloaded and backed up on our servers. Backups that we have right now: tecbjyxh. Any email without your server IP Address or Domain Name and a Proof of Payment together will be ignored. If we dont receive your payment in the next 10 Days, we will delete your backup.
15kC34VHccYFD7VAAK2oT8JnDNEWUitAFw
sqlbackup2019@pm.me
infimum
supremum
To recover your lost Database send 0.03 Bitcoin (BTC) to our Bitcoin address 15kC34VHccYFD7VAAK2oT8JnDNEWUitAFw and contact us by Email with your Server IP or Domain name and a Proof of Payment. Your Database is downloaded and backed up on our servers. Backups that we have right now: tecbjyxh. Any email without your server IP Address or Domain Name and a Proof of Payment together will be ignored. If we dont receive your payment in the next 10 Days, we will delete your backup.
15kC34VHccYFD7VAAK2oT8JnDNEWUitAFw
sqlbackup2019@pm.me
This is clearly the ransom note left behind by the attacker: the decrypted content is only handed over after 3 bitcoins have been paid.
Scanning the whole disk with an InnoDB recovery tool and reading several of the recovered page files showed that their contents had all been encrypted.
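As an added example (not code from the original post), the following Python script automates the check done above with `ls` and `strings`: it walks a MySQL datadir, flags database directories whose name matches the ransom-note schema seen in the listing, and extracts note-like printable strings from every .ibd file, so a renamed variant is still caught by its content rather than its name. The datadir it builds, the detection patterns and the sample note are constructed for the example; the bitcoin address and e-mail in the sample are made up.

```python
import os
import re
import tempfile

# Indicators taken from the listing above (the please_read_me_vvv database and the
# wording of the note). The address regex only matches the shape of a legacy
# bitcoin address; it is a heuristic, not a list of known addresses.
SUSPICIOUS_DB_NAMES = ("please_read_me", "readme_to_recover")
RANSOM_PATTERNS = (
    re.compile(rb"send\s+[0-9.]+\s+bitcoin", re.IGNORECASE),
    re.compile(rb"proof of payment", re.IGNORECASE),
    re.compile(rb"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
)
MIN_STRING_LEN = 8


def printable_strings(data, min_len=MIN_STRING_LEN):
    """Roughly what `strings` prints: runs of printable ASCII of at least min_len bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def scan_ibd(path):
    """Return the printable strings in one .ibd tablespace that look like a ransom note."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [s.decode("ascii") for s in printable_strings(data)
            if any(p.search(s) for p in RANSOM_PATTERNS)]


def scan_datadir(datadir):
    """Walk a MySQL datadir (one subdirectory per database) and report suspicious databases.

    A database is reported if its name matches a known ransom-note name or if any of
    its .ibd files contains note-like text.
    """
    findings = []
    for db in sorted(os.listdir(datadir)):
        db_path = os.path.join(datadir, db)
        if not os.path.isdir(db_path):
            continue  # ibdata1, ib_logfile*, *.pid and friends live at the top level
        name_match = any(tag in db.lower() for tag in SUSPICIOUS_DB_NAMES)
        notes = {}
        for fname in sorted(os.listdir(db_path)):
            if fname.endswith(".ibd"):
                hits = scan_ibd(os.path.join(db_path, fname))
                if hits:
                    notes[fname[:-4]] = hits
        if name_match or notes:
            findings.append({"database": db, "name_match": name_match, "notes": notes})
    return findings


# Constructed sample: a clean 'mysql' schema plus a fake ransom database whose note
# mirrors the wording seen above, with a made-up address (hypothetical, not real).
SAMPLE_NOTE = (
    b"To recover your lost Database send 0.03 Bitcoin (BTC) to our Bitcoin address "
    b"1ConstructedSampAddrNotRea1ABCDEFGH and contact us by Email with your Server IP "
    b"or Domain name and a Proof of Payment."
)


def build_sample_datadir():
    """Create a throwaway datadir layout resembling the listing above and return its path."""
    root = tempfile.mkdtemp(prefix="mysql_datadir_")
    os.mkdir(os.path.join(root, "mysql"))
    with open(os.path.join(root, "mysql", "user.ibd"), "wb") as fh:
        fh.write(b"\x00" * 64 + b"infimum\x00supremum\x00root\x00localhost\x00" + b"\xff" * 64)
    os.mkdir(os.path.join(root, "please_read_me_vvv"))
    with open(os.path.join(root, "please_read_me_vvv", "warning.ibd"), "wb") as fh:
        fh.write(b"\x00" * 64 + b"infimum\x00supremum\x00" + SAMPLE_NOTE + b"\x00" * 64)
    with open(os.path.join(root, "ibdata1"), "wb") as fh:
        fh.write(b"\x00" * 128)  # top-level system tablespace, skipped by the scanner
    return root


if __name__ == "__main__":
    for finding in scan_datadir(build_sample_datadir()):
        print(finding["database"], "name_match=%s" % finding["name_match"])
        for table, strings in finding["notes"].items():
            for s in strings:
                print("  %s: %s" % (table, s))
```

Run it against a real datadir by calling `scan_datadir("/var/lib/mysql")` (or whatever `datadir` is set to) as the mysql user or root; on the sample it reports only the please_read_me_vvv database, with the note text extracted from warning.ibd, and stays silent on the mysql schema.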
The ransomware appears to work roughly as follows:
1. Back up the original table.
2. Encrypt the backup table and drop the original.
The encryption uses MySQL's built-in AES encryption function; even so, breaking it by hand is still very hard.
So recovering this case is fairly difficult; a way to recover the deleted InnoDB files would have to be found.
The mechanism analysed here is essentially the same as the one described in this Sangfor (深信服) team write-up, for reference: https://www.freebuf.com/articles/system/213975.html
This kind of attack mainly exploits weak MySQL passwords, so please take note!