A record of a ransomware attack on a MySQL database

艺帆风顺, published 2025-04-03


I. Symptoms:

1 Your databases have been deleted. You must pay 0.0155 Bitcoin (BTC) to get them back. Backups I have: . Contact me via chun0382@proton.me. Only emails related to payment will be answered! bc1quddwelruzxlgjy683f332rq9xlgh9tvgxw6s74 chun0382@proton.me

II. Log analysis

    The MySQL database runs inside a Docker container, so the server host itself was not affected.

    Check the container logs:

# docker logs mysqlserver

2023-07-25T11:49:20.913169Z 428 [Warning] [MY-010058] [Server] Hostname 'apzg-0729a-073.stretchoid.com' does not resolve to '162.243.133.45'.
2023-07-25T12:01:02.510918Z 489 [Warning] [MY-010055] [Server] IP address '185.167.96.150' could not be resolved: Name or service not known
2023-07-25T12:05:49.674369Z 515 [Warning] [MY-010055] [Server] IP address '45.91.171.169' could not be resolved: Name or service not known
2023-07-25T14:17:41.344522Z 1181 [Warning] [MY-010055] [Server] IP address '168.138.132.67' could not be resolved: Name or service not known
2023-07-25T14:29:12.694843Z 1322 [Warning] [MY-010057] [Server] IP address '104.199.31.214' has been resolved to the host name '214.31.199.104.bc.googleusercontent.com', which resembles IPv4-address itself.
2023-07-25T14:49:37.522190Z 1424 [Warning] [MY-010055] [Server] IP address '159.203.74.55' could not be resolved: Name or service not known
2023-07-25T15:04:35.548966Z 1505 [Warning] [MY-010055] [Server] IP address '203.177.99.82' could not be resolved: Name or service not known
2023-07-25T15:04:38.597247Z 1508 [Warning] [MY-010055] [Server] IP address '193.142.146.118' could not be resolved: Name or service not known
mbind: Operation not permitted
2023-07-25T18:42:32.629024Z 2822 [Warning] [MY-010055] [Server] IP address '185.233.19.136' could not be resolved: Name or service not known
2023-07-25T19:58:35.473053Z 3279 [Warning] [MY-010056] [Server] Host name '192-227-193-109-host.colocrossing.com' could not be resolved: Name or service not known
2023-07-25T23:02:39.578650Z 4384 [Warning] [MY-010055] [Server] IP address '183.136.225.31' could not be resolved: Name or service not known
2023-07-25T23:30:26.633669Z 4552 [Warning] [MY-010058] [Server] Hostname 'azpg-0725n-067.stretchoid.com' does not resolve to '162.243.136.20'.
2023-07-26T00:37:46.158972Z 4956 [Warning] [MY-010055] [Server] IP address '117.22.109.126' could not be resolved: Name or service not known
mbind: Operation not permitted
mbind: Operation not permitted
mbind: Operation not permitted
mbind: Operation not permitted
mbind: Operation not permitted
mbind: Operation not permitted
mbind: Operation not permitted
mbind: Operation not permitted
mbind: Operation not permitted
mbind: Operation not permitted
mbind: Operation not permitted
mbind: Operation not permitted
2023-07-26T06:49:11.531543Z 0 [Warning] [MY-010909] [Server] /usr/sbin/mysqld: Forcing close of thread 4969 user: 'root'.
2023-07-26T06:49:13.438557Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.15) MySQL Community Server - GPL.
2023-07-26T07:36:04.612657Z 0 [Warning] [MY-011070] [Server] 'Disabling symbolic links using --skip-symbolic-links (or equivalent) is the default. Consider not using this option as it' is deprecated and will be removed in a future release.
2023-07-26T07:36:04.612823Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.15) starting as process 1
2023-07-26T07:36:09.044323Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2023-07-26T07:36:09.303084Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
2023-07-26T07:36:09.618601Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.15' socket: '/var/run/mysqld/mysqld.sock' port: 3306 MySQL Community Server - GPL.
2023-07-26T07:36:09.949736Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Socket: '/var/run/mysqld/mysqlx.sock' bind-address: '::' port: 33060
2023-07-26T07:36:19.888847Z 8 [Warning] [MY-010055] [Server] IP address '172.17.0.1' could not be resolved: Name or service not known
2023-07-26T07:36:30.234776Z 9 [Warning] [MY-010055] [Server] IP address '117.22.109.126' could not be resolved: Name or service not known
mbind: Operation not permitted
mbind: Operation not permitted
mbind: Operation not permitted
2023-07-26T07:39:51.886740Z 0 [Warning] [MY-010909] [Server] /usr/sbin/mysqld: Forcing close of thread 13 user: 'ylcloud'.
2023-07-26T07:39:51.887511Z 0 [Warning] [MY-010909] [Server] /usr/sbin/mysqld: Forcing close of thread 14 user: 'ylcloud'.
2023-07-26T07:39:53.863003Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.15) MySQL Community Server - GPL.
2023-07-26T07:48:44.976757Z 0 [Warning] [MY-011070] [Server] 'Disabling symbolic links using --skip-symbolic-links (or equivalent) is the default. Consider not using this option as it' is deprecated and will be removed in a future release.
2023-07-26T07:48:44.976917Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.15) starting as process 1
2023-07-26T07:48:49.690285Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2023-07-26T07:48:49.746831Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
2023-07-26T07:48:50.179890Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.15' socket: '/var/run/mysqld/mysqld.sock' port: 3306 MySQL Community Server - GPL.
2023-07-26T07:48:50.322060Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Socket: '/var/run/mysqld/mysqlx.sock' bind-address: '::' port: 33060
2023-07-26T08:01:53.402892Z 8 [Warning] [MY-010055] [Server] IP address '117.22.109.126' could not be resolved: Name or service not known
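The brute-force signal in a log like this is easy to miss by eye: the only per-client lines MySQL writes are reverse-DNS warnings, but the connection id in the second column is a sequential counter, so the jump from 428 to 4956 in under 13 hours means thousands of connections that left no line at all. The following parser is an added example (not from the original post) that extracts the remote addresses from the MY-010055 to MY-010058 warnings and estimates the connection rate from that counter; the sample text is a few lines copied from the log above.

```python
import re
from collections import Counter
from datetime import datetime

# MySQL 8 error-log line as printed by `docker logs`:
# <timestamp> <connection-id> [<level>] [<code>] [<subsystem>] <message>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z) (?P<conn>\d+) "
    r"\[(?P<level>\w+)\] \[(?P<code>MY-\d+)\] \[\w+\] (?P<msg>.*)$"
)
# Remote address as written by MY-010055/MY-010057 (IP) or MY-010056/MY-010058 (hostname)
ADDR_RE = re.compile(r"(?:IP address|Hostname|Host name) '([^']+)'")
RESOLVE_CODES = {"MY-010055", "MY-010056", "MY-010057", "MY-010058"}

# Sample input: a few lines taken from the page's `docker logs` output
SAMPLE = """\
2023-07-25T11:49:20.913169Z 428 [Warning] [MY-010058] [Server] Hostname 'apzg-0729a-073.stretchoid.com' does not resolve to '162.243.133.45'.
2023-07-25T12:01:02.510918Z 489 [Warning] [MY-010055] [Server] IP address '185.167.96.150' could not be resolved: Name or service not known
mbind: Operation not permitted
2023-07-25T12:05:49.674369Z 515 [Warning] [MY-010055] [Server] IP address '45.91.171.169' could not be resolved: Name or service not known
2023-07-26T00:37:46.158972Z 4956 [Warning] [MY-010055] [Server] IP address '117.22.109.126' could not be resolved: Name or service not known
2023-07-26T06:49:11.531543Z 0 [Warning] [MY-010909] [Server] /usr/sbin/mysqld: Forcing close of thread 4969 user: 'root'.
"""

def parse(text):
    """Yield (datetime, connection_id, code, message) for each well-formed line;
    noise such as 'mbind: Operation not permitted' does not match and is skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ"),
                   int(m["conn"]), m["code"], m["msg"])

def remote_addresses(text):
    """Count the remote IPs/hostnames that MySQL tried to reverse-resolve."""
    hits = Counter()
    for _, _, code, msg in parse(text):
        if code in RESOLVE_CODES:
            a = ADDR_RE.search(msg)
            if a:
                hits[a.group(1)] += 1
    return hits

def connection_rate(text):
    """Approximate connections per hour from the sequential connection-id counter.
    Server-level messages carry id 0 and are ignored."""
    rows = [(ts, cid) for ts, cid, _, _ in parse(text) if cid > 0]
    (t0, c0), (t1, c1) = rows[0], rows[-1]
    hours = (t1 - t0).total_seconds() / 3600
    return (c1 - c0) / hours if hours else 0.0
```

On the sample above the rate comes out at roughly 350 connections per hour, one every ten seconds or so, which is the kind of sustained guessing a single exposed MySQL port attracts.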

III. Geolocation of the connecting IPs

185.167.96.150: China, Guangdong Province, Shenzhen, Nanshan District, No. 8 Gaoxin South 1st Road, Tencent Building.
45.91.171.169: Germany.
168.138.132.67: China, Zhejiang Province, Hangzhou, Xihu District, No. 478 Wensan Road, Zhejiang University Yuquan Campus.
104.199.31.214: China, Henan Province, Zhengzhou, Jinshui District, No. 8 Jingsan Road, Zhongyuan University of Technology.
159.203.74.55: China, Jiangsu Province, Nanjing, Gulou District, No. 88 Hanzhong Road, Nanjing University.
203.177.99.82: Singapore.
193.142.146.118: China, Zhejiang Province, Hangzhou, Xihu District, No. 478 Wensan Road, Zhejiang University Yuquan Campus.
185.233.19.136: China, Guangdong Province, Shenzhen, Nanshan District, No. 8 Gaoxin South 1st Road, Tencent Building.
183.136.225.31: China, Guangdong Province, Guangzhou, Tianhe District, No. 600 Huangpu Avenue West, South China University of Technology.
117.22.109.126: China, Taiwan Province, Taipei, Zhongzheng District, No. 22 Section 2 Zhongxiao East Road, National Chengchi University.

IV. Conclusions

    1) The server logs show a brute-force attack;

    2) The database used a weak password; a complex password should be set and the default port changed;

    3) The cloud server should strictly restrict which IPs may connect, and be hardened;

    4) Running the application under Docker adds some security.

    This was test data on a test server, so there was no real impact; treat it as a lesson learned.