Today a customer's Alibaba Cloud MySQL database was hit by a Bitcoin ransomware attack; logging in remotely, I found the following:
[root@iz2ze8haa041iojxx2kpoyz data]# ls -ltr
total 188456
-rw-r----- 1 mysql mysql 50331648 Jul 17 2018 ib_logfile1
-rw-r----- 1 mysql mysql 56 Jul 17 2018 auto.cnf
drwxr-x--- 2 mysql mysql 4096 Jul 17 2018 performance_schema
drwxr-x--- 2 mysql mysql 4096 Jul 17 2018 mysql
drwxr-x--- 2 mysql mysql 12288 Jul 17 2018 sys
-rw-r----- 1 mysql mysql 5 Dec 21 2018 izm5ei6slp0lyg8ksv21xiz.pid
drwxr-x--- 2 mysql mysql 4096 Nov 12 00:33 please_read_me_vvv
-rw-r----- 1 mysql mysql 509 Nov 13 14:00 ib_buffer_pool
-rw-r----- 1 mysql mysql 6 Nov 13 14:00 iz2ze8haa041iojxx2kpoyz.pid
-rw-r----- 1 mysql mysql 12582912 Nov 13 14:00 ibtmp1
-rw-r----- 1 mysql mysql 79691776 Nov 13 14:00 ibdata1
-rw-r----- 1 mysql mysql 50331648 Nov 13 14:00 ib_logfile0
[root@iz2ze8haa041iojxx2kpoyz please_read_me_vvv]# strings warning.frm
PRIMARY
InnoDB
)
warning
Bitcoin_Address
warning
Bitcoin_Address
We can see that a new directory named please_read_me_vvv (a planted database) has appeared; looking further into its contents, we find the following:
[root@iz2ze8haa041iojxx2kpoyz please_read_me_vvv]# strings warning.ibd
infimum
supremum
To recover your lost Database send 0.03 Bitcoin (BTC) to our Bitcoin address 15kC34VHccYFD7VAAK2oT8JnDNEWUitAFw and contact us by Email with your Server IP or Domain name and a Proof of Payment. Your Database is downloaded and backed up on our servers. Backups that we have right now: tecbjyxh. Any email without your server IP Address or Domain Name and a Proof of Payment together will be ignored. If we dont receive your payment in the next 10 Days, we will delete your backup.15kC34VHccYFD7VAAK2oT8JnDNEWUitAFwsqlbackup2019@pm.me
infimum
supremum
To recover your lost Database send 0.03 Bitcoin (BTC) to our Bitcoin address 15kC34VHccYFD7VAAK2oT8JnDNEWUitAFw and contact us by Email with your Server IP or Domain name and a Proof of Payment. Your Database is downloaded and backed up on our servers. Backups that we have right now: tecbjyxh. Any email without your server IP Address or Domain Name and a Proof of Payment together will be ignored. If we dont receive your payment in the next 10 Days, we will delete your backup.15kC34VHccYFD7VAAK2oT8JnDNEWUitAFwsqlbackup2019@pm.me
This is clearly the ransom note left by the attacker: the decryption material is only handed over after 3 Bitcoin have been received.
Scanning the whole disk with the InnoDB recovery tool and reading several of the recovered page files showed that their contents had all been encrypted.
It appears the ransomware works roughly as follows:
1. Back up the original table.
2. Encrypt the backup table and drop the original table.
The encryption uses MySQL's built-in AES encryption function; even so, breaking it manually is very difficult.
Recovering this case is therefore fairly hard; the deleted InnoDB files would have to be recovered somehow.
In principle the analysis matches this write-up by the Sangfor team, provided for reference: https://www.freebuf.com/articles/system/213975.html
This class of attack mainly exploits weak MySQL passwords; please take note!
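As an added example (not part of the original post), a defender-side Python check that scans a MySQL datadir for the indicators seen above: the planted please_read_me_* schema and an InnoDB table whose rows carry the ransom note. It constructs a sample datadir in a temporary directory; the schema name, note phrases and Bitcoin address are taken from the listing above, and the two-phrase threshold is an assumption of this example.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the incident above: the planted schema name, phrases from the
# note stored as a row in the `warning` table, and the shape of a legacy BTC address.
SUSPICIOUS_DIR = re.compile(r"^please_read_me", re.IGNORECASE)
NOTE_MARKERS = (b"To recover your lost Database", b"Bitcoin address", b"Proof of Payment")
BTC_ADDRESS = re.compile(rb"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def scan_datadir(datadir: Path) -> dict:
    """Return ransom indicators found under a MySQL datadir.

    Only schema directories are inspected (ibdata1/ib_logfile* are skipped). A
    table file is flagged when at least two note phrases occur in its raw bytes:
    InnoDB stores row data in the clear, which is why `strings warning.ibd` above
    exposed the note.
    """
    findings = {"suspicious_schemas": [], "note_files": [], "btc_addresses": set()}
    for schema in sorted(p for p in datadir.iterdir() if p.is_dir()):
        if SUSPICIOUS_DIR.search(schema.name):
            findings["suspicious_schemas"].append(schema.name)
        for table_file in schema.glob("*.ibd"):
            data = table_file.read_bytes()
            if sum(marker in data for marker in NOTE_MARKERS) >= 2:
                findings["note_files"].append(table_file.relative_to(datadir).as_posix())
                findings["btc_addresses"].update(m.decode() for m in BTC_ADDRESS.findall(data))
    return findings


def build_sample_datadir() -> Path:
    """Build a constructed throwaway datadir mimicking the listing above (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="mysql_datadir_"))
    for legit in ("mysql", "sys", "performance_schema"):
        (root / legit).mkdir()
    (root / "ibdata1").write_bytes(b"\x00" * 64)  # stand-in for the system tablespace
    evil = root / "please_read_me_vvv"
    evil.mkdir()
    note = (b"To recover your lost Database send 0.03 Bitcoin (BTC) to our Bitcoin address "
            b"15kC34VHccYFD7VAAK2oT8JnDNEWUitAFw and contact us ... Proof of Payment.")
    (evil / "warning.ibd").write_bytes(b"infimum\x00supremum\x00" + note)
    return root


if __name__ == "__main__":
    sample = build_sample_datadir()
    for key, value in scan_datadir(sample).items():
        print(f"{key}: {sorted(value)}")
```

Run it against the real datadir (with mysqld stopped or on a disk image) rather than the sample; a hit is a signal to preserve the volume for recovery before anything is dropped or rewritten.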
[Copyright notice] This article is original content by a 墨天轮 (modb.pro) user. When reproducing it, you must credit the source (墨天轮), the article link, the author and other basic information; otherwise the author and 墨天轮 reserve the right to pursue liability. If you find content on 墨天轮 suspected of plagiarism or infringement, please report it by email to contact@modb.pro with the relevant evidence; once verified, 墨天轮 will remove the content immediately.