RIP, folks, I'm screwed, my database seems to have been hijacked

I'm running a MySQL service in Docker and set up a New API instance for my own use. Today I found it didn't seem to work any more; when I checked, the mysql container had simply stopped, and the one-api database had vanished and turned into this:


This is the table's contents (I'll just attach a screenshot; my friend said that link might be logging IPs, and I don't want fellow forum members clicking it by mistake):

And here are the mysql container logs:

2024-05-30T05:04:44.594325Z 0 [System] [MY-015015] [Server] MySQL Server - start.
2024-05-30T05:04:46.791335Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.3.0) starting as process 1
2024-05-30T05:04:46.888693Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2024-05-30T05:04:48.311408Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2024-05-30T05:04:49.216394Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2024-05-30T05:04:49.217555Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
2024-05-30T05:04:49.231793Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
2024-05-30T05:04:49.476850Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /var/run/mysqld/mysqlx.sock
2024-05-30T05:04:49.477804Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.3.0'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server - GPL.
2024-05-30T05:37:40.805695Z 0 [System] [MY-013172] [Server] Received SHUTDOWN from user <via user signal>. Shutting down mysqld (Version: 8.3.0).
2024-05-30T05:37:44.531612Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.3.0)  MySQL Community Server - GPL.
2024-05-30T05:37:44.533039Z 0 [System] [MY-015016] [Server] MySQL Server - end.
2024-05-30 13:37:52+08:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.3.0-1.el8 started.
2024-05-30 13:37:53+08:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
2024-05-30 13:37:53+08:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.3.0-1.el8 started.
'/var/lib/mysql/mysql.sock' -> '/var/run/mysqld/mysqld.sock'
2024-05-30T05:37:54.108403Z 0 [System] [MY-015015] [Server] MySQL Server - start.
2024-05-30T05:37:56.695089Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.3.0) starting as process 1
2024-05-30T05:37:56.793288Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2024-05-30T05:37:58.026725Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2024-05-30T05:37:58.583600Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2024-05-30T05:37:58.585309Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
2024-05-30T05:37:58.589505Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
2024-05-30T05:37:58.680447Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /var/run/mysqld/mysqlx.sock
2024-05-30T05:37:58.683028Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.3.0'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server - GPL.
2024-06-01T16:20:12.477600Z 3822 [System] [MY-013172] [Server] Received SHUTDOWN from user root. Shutting down mysqld (Version: 8.3.0).
2024-06-01T16:20:14.187725Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.3.0)  MySQL Community Server - GPL.
2024-06-01T16:20:14.189579Z 0 [System] [MY-015016] [Server] MySQL Server - end.
2024-06-02 01:47:57+08:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.3.0-1.el8 started.
2024-06-02 01:47:58+08:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
2024-06-02 01:47:58+08:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.3.0-1.el8 started.
'/var/lib/mysql/mysql.sock' -> '/var/run/mysqld/mysqld.sock'
2024-06-01T17:47:58.648676Z 0 [System] [MY-015015] [Server] MySQL Server - start.
2024-06-01T17:47:59.763513Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.3.0) starting as process 1
2024-06-01T17:47:59.819055Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2024-06-01T17:48:00.769907Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2024-06-01T17:48:01.707624Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2024-06-01T17:48:01.708744Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
2024-06-01T17:48:01.725357Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
2024-06-01T17:48:02.015656Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /var/run/mysqld/mysqlx.sock
2024-06-01T17:48:02.029651Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.3.0'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server - GPL.

Aside from that, the VPS only allows key-based login, and the logs show no unusual logins either.

2 likes
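One thing worth pulling out of the log above: the first shutdown is reported as "from user &lt;via user signal&gt;" (what `docker stop` or a restart produces), while the second is "from user root" on connection id 3822, i.e. a SQL session that authenticated as root and issued SHUTDOWN. That distinction is the cheapest indicator that someone else was logged in. The script below is an added example, not part of the original post or of MySQL or New API; it parses the log lines quoted above and reports client-issued shutdowns plus how long the server was down afterwards.

```python
import re
from datetime import datetime, timezone

# Log lines copied from the container log in the post above (entrypoint lines omitted).
MYSQL_LOG = """\
2024-05-30T05:04:44.594325Z 0 [System] [MY-015015] [Server] MySQL Server - start.
2024-05-30T05:37:40.805695Z 0 [System] [MY-013172] [Server] Received SHUTDOWN from user <via user signal>. Shutting down mysqld (Version: 8.3.0).
2024-05-30T05:37:44.533039Z 0 [System] [MY-015016] [Server] MySQL Server - end.
2024-05-30T05:37:54.108403Z 0 [System] [MY-015015] [Server] MySQL Server - start.
2024-06-01T16:20:12.477600Z 3822 [System] [MY-013172] [Server] Received SHUTDOWN from user root. Shutting down mysqld (Version: 8.3.0).
2024-06-01T16:20:14.189579Z 0 [System] [MY-015016] [Server] MySQL Server - end.
2024-06-01T17:47:58.648676Z 0 [System] [MY-015015] [Server] MySQL Server - start.
"""

# Shape of a mysqld 8.x error-log line: timestamp, connection id, level, MY-code, subsystem, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z) (?P<conn>\d+) "
    r"\[(?P<level>\w+)\] \[(?P<code>MY-\d+)\] \[(?P<sub>\w+)\] (?P<msg>.*)$"
)
SHUTDOWN_RE = re.compile(r"Received SHUTDOWN from user (?P<user>.+?)\. ")


def parse(text):
    """Turn raw log text into a list of event dicts; lines in another shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        d["conn"] = int(d["conn"])
        events.append(d)
    return events


def find_client_shutdowns(events):
    """Return SHUTDOWN events issued by a logged-in SQL account rather than by a process signal."""
    hits = []
    for e in events:
        if e["code"] != "MY-013172":
            continue
        m = SHUTDOWN_RE.match(e["msg"])
        if not m:
            continue
        user = m.group("user")
        if user.startswith("<via"):
            continue  # signal-driven (docker stop/restart): expected operator activity
        hits.append({"ts": e["ts"], "conn": e["conn"], "user": user})
    return hits


def downtime_windows(events):
    """Pair each 'MySQL Server - end' with the next 'MySQL Server - start'; return (end, start, seconds)."""
    windows = []
    last_end = None
    for e in events:
        if e["code"] == "MY-015016":
            last_end = e["ts"]
        elif e["code"] == "MY-015015" and last_end is not None:
            windows.append((last_end, e["ts"], (e["ts"] - last_end).total_seconds()))
            last_end = None
    return windows


if __name__ == "__main__":
    evs = parse(MYSQL_LOG)
    for h in find_client_shutdowns(evs):
        print(f"{h['ts'].isoformat()} SHUTDOWN issued over SQL by '{h['user']}' (connection id {h['conn']})")
    for end, start, secs in downtime_windows(evs):
        print(f"down from {end.isoformat()} to {start.isoformat()} ({secs:.0f} s)")
```

Run against the quoted log it flags exactly one client-issued shutdown (root, connection 3822) and shows the server stayed down for roughly 88 minutes afterwards, which is the window in which the data was dropped and the ransom table written. The same check runs fine as a cron job over `docker logs mysql` output.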

If there's no backup, just start over.
Weak password and exposed to the public internet?

2 likes

Never seen this before, marking it.

I didn't really understand this stuff before and was connecting from my local machine with Navicat. Lesson learned: strong password plus disable public access :sob:

At least it wasn't anything too important (like payment details).

Yes, lesson learned. I'd seen similar posts from the veterans on this forum before but didn't pay attention at the time, and now it turns out I'm the Joker.

Been there; switching to a strong password and a different port solved it perfectly.

1 like

If a database sits on the public internet, you absolutely must use a strong password. Mine, for example, is 24 random characters; I only ever copy-paste it anyway and never type it by hand.

Changing the port is actually simple: if you don't want to edit the config to switch ports, you can just use nginx TCP forwarding to put it on a different port.

1 like

Thanks, mate.

If they're all container services you can also reach them via link.
Speaking of which, there are a lot of hackers around. I once had 2k in shopping gift cards fraudulently charged by a hacker; PayPal refunded me first and then chased it down themselves. I have to say their service is impressive, given that this one honestly felt like my own fault.

It's gone; just set it up again.

Don't expose the database to the public internet; just go through an SSH tunnel when you connect. Strong passwords and the like look fine, but if the database itself has a vulnerability, it's over.

If you had binlog enabled, you might still be able to salvage your data.

For personal use, just use SQLite. Back up the file; if it breaks, copy it back. No risk of getting hacked either.

Oh, okay, got it.

Apart from ports like 80 and 443, don't open anything else to the public internet unless it's necessary.
When you need one temporarily, open it; close it again as soon as you're done.

1 like

With Navicat you don't need to expose it publicly; just access it over an SSH tunnel.

1 like
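The "don't expose it, use an SSH tunnel" advice above and the Navicat reply just before this both come down to the same two steps: publish the container port on the loopback interface only (or not at all), and let clients reach it through `ssh -L`. The script below is an added example, not from the original thread or from Docker, MySQL or Navicat. It audits `docker ps --format '{{.Names}}\t{{.Ports}}'` output (the sample is constructed, not from the post) for database ports published on `0.0.0.0` or `::`, proposes the loopback-only mapping, and builds the matching ssh forwarding command; `vps.example` and the user name are placeholders.

```python
# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output (not from the post).
DOCKER_PS = """\
mysql\t0.0.0.0:3306->3306/tcp, :::3306->3306/tcp, 33060/tcp
new-api\t0.0.0.0:3000->3000/tcp, :::3000->3000/tcp
redis\t127.0.0.1:6379->6379/tcp
"""

# Container ports that should never be published on a public interface.
DB_PORTS = {3306, 33060, 5432, 6379, 27017}
# Host addresses that mean "every interface" in Docker's port listing.
PUBLIC_HOSTS = {"0.0.0.0", "::"}


def parse_ports(ports_field):
    """Yield (host_ip, host_port, container_port) for each published mapping in a Ports field."""
    for item in ports_field.split(","):
        item = item.strip()
        if "->" not in item:
            continue  # exposed but not published: not reachable from outside the Docker network
        left, right = item.split("->")
        host, _, hport = left.rpartition(":")  # handles ':::3306' (IPv6 any) as well as '0.0.0.0:3306'
        cport = right.split("/")[0]
        yield host, int(hport), int(cport)


def audit(docker_ps_output):
    """Return one finding per database port that is published on a public interface."""
    findings = []
    for line in docker_ps_output.splitlines():
        name, _, ports = line.partition("\t")
        for host, hport, cport in parse_ports(ports):
            if cport in DB_PORTS and host in PUBLIC_HOSTS:
                findings.append({
                    "container": name,
                    "host": host,
                    "port": hport,
                    # compose-style replacement that keeps the port reachable only on the VPS itself
                    "fix": f"127.0.0.1:{hport}:{cport}",
                })
    return findings


def ssh_tunnel_command(vps_host, ssh_user, local_port=3307, remote_port=3306):
    """Build the ssh invocation that forwards a local port to the database bound on the VPS loopback.

    -N: no remote command, just forwarding; -L: local port forward. The client then
    connects to 127.0.0.1:local_port exactly as it would to the remote database.
    """
    return f"ssh -N -L 127.0.0.1:{local_port}:127.0.0.1:{remote_port} {ssh_user}@{vps_host}"


if __name__ == "__main__":
    for f in audit(DOCKER_PS):
        print(f"{f['container']}: port {f['port']} published on {f['host']}; use ports: - \"{f['fix']}\"")
    print(ssh_tunnel_command("vps.example", "deploy"))
```

On the sample it flags the mysql container twice (IPv4 and IPv6 wildcard) and leaves redis alone because it is already loopback-bound. If New API and MySQL live in the same Docker network, the `ports:` entry for MySQL can be dropped entirely and New API reaches it by service name, which is what the "link" replies in this thread are getting at; the tunnel command is then only needed for your own Navicat sessions.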

I used to do it that way too. Link is safe and convenient at first, but if it can't be reached from the public internet, later maintenance gets a bit annoying. Best is still a strong password + a changed port.

Never seen this before, marking it.

For my remote databases, I always open access manually right before connecting and close it again when I'm done.