当前位置:网站首页>The MySQL database in Alibaba cloud was attacked, and finally the data was found
The MySQL database in Alibaba cloud was attacked, and finally the data was found
2022-07-07 01:09:00 【I pretend to be strong】
Introduce
When I posted my website yesterday , I found that I couldn't go up , Because it uses springboot Written , Stored in Alibaba cloud lightweight ECS , So I went backstage to check the log , I found that I couldn't find the data .
At this time, it was found that there was a problem with the database , Then I opened my own remote database through graphical tools , I found that all the databases I built were missing , I checked for a long time and didn't find out what was going on , At this time, I found Alibaba's customer service after being reminded by others , They assigned me engineers , The engineer helped me determine the scope of the investigation
Finally, it was found by checking the binary file that it was attacked by foreign hackers
The following words probably mean to let me spend money to buy back the data, or sell my data , Fortunately, data is not very important .
And deleted all my databases
mysql Configuration of
mysql5.6.46 In Alibaba cloud server mysql database , It has been used for less than a year
binlog
What is? binlog
In simple terms , In fact, it is a log that records all addition, deletion and modification operations . We can recover the misoperated data through it , Of course, it can also be used to synchronize master-slave databases .
binlog Three models of :
①statement: Record every piece of modified data sql.
advantage : The log file is small , save io operation , Good performance .
shortcoming : Only record execution statements , Therefore, it is also necessary to ensure that the same results are obtained in the master-slave execution . So the accuracy is poor .
②row: Save which record has been modified .
advantage : It's accurate .
shortcoming : The log file is large .
③mixed: Take into account the advantages of the first two .( I belong to this )
Actual operation :
① see binlog Has it been turned on : If it's not turned on , It's completely cool , There is little chance of recovery , But you can find an attacker to buy back the data
stay mysql Enter command in :SHOW VARIABLES LIKE ‘log_bin’; As shown below
You can see Value
yes ON
If it's not turned on , You can refer to the following article ,
https://blog.csdn.net/qq_21996541/article/details/107280382
You can also use fuzzy query , See more information
③ see binlog journal :
Through the command :SHOW MASTER STATUS
; You can check which log file is currently in ,
Through the command :FLUSH LOGS;
Log files can be truncated , Redirect to a new log file , When we are actually operating , Every operation binlog Before recovery , You need to execute this command , It can ensure that the previous log file will not have new logs in this file , Impact recovery .
There will be another one when you check again after execution
then , According to the order :show variables like ‘%datadir%’; Find the path where these log files are saved
We're on the server ,cd Go to this directory , These files do exist . But these files are binary files , use cat/vi These commands cannot be viewed normally .
We need our mysqlbinlog This order is on the stage ,
First , We enter the command in the server :mysqlbinlog /www/serverl/data/mysql-bin.000020;
If you enter the above command and an error is reported , You can enter the following command
Enter the command :mysqlbinlog --no-defaults /www/server/data/mysql-bin.000020; You can see the following file information .
However, we can also mysql Enter command in :SHOW BINLOG EVENTS IN 'mysql-bin.000020';
In this way, you can also see binlog Some events recorded in :
among ,server_id =1, Because we didn't set up , It means the default host ,Pos What I understand is an offset pointer , It is similar to a time node , What operations have been completed at this time node .event_type It means the event type ,xid Business ,query Inquire about ,write rows Means insert data ,delete_rows Delete data , It's easy to recognize .
④ adopt binlog Data recovery :
By looking at , I found my data base in mysql-bin.000010
In this binary file
In this file, you can clearly see that the last operation time before my database was deleted is 7 month 2 Number 10:35:34
The time before deleting the database is 7 month 3 Number 0:20:06, It didn't stop until one o'clock .
Ah , flowers 40 Attack a useless database for more than minutes , I feel a little unworthy , And it's still in the middle of the night .
You can see the name of the deleted database , Yes 8 A database , But for me , The more important one is , A few are built during normal testing , There are few data in it ,
Just for the most important , I must get it back , As long as there is a trace .
Because for me, what is more important is a database , There are no other data , Not very important , All are restored by restoring the specified database .
Generate by the following command sql
file , And then through sql File for recovery
mysqlbinlog --no-defaults --database=xiaochengxu_ks --skip-gtids --stop-position=410161 /www/server/data/mysql-bin.000010 > /xiaochengxu_ks.sql
among xiaochengxu_ks
Is the name of the database you want to recover --stop-position=410161
The position before the deleted database corresponds to at Number followed by
/www/server/data/mysql-bin.000010
The specific location of the binary file /xiaochengxu_ks.sql
Generated from binary files sql
The location of the file
Generate corresponding sql The file is under the change directory
stay MySQL The client command line enters xaiochengxu_ks database , perform source /xiaochengxu_ks.sql Just restore the data .
You can also set the start and end points , But I don't think it's necessary , Through or through time interval
- Start locator
mysqlbinlog --start-position=249 binlog.000006 - End locator
mysqlbinlog --stop-position=249 binlog.000006
summary
I used to think that network security is not very important , That's because it didn't happen to me , These days, I feel its extremely important , Swear to pay attention to network security in the future , At the same time, strengthen your own examples , Avoid recurrence
边栏推荐
猜你喜欢
界面控件DevExpress WinForms皮肤编辑器的这个补丁,你了解了吗?
Activereportsjs 3.1 Chinese version | | | activereportsjs 3.1 English version
[Niuke] [noip2015] jumping stone
[Niuke classic question 01] bit operation
Dell Notebook Periodic Flash Screen Fault
Periodic flash screen failure of Dell notebook
资产安全问题或制约加密行业发展 风控+合规成为平台破局关键
动态规划思想《从入门到放弃》
随时随地查看远程试验数据与记录——IPEhub2与IPEmotion APP
重上吹麻滩——段芝堂创始人翟立冬游记
随机推荐
《安富莱嵌入式周报》第272期:2022.06.27--2022.07.03
随时随地查看远程试验数据与记录——IPEhub2与IPEmotion APP
Atomic in golang and CAS operations
实现mysql与ES的增量数据同步
OSPF configuration command of Huawei equipment
Chenglian premium products has completed the first step to enter the international capital market by taking shares in halber international
"Exquisite store manager" youth entrepreneurship incubation camp - the first phase of Shunde market has been successfully completed!
Tensorflow 1.14 specify GPU running settings
MySQL中回表的代价
Address information parsing in one line of code
fastDFS数据迁移操作记录
[Niuke classic question 01] bit operation
[100 cases of JVM tuning practice] 05 - Method area tuning practice (Part 2)
The printf function is realized through the serial port, and the serial port data reception is realized by interrupt
[batch dos-cmd command - summary and summary] - jump, cycle, condition commands (goto, errorlevel, if, for [read, segment, extract string]), CMD command error summary, CMD error
C# 计算农历日期方法 2022
How to get started and improve test development?
Pytorch中torch和torchvision的安装
Grc: personal information protection law, personal privacy, corporate risk compliance governance
第七篇,STM32串口通信编程