MYSQL Watcher v2

#NoTrayIcon
#include <File.au3>
#include <Array.au3>
#include <String.au3>

#cs

I'm simple MYSQL Server watcher.V2
1)Added logging (default will create logs directory on the same dir with [SELF].exe)
2)More clear way to kill Command: QUERY (ignoring Sleep state)
3) Added Autostart Option.
Uses:(Hardcoded)
Default: MYSQL Server Host: 127.0.0.1
Default: MYSQL Server port: 3306
NOTE*: It will also KILL Persistent connections to MYSQL Server.


Log file format will be:     [*Which is usefull for investigating things*]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ BEOF LOG FILE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

####################################################################################################
Possible DOS Attack Against MYSQL Server [Prevented]
Attack Prevented on: 17:43:48:421 19/02/2012
Attack Duration: 43 seconds
Command: Query
     db: somegranteddatabase
   Host: 192.168.0.15:1075
   User: malicioususer
     Id: 237
   Time: 41
  State: executing
   Info: select benchmark(9999999999999999999999,repeat('AAAAAAAAAAAAAAAAAAAA',100))
####################################################################################################


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ EOF LOG FILE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


My goal is to monitor mysql server for malicious queries which sits more than 10 seconds + which can cause Denial of Service
(In eg: High CPU Load,High Memory Load etc.)
(IN eg:         select benchmark(500000000005,'!AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');    )
I'm a Autoitscript file.
(For compile http://autoitscript.com/)
You can compile me to standalaone executable (x64 && x86).
And you can use me on your server.
But always make sure i'm not world readable or writeable plus is not spoofable by users.
Finally i'm For Windows OS.
No need to add me to task scheduler just Add me to Autostart i will loop every 12 seconds and monitor mysql server for
malicious SQL statements (assuming Denial of Service) and i will kill it for you.

I'm from Scratch and a bit lame :)

Tested on: MYSQL Server 5.5.17 Win (32bit)

1329657145

Sorry for my English(not native)

Author: kuku kuku

http://forums.mysql.com/read.php?35,516054,516054#msg-516054

#ce


Dim $myarr; do not remove.


;######################################### SPECIFY VALID MYSQL ROOT PASSWORD AND COMPILE ME. ##################################


$mysqlrootuser='root'; //root user name
$mysqlrootpsswd='YOUR_PASSWORD_GOES_HERE';// root password


$makeautostart=0; // default value=0       (zero)
#cs

$makeautostart is for autostart of application when user logs in.
Possible values:
0     Do not start application when user logs in to system.(You need o start mysqlwatcher manually)
1     Means start application when user logs in.(Automatically)

                         *FOR HIGH SECURITY(i know it is illusion) (IT IS RECOMENDED) TO INSTALL YOUR MYSQL SERVER ON ANOTHER BOX.*
 WHICH WILL PREVENT STEALING OF YOUR APPLICATION(i assume will prevent from Reverce code Engineering-because mysqlwatcher contains MYSQL server root password!)
Here is how i'm doing it:

192.168.0.1 (MYSQL SERVER INSTALLED HERE) and my mysql watcher runs there(it is not connected to internet)(internal network)

192.168.0.15 (Apache+PHP+FTP+MAIL SERVER) installed here + with Software restriction policy(Obviously it is connected to internet)

Using this way you can secure your MYSQL SERVER + mysql watcher from *UNO's* xD)

#ce


;#############################################################################################################################


$killifexceeds=10; seconds  (If query sits on MYSQL server more than 10 (ten seconds) killing it //default value=10 seconds
$sleepinloop=12;   seconds //This is a main loop sleep time.DO not specify it to 0 (zero).Otherwise you can get HIGH CPU LOAD!!!! //defaut value=12 seconds


;############################################## DO nOT CHANGE ANYTHING BELOW ################################################

MsgBox(64,"Info","Running MYSQL Server Watcher V2!",2);no need to click "OK" button.It has timeout value 2 seconds(Which means it will disappear after 2 seconds)


$autostartkey="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
$valuename="mysqlwatcherv2"
$type="REG_SZ"
$self=@ScriptFullPath


if $makeautostart=1 Then
    RegWrite($autostartkey,$valuename,$type,$self)
Else
    RegDelete($autostartkey,$valuename)
    EndIf


While 1 ;getting to loop
    if not FileExists(@ScriptDir&"\logs\") Then ; checking if logs directory exists.If it is not exists creating it (We need to keep our log files there)
        DirCreate(@ScriptDir&"\logs\");creating it
        EndIf
    Sleep($sleepinloop * 1000) ; sleeping every 12 seconds // 1 second=1k milliseconds

$statement='mysql -bA -h 127.0.0.1 -u' & $mysqlrootuser & ' -p' & $mysqlrootpsswd  & ' -e "show full processlist\G"'
;our statement
if FileExists(@ScriptDir&"\data.ini") Then FileSetAttrib(@ScriptDir&"\data.ini","-RASHNOT",1)
Runwait(@ComSpec & " /c " & $statement & '>data.ini',@ScriptDir,@SW_HIDE)
;executing mysql client from command line of OS
Sleep(1000) ;sleeping 1 second(for filewrite if server high overloaded)

_FileReadToArray(@ScriptDir &"\data.ini",$myarr) ;reading temp file to array
if @error Then
    MsgBox(48,"Boo Boo:(","Unable to read temporary data.ini file (Will be created runtime)" & @CRLF & "Please make sure i'm in writable directory" & @CRLF & _
    "Going to Restart Application.Please Wait...",20)
    Run(@ComSpec & " /c " & '"' & @ScriptFullPath & '"',@ScriptDir,@SW_HIDE)
    if FileExists(@ScriptDir&"\data.ini") Then FileSetAttrib(@ScriptDir&"\data.ini","-RASHNOT",1)
    FileDelete(@ScriptDir &"\data.ini"); deleting of our "temporary file"
    ; if any error occurs will launch new instance of application then exit from 1'st application.(i assume self exit)
    Exit
    Exit
    EndIf

if FileExists(@ScriptDir&"\data.ini") Then FileSetAttrib(@ScriptDir&"\data.ini","-RASHNOT",1)
FileDelete(@ScriptDir &"\data.ini"); deleting of our "temporary file"


for $i=0 To $myarr[0] ;going to enumerate array elements

if StringMid($myarr[$i],1,8)="   Time:" Then ; searching for time
    if StringMid($myarr[$i],9,-1) >=$killifexceeds And $myarr[$i-1]='Command: Query' Then ;comparing it plus ignoring sleep state.Accepting only query-es
Runwait(@ComSpec & " /c " & 'mysql -bA -h 127.0.0.1 -u' & $mysqlrootuser & ' -p' & $mysqlrootpsswd & ' -e '  & '"kill ' & _
StringMid(StringStripWS($myarr[$i-5],8),4,-1) & '"',@ScriptDir,@SW_HIDE)
;and finally killing "malicious" query which sits more than 10 seconds.

Beep(1500,1200); Generating "beep" signal which means possible attack prevented against mysql server.

;######################################                LOGGING        ####################################################################################
FileWrite(@ScriptDir&"\logs\"&@MSEC & '_' &@SEC & '_' & @MIN &  '_'& @HOUR & ' ' & @MDAY & '_' & @MON & '_' & @YEAR & '.txt',@CRLF & _
_StringRepeat('#',100) & @CRLF & _
'Possible DOS Attack Against MYSQL Server [Prevented]' & @CRLF & _
'Attack Prevented on: ' & @HOUR & ':' &@MIN  & ':' &@SEC  & ':' & @MSEC &  ' ' & @MDAY & '/' & @MON & '/' & @YEAR & @CRLF &  _
'Attack Duration:' & StringMid($myarr[$i],9,-1) & ' seconds' & @CRLF & _
$myarr[$i-1] & @CRLF & $myarr[$i-2] & @CRLF & $myarr[$i-3] & @CRLF & $myarr[$i-4] & @CRLF & $myarr[$i-5] & @CRLF & $myarr[$i] & @CRLF & _
$myarr[$i+1] & @CRLF & $myarr[$i+2] & @CRLF & _StringRepeat('#',100))
;logging to log file
;#########################################################################################################################################################


        EndIf

EndIf

Next


WEnd