SHARE
TWEET

MYSQL Watcher v2

a guest Feb 19th, 2012 273 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #NoTrayIcon
  2. #include <File.au3>
  3. #include <Array.au3>
  4. #include <String.au3>
  5.  
  6. #cs
  7.  
  8. I'm simple MYSQL Server watcher.V2
  9. 1)Added logging (default will create logs directory on the same dir with [SELF].exe)
  10. 2)More clear way to kill Command: QUERY (ignoring Sleep state)
  11. 3) Added Autostart Option.
  12. Uses:(Hardcoded)
  13. Default: MYSQL Server Host: 127.0.0.1
  14. Default: MYSQL Server port: 3306
  15. NOTE*: It will also KILL Persistent connections to MYSQL Server.
  16.  
  17.  
  18. Log file format will be:     [*Which is usefull for investigating things*]
  19.  
  20. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ BEOF LOG FILE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  21.  
  22. ####################################################################################################
  23. Possible DOS Attack Against MYSQL Server [Prevented]
  24. Attack Prevented on: 17:43:48:421 19/02/2012
  25. Attack Duration: 43 seconds
  26. Command: Query
  27.      db: somegranteddatabase
  28.    Host: 192.168.0.15:1075
  29.    User: malicioususer
  30.      Id: 237
  31.    Time: 41
  32.   State: executing
  33.    Info: select benchmark(9999999999999999999999,repeat('AAAAAAAAAAAAAAAAAAAA',100))
  34. ####################################################################################################
  35.  
  36.  
  37. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ EOF LOG FILE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  38.  
  39.  
  40. My goal is to monitor mysql server for malicious queries which sits more than 10 seconds + which can cause Denial of Service
  41. (In eg: High CPU Load,High Memory Load etc.)
  42. (IN eg:         select benchmark(500000000005,'!AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');    )
  43. I'm a Autoitscript file.
  44. (For compile http://autoitscript.com/)
  45. You can compile me to standalaone executable (x64 && x86).
  46. And you can use me on your server.
  47. But always make sure i'm not world readable or writeable plus is not spoofable by users.
  48. Finally i'm For Windows OS.
  49. No need to add me to task scheduler just Add me to Autostart i will loop every 12 seconds and monitor mysql server for
  50. malicious SQL statements (assuming Denial of Service) and i will kill it for you.
  51.  
  52. I'm from Scratch and a bit lame :)
  53.  
  54. Tested on: MYSQL Server 5.5.17 Win (32bit)
  55.  
  56. 1329657145
  57.  
  58. Sorry for my English(not native)
  59.  
  60. Author: kuku kuku
  61.  
  62. http://forums.mysql.com/read.php?35,516054,516054#msg-516054
  63.  
  64. #ce
  65.  
  66.  
  67.  
  68.  
  69. Dim $myarr; do not remove.
  70.  
  71.  
  72. ;######################################### SPECIFY VALID MYSQL ROOT PASSWORD AND COMPILE ME. ##################################
  73.  
  74.  
  75. $mysqlrootuser='root'; //root user name
  76. $mysqlrootpsswd='YOUR_PASSWORD_GOES_HERE';// root password
  77.  
  78.  
  79.  
  80. $makeautostart=0; // default value=0       (zero)
  81. #cs
  82.  
  83. $makeautostart is for autostart of application when user logs in.
  84. Possible values:
  85. 0     Do not start application when user logs in to system.(You need o start mysqlwatcher manually)
  86. 1     Means start application when user logs in.(Automatically)
  87.  
  88.                          *FOR HIGH SECURITY(i know it is illusion) (IT IS RECOMENDED) TO INSTALL YOUR MYSQL SERVER ON ANOTHER BOX.*
  89.  WHICH WILL PREVENT STEALING OF YOUR APPLICATION(i assume will prevent from Reverce code Engineering-because mysqlwatcher contains MYSQL server root password!)
  90. Here is how i'm doing it:
  91.  
  92. 192.168.0.1 (MYSQL SERVER INSTALLED HERE) and my mysql watcher runs there(it is not connected to internet)(internal network)
  93.  
  94. 192.168.0.15 (Apache+PHP+FTP+MAIL SERVER) installed here + with Software restriction policy(Obviously it is connected to internet)
  95.  
  96. Using this way you can secure your MYSQL SERVER + mysql watcher from *UNO's* xD)
  97.  
  98. #ce
  99.  
  100.  
  101. ;#############################################################################################################################
  102.  
  103.  
  104. $killifexceeds=10; seconds  (If query sits on MYSQL server more than 10 (ten seconds) killing it //default value=10 seconds
  105. $sleepinloop=12;   seconds //This is a main loop sleep time.DO not specify it to 0 (zero).Otherwise you can get HIGH CPU LOAD!!!! //defaut value=12 seconds
  106.  
  107.  
  108.  
  109. ;############################################## DO nOT CHANGE ANYTHING BELOW ################################################
  110.  
  111. MsgBox(64,"Info","Running MYSQL Server Watcher V2!",2);no need to click "OK" button.It has timeout value 2 seconds(Which means it will disappear after 2 seconds)
  112.  
  113.  
  114. $autostartkey="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
  115. $valuename="mysqlwatcherv2"
  116. $type="REG_SZ"
  117. $self=@ScriptFullPath
  118.  
  119.  
  120. if $makeautostart=1 Then
  121.         RegWrite($autostartkey,$valuename,$type,$self)
  122. Else
  123.         RegDelete($autostartkey,$valuename)
  124.         EndIf
  125.  
  126.  
  127. While 1 ;getting to loop
  128.         if not FileExists(@ScriptDir&"\logs\") Then ; checking if logs directory exists.If it is not exists creating it (We need to keep our log files there)
  129.                 DirCreate(@ScriptDir&"\logs\");creating it
  130.                 EndIf
  131.         Sleep($sleepinloop * 1000) ; sleeping every 12 seconds // 1 second=1k milliseconds
  132.  
  133. $statement='mysql -bA -h 127.0.0.1 -u' & $mysqlrootuser & ' -p' & $mysqlrootpsswd  & ' -e "show full processlist\G"'
  134. ;our statement
  135. if FileExists(@ScriptDir&"\data.ini") Then FileSetAttrib(@ScriptDir&"\data.ini","-RASHNOT",1)
  136. Runwait(@ComSpec & " /c " & $statement & '>data.ini',@ScriptDir,@SW_HIDE)
  137. ;executing mysql client from command line of OS
  138. Sleep(1000) ;sleeping 1 second(for filewrite if server high overloaded)
  139.  
  140. _FileReadToArray(@ScriptDir &"\data.ini",$myarr) ;reading temp file to array
  141. if @error Then
  142.         MsgBox(48,"Boo Boo:(","Unable to read temporary data.ini file (Will be created runtime)" & @CRLF & "Please make sure i'm in writable directory" & @CRLF & _
  143.         "Going to Restart Application.Please Wait...",20)
  144.         Run(@ComSpec & " /c " & '"' & @ScriptFullPath & '"',@ScriptDir,@SW_HIDE)
  145.         if FileExists(@ScriptDir&"\data.ini") Then FileSetAttrib(@ScriptDir&"\data.ini","-RASHNOT",1)
  146.         FileDelete(@ScriptDir &"\data.ini"); deleting of our "temporary file"
  147.         ; if any error occurs will launch new instance of application then exit from 1'st application.(i assume self exit)
  148.         Exit
  149.         Exit
  150.         EndIf
  151.  
  152. if FileExists(@ScriptDir&"\data.ini") Then FileSetAttrib(@ScriptDir&"\data.ini","-RASHNOT",1)
  153. FileDelete(@ScriptDir &"\data.ini"); deleting of our "temporary file"
  154.  
  155.  
  156.  
  157. for $i=0 To $myarr[0] ;going to enumerate array elements
  158.  
  159. if StringMid($myarr[$i],1,8)="   Time:" Then ; searching for time
  160.         if StringMid($myarr[$i],9,-1) >=$killifexceeds And $myarr[$i-1]='Command: Query' Then ;comparing it plus ignoring sleep state.Accepting only query-es
  161. Runwait(@ComSpec & " /c " & 'mysql -bA -h 127.0.0.1 -u' & $mysqlrootuser & ' -p' & $mysqlrootpsswd & ' -e '  & '"kill ' & _
  162. StringMid(StringStripWS($myarr[$i-5],8),4,-1) & '"',@ScriptDir,@SW_HIDE)
  163. ;and finally killing "malicious" query which sits more than 10 seconds.
  164.  
  165. Beep(1500,1200); Generating "beep" signal which means possible attack prevented against mysql server.
  166.  
  167. ;######################################                LOGGING        ####################################################################################
  168. FileWrite(@ScriptDir&"\logs\"&@MSEC & '_' &@SEC & '_' & @MIN &  '_'& @HOUR & ' ' & @MDAY & '_' & @MON & '_' & @YEAR & '.txt',@CRLF & _
  169. _StringRepeat('#',100) & @CRLF & _
  170. 'Possible DOS Attack Against MYSQL Server [Prevented]' & @CRLF & _
  171. 'Attack Prevented on: ' & @HOUR & ':' &@MIN  & ':' &@SEC  & ':' & @MSEC &  ' ' & @MDAY & '/' & @MON & '/' & @YEAR & @CRLF &  _
  172. 'Attack Duration:' & StringMid($myarr[$i],9,-1) & ' seconds' & @CRLF & _
  173. $myarr[$i-1] & @CRLF & $myarr[$i-2] & @CRLF & $myarr[$i-3] & @CRLF & $myarr[$i-4] & @CRLF & $myarr[$i-5] & @CRLF & $myarr[$i] & @CRLF & _
  174. $myarr[$i+1] & @CRLF & $myarr[$i+2] & @CRLF & _StringRepeat('#',100))
  175. ;logging to log file
  176. ;#########################################################################################################################################################
  177.  
  178.  
  179.                 EndIf
  180.  
  181. EndIf
  182.  
  183. Next
  184.  
  185.  
  186.  
  187. WEnd
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top