linux云服务器下mysql5.7被被攻击,删表,被勒索怎么办

问题描述：
以下数据库已被删除：efo, xxx。 我们有完整的备份。 要恢复它，您必须向我们的XXX地址bc1qvrgtzc06w2rjdfx8p9u789edw56dj8ffqvrcr5支付0.0075 BXX。 如果您需要证明，请通过以下…

清明小长假打算登上我的腾讯云服务器搞点事，结果发现我的项目数据库貌似连不上了？what？

拿出了我的Navicat用root用户，密码123456访问我的mysql，发现报1045，难道输错密码了？接连试了所有的密码，全部失败。

登陆服务器
查看mysql进程； ps -ef | grep mysql
结果如下图，并没有mysql的进程。

[root@VM-16-15-centos mysql-5.7.37-linux-glibc2.12-x86_64] ps -ef | grep mysql;
root       401 21612  0 11:14 pts/0    00:00:00 grep --color=auto mysql

1. 启动mysql； service mysql start

[root@VM-16-15-centos mysql-5.7.37-linux-glibc2.12-x86_64] service mysql start;
Starting MySQL. SUCCESS! 

[root@VM-16-15-centos mysql-5.7.37-linux-glibc2.12-x86_64] ps -ef | grep mysql
root       780     1  0 11:17 pts/0    00:00:00 /bin/sh /usr/local/mysql/mysql-5.7.37-linux-glibc2.12-x86_64/bin/mysqld_safe --datadir=/data/mysql --pid-file=/data/mysql/mysql.pid
mysql     1020   780  0 11:17 pts/0    00:00:00 /usr/local/mysql/mysql-5.7.37-linux-glibc2.12-x86_64/bin/mysqld --basedir=/usr/local/mysql/mysql-5.7.37-linux-glibc2.12-x86_64 --datadir=/data/mysql --plugin-dir=/usr/local/mysql/mysql-5.7.37-linux-glibc2.12-x86_64/lib/plugin --user=mysql --log-error=/var/log/mariadb/mariadb.log --pid-file=/data/mysql/mysql.pid --socket=/tmp/mysql.sock --port=3306

2. 登陆mysql

[root@VM-16-15-centos mysql-5.7.37-linux-glibc2.12-x86_64]# mysql -u root -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

报1045 (28000)

3. 使用skip-grant-tables跳过密码验证方式启动mysql；service mysql start --skip-grant-tables

[root@VM-16-15-centos mysql-5.7.37-linux-glibc2.12-x86_64] service mysql stop; #先关闭运行中的mysql服务
Shutting down MySQL.. SUCCESS! 
[root@VM-16-15-centos mysql-5.7.37-linux-glibc2.12-x86_64] service mysql start --skip-grant-tables
Starting MySQL. SUCCESS! 

4. 登陆mysql；mysql -u root -p；密码随便输入回车

[root@VM-16-15-centos mysql-5.7.37-linux-glibc2.12-x86_64] mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.7.37 MySQL Community Server (GPL)

Copyright (c) 2000, 2022, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

5. 查看mysql系统的user表，检查用户是否正常

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select user,authentication_string from user;
+---------------+-------------------------------------------+
| user          | authentication_string                     |
+---------------+-------------------------------------------+
| mysql.session | *THISISNOTAVALIDPASSWOR99HATCANBE0SEDHERE |
| mysql.sys     | *THISISNOTAVALIDPASSW8RDTHATCANBE7SEDHERE |
| mysqld        | *83D34C89B8E0F100D5476D9276D357DB4378779F |
+---------------+-------------------------------------------+
3 rows in set (0.00 sec)

mysql> 

发现并没有root用户，也被删了！
这时候用Navicat连接上数据库，给我惊呆了！

6. 添加root用户
   如报–skip-grant-tables 错误，则使用flush privileges；刷新内存权限即可。

mysql>  grant all privileges on *.* to 'root'@'localhost' identified by '12fre56huop&A2';
ERROR 1290 (HY000): The MySQL server is running with the --skip-grant-tables option so it cannot execute this statement
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> grant all privileges on *.* to 'root'@'localhost' identified by '12fre56huop&A2';
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> 

这时候也查到root用户了

mysql> select user,authentication_string from user;
+---------------+-------------------------------------------+
| user          | authentication_string                     |
+---------------+-------------------------------------------+
| mysql.session | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| mysql.sys     | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| root          | *3B29E00DDA244F88EFCFCC3D2023439E848EE5F3 |
| mysqld        | *83D24C49B8E0F100D54C6D9274D357DB43E8779F |
+---------------+-------------------------------------------+
6 rows in set (0.00 sec)

mysql> 

7. 给root用户添加远程访问权限
   更新user表host字段，刷新权限内存。
   host='%'代表运行所有ip进行远程连接，host=‘xxx.xx.x.xx’ 运行ip:xxx.xx.x.xx 连接

mysql> select user,host from user;
+---------------+-----------+
| user          | host      |
+---------------+-----------+
| mysqld        | %         |
| mysql.session | localhost |
| mysql.sys     | localhost |
| root          | localhost |
+---------------+-----------+
4 rows in set (0.00 sec)

mysql> update user set host='%' where user='root';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

mysql> select user,host from user;
+---------------+-----------+
| user          | host      |
+---------------+-----------+
| mysqld        | %         |
| root          | %         |
| mysql.session | localhost |
| mysql.sys     | localhost |
+---------------+-----------+
 rows in set (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> 

8. 到这基本上大功告成了，如果有数据需要恢复的话，可以通过bin log日志来恢复，或者从库。

linux系统中给mysql配置环境变量

修改配置文件

vim /etc/profile

输入环境变量配置

MYSQL_HOME=/usr/local/mysql/mysql-5.7.37-linux-glibc2.12-x86_64 #安装路径

export PATH=PATH=$PATH:$MYSQL_HOME/bin

export PATH MYSQL_HOME

如图即可：

重新加载配置文件

source /etc/profile

这样就可以在任何地方进入数据库，不用到数据库bin目录下了

mysql -u root -p