Our production xxl-job server does not expose any ports to the outside, yet a DELETE was executed using the xxl database account.
This xxl database account is used only by the xxl-java service.
Below is the database audit log:
{"msg-type":"activity","date":"1681272724360","thread-id":"652396","query-id":"1837586825","user":"","priv_user":"","ip":"10.********","host":"jyb-xxl-job.asia-east2-a.c.test-302305.internal","_os":"Windows","_client_name":"libmariadb","_pid":"13172","_thread":"11972","_platform":"AMD64","_client_version":"3.2.3","_server_host":"10.170.15.196","rows":"1","status":"0","cmd":"delete","objects":[{"db":"pay-manager","name":"operator_interface_log","obj_type":"TABLE"}],"query":"DELETE FROM pay-manager.operator_interface_log WHERE id = 84137"}
The log shows that the connecting system is Windows, but the server where the xxl .jar is deployed is Linux. The IP connecting to the database is the xxl server's IP, but the operating system recorded in the audit log is Windows.
We use Google Cloud servers; I also went through the history of IP allowlisting and port-opening operations, and there was nothing abnormal.
If there is anything you need me to provide for the investigation, I can supply the relevant data. How should this be investigated?
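One way to triage audit entries like the one above, as an added example that is not from the original post: it parses JSON-per-line audit records and flags sessions whose connection attributes (_os, _client_name) contradict what is known about the host, plus destructive statements and empty user fields. The baseline values (host marker, expected OS, expected driver) are assumptions standing in for what the operator knows about their deployment.

```python
import json
# Constructed baseline for the xxl-job service account: what a session from the
# Linux xxl-job host should look like. These are assumptions standing in for what
# the operator knows about their own deployment.
BASELINE = {
    "host_marker": "jyb-xxl-job",               # substring of the audit 'host' field
    "expected_os": "Linux",
    "expected_clients": {"MySQL Connector/J"},  # hypothetical driver for a Java service
}
DESTRUCTIVE = {"delete", "drop", "truncate", "update"}

def check_entry(entry, baseline=BASELINE):
    """Return findings for one parsed audit entry (empty list = nothing odd)."""
    findings = []
    if not entry.get("user") and not entry.get("priv_user"):
        findings.append("empty user/priv_user on a session that ran a statement")
    if baseline["host_marker"] in entry.get("host", ""):
        if entry.get("_os") != baseline["expected_os"]:
            findings.append(f"_os={entry.get('_os')!r} but this host should report {baseline['expected_os']}")
        if entry.get("_client_name") not in baseline["expected_clients"]:
            findings.append(f"_client_name={entry.get('_client_name')!r} is not an expected driver here")
    cmd = entry.get("cmd", "").lower()
    if cmd in DESTRUCTIVE:
        tables = ", ".join(f"{o.get('db')}.{o.get('name')}" for o in entry.get("objects", []))
        findings.append(f"{cmd} on {tables} (rows={entry.get('rows')})")
    return findings

def scan(lines, baseline=BASELINE):
    """Parse JSON-per-line audit records; return [(query-id, findings)] for flagged ones."""
    flagged = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            flagged.append(("unparsed", [f"malformed audit line: {line[:60]}"]))
            continue
        findings = check_entry(entry, baseline)
        if findings:
            flagged.append((entry.get("query-id"), findings))
    return flagged

# Constructed sample: the entry quoted in the post plus one baseline-conforming SELECT.
SAMPLE = """
{"msg-type":"activity","date":"1681272724360","thread-id":"652396","query-id":"1837586825","user":"","priv_user":"","ip":"10.********","host":"jyb-xxl-job.asia-east2-a.c.test-302305.internal","_os":"Windows","_client_name":"libmariadb","_pid":"13172","_thread":"11972","_platform":"AMD64","_client_version":"3.2.3","_server_host":"10.170.15.196","rows":"1","status":"0","cmd":"delete","objects":[{"db":"pay-manager","name":"operator_interface_log","obj_type":"TABLE"}],"query":"DELETE FROM pay-manager.operator_interface_log WHERE id = 84137"}
{"msg-type":"activity","query-id":"1","user":"xxl","priv_user":"xxl","host":"jyb-xxl-job.asia-east2-a.c.test-302305.internal","_os":"Linux","_client_name":"MySQL Connector/J","rows":"1","cmd":"select","objects":[{"db":"xxl_job","name":"xxl_job_info","obj_type":"TABLE"}],"query":"SELECT 1"}
"""
```

Running `scan(SAMPLE.splitlines())` flags only the DELETE session, reporting the empty user, the Windows/libmariadb mismatch, and the destructive statement, which is the short list of facts worth taking to the next step of the investigation.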