Re: mysql attack

From: Joel Esler (eslerj_at_gmail.com)
Date: 07/19/05

  • Next message: W. Guhan Iyer: "Re: mysql attack"
    Date: Tue, 19 Jul 2005 15:05:33 -0400
    To: Pall Thayer <pall@fa.is>
    
    

    Pall,

    "They" aren't targeting you. What I don't understand is why you are
    just now seeing it. I've been seeing attempts like this, probably 4
    or 5x a day for months.

    Joel

    On Jul 19, 2005, at 11:30 AM, Pall Thayer wrote:

    > Hi,
    > I don't know much about diagnosing attacks but am just wondering if
    > anyone has noticed something similar to what I'm seeing. For the past
    > three days, a computer with IP number 60.48.15.154 has been bombarding
    > my mysql server with connection attempts. None appear to be
    > successful.
    > I guess it's a brute force attempt but they're coming really fast and
    > from various different ports on the other side. Really strange.
    >
    > best r.
    > Pall Thayer
    >
    > I'm running Redhat 8 with mysql server 3.23.58. The mysql port is
    > open to the outside world for several reasons. I know this is a bit
    > of a no-no but that's just the way it is. I'm not really very
    > worried about these attacks being successful. The server is very
    > secure as far as passwords and limited users and services go but
    > I'm curious as to what is going on and why they're targeting me.
    >
    > Here's a tcpdump of the traffic on the mysql port:
    >
    > 15:22:18.297149 pallit.lhi.is.mysql > 60.48.15.154.2427: S
    > 3702188471:3702188471(0) ack 1223419901 win 5840 <mss
    > 1460,nop,nop,sackOK> (DF)
    > 15:22:18.297532 60.48.15.154.2253 > pallit.lhi.is.mysql: . ack 118
    > win 65419 (DF)
    > 15:22:18.726717 60.48.15.154.2427 > pallit.lhi.is.mysql: . ack 1
    > win 65535 (DF)
    > 15:22:18.727164 pallit.lhi.is.mysql > 60.48.15.154.2427: P 1:45(44)
    > ack 1 win 5840 (DF) [tos 0x8]
    > 15:22:19.155084 60.48.15.154.2427 > pallit.lhi.is.mysql: P 1:24(23)
    > ack 45 win 65491 (DF)
    > 15:22:19.155195 pallit.lhi.is.mysql > 60.48.15.154.2427: . ack 24
    > win 5840 (DF) [tos 0x8]
    > 15:22:19.155268 pallit.lhi.is.mysql > 60.48.15.154.2427: P 45:117
    > (72) ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:19.155281 pallit.lhi.is.mysql > 60.48.15.154.2427: F 117:117
    > (0) ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:19.583862 60.48.15.154.2427 > pallit.lhi.is.mysql: . ack 45
    > win 65491 <nop,nop,sack sack 1 {117:118} > (DF)
    > 15:22:19.584269 60.48.15.154.2427 > pallit.lhi.is.mysql: . ack 118
    > win 65419 (DF)
    > 15:22:19.585087 60.48.15.154.2427 > pallit.lhi.is.mysql: F 24:24(0)
    > ack 118 win 65419 (DF)
    > 15:22:19.585106 pallit.lhi.is.mysql > 60.48.15.154.2427: . ack 25
    > win 5840 (DF)
    > 15:22:19.585496 60.48.15.154.2587 > pallit.lhi.is.mysql: S
    > 1231026484:1231026484(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
    > 15:22:19.585520 pallit.lhi.is.mysql > 60.48.15.154.2587: S
    > 3754800534:3754800534(0) ack 1231026485 win 5840 <mss
    > 1460,nop,nop,sackOK> (DF)
    > 15:22:20.011001 60.48.15.154.2587 > pallit.lhi.is.mysql: . ack 1
    > win 65535 (DF)
    > 15:22:20.011445 pallit.lhi.is.mysql > 60.48.15.154.2587: P 1:45(44)
    > ack 1 win 5840 (DF) [tos 0x8]
    > 15:22:20.437733 60.48.15.154.2587 > pallit.lhi.is.mysql: P 1:24(23)
    > ack 45 win 65491 (DF)
    > 15:22:20.437840 pallit.lhi.is.mysql > 60.48.15.154.2587: . ack 24
    > win 5840 (DF) [tos 0x8]
    > 15:22:20.437909 pallit.lhi.is.mysql > 60.48.15.154.2587: P 45:117
    > (72) ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:20.437923 pallit.lhi.is.mysql > 60.48.15.154.2587: F 117:117
    > (0) ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:20.866508 60.48.15.154.2587 > pallit.lhi.is.mysql: F 24:24(0)
    > ack 117 win 65419 (DF)
    > 15:22:20.866537 pallit.lhi.is.mysql > 60.48.15.154.2587: . ack 25
    > win 5840 (DF) [tos 0x8]
    > 15:22:20.867327 60.48.15.154.2753 > pallit.lhi.is.mysql: S
    > 1239344205:1239344205(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
    > 15:22:20.867350 pallit.lhi.is.mysql > 60.48.15.154.2753: S
    > 3750552724:3750552724(0) ack 1239344206 win 5840 <mss
    > 1460,nop,nop,sackOK> (DF)
    > 15:22:20.867735 60.48.15.154.2587 > pallit.lhi.is.mysql: . ack 118
    > win 65419 (DF)
    > 15:22:21.293241 60.48.15.154.2753 > pallit.lhi.is.mysql: . ack 1
    > win 65535 (DF)
    > 15:22:21.296430 pallit.lhi.is.mysql > 60.48.15.154.2753: P 1:45(44)
    > ack 1 win 5840 (DF) [tos 0x8]
    > 15:22:21.722424 60.48.15.154.2753 > pallit.lhi.is.mysql: P 1:24(23)
    > ack 45 win 65491 (DF)
    > 15:22:21.722536 pallit.lhi.is.mysql > 60.48.15.154.2753: . ack 24
    > win 5840 (DF) [tos 0x8]
    > 15:22:21.722596 pallit.lhi.is.mysql > 60.48.15.154.2753: P 45:117
    > (72) ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:21.722608 pallit.lhi.is.mysql > 60.48.15.154.2753: F 117:117
    > (0) ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:22.149566 60.48.15.154.2753 > pallit.lhi.is.mysql: F 24:24(0)
    > ack 117 win 65419 (DF)
    > 15:22:22.149592 pallit.lhi.is.mysql > 60.48.15.154.2753: . ack 25
    > win 5840 (DF) [tos 0x8]
    > 15:22:22.150383 60.48.15.154.2916 > pallit.lhi.is.mysql: S
    > 1247383525:1247383525(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
    > 15:22:22.150405 pallit.lhi.is.mysql > 60.48.15.154.2916: S
    > 3758586043:3758586043(0) ack 1247383526 win 5840 <mss
    > 1460,nop,nop,sackOK> (DF)
    > 15:22:22.150792 60.48.15.154.2753 > pallit.lhi.is.mysql: . ack 117
    > win 65419 (DF)
    > 15:22:22.151609 60.48.15.154.2753 > pallit.lhi.is.mysql: . ack 118
    > win 65419 (DF)
    > 15:22:22.575890 60.48.15.154.2916 > pallit.lhi.is.mysql: . ack 1
    > win 65535 (DF)
    > 15:22:22.577559 pallit.lhi.is.mysql > 60.48.15.154.2916: P 1:45(44)
    > ack 1 win 5840 (DF) [tos 0x8]
    > 15:22:23.004256 60.48.15.154.2916 > pallit.lhi.is.mysql: P 1:24(23)
    > ack 45 win 65491 (DF)
    > 15:22:23.008453 pallit.lhi.is.mysql > 60.48.15.154.2916: . ack 24
    > win 5840 (DF) [tos 0x8]
    > 15:22:23.008531 pallit.lhi.is.mysql > 60.48.15.154.2916: P 45:117
    > (72) ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:23.008546 pallit.lhi.is.mysql > 60.48.15.154.2916: F 117:117
    > (0) ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:23.435485 60.48.15.154.2916 > pallit.lhi.is.mysql: F 24:24(0)
    > ack 117 win 65419 (DF)
    > 15:22:23.435518 pallit.lhi.is.mysql > 60.48.15.154.2916: . ack 25
    > win 5840 (DF) [tos 0x8]
    > 15:22:23.435893 60.48.15.154.3085 > pallit.lhi.is.mysql: S
    > 1255911271:1255911271(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
    > 15:22:23.435918 pallit.lhi.is.mysql > 60.48.15.154.3085: S
    > 3759630820:3759630820(0) ack 1255911272 win 5840 <mss
    > 1460,nop,nop,sackOK> (DF)
    > 15:22:23.437119 60.48.15.154.2916 > pallit.lhi.is.mysql: . ack 118
    > win 65419 (DF)
    > 15:22:23.861399 60.48.15.154.3085 > pallit.lhi.is.mysql: . ack 1
    > win 65535 (DF)
    > 15:22:23.861850 pallit.lhi.is.mysql > 60.48.15.154.3085: P 1:45(44)
    > ack 1 win 5840 (DF) [tos 0x8]
    > 15:22:24.288949 60.48.15.154.3085 > pallit.lhi.is.mysql: P 1:24(23)
    > ack 45 win 65491 (DF)
    > 15:22:24.289044 pallit.lhi.is.mysql > 60.48.15.154.3085: . ack 24
    > win 5840 (DF) [tos 0x8]
    > 15:22:24.289103 pallit.lhi.is.mysql > 60.48.15.154.3085: P 45:117
    > (72) ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:24.289118 pallit.lhi.is.mysql > 60.48.15.154.3085: F 117:117
    > (0) ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:24.715681 60.48.15.154.3085 > pallit.lhi.is.mysql: F 24:24(0)
    > ack 117 win 65419 (DF)
    > 15:22:24.715710 pallit.lhi.is.mysql > 60.48.15.154.3085: . ack 25
    > win 5840 (DF) [tos 0x8]
    > 15:22:24.716497 60.48.15.154.3249 > pallit.lhi.is.mysql: S
    > 1263954421:1263954421(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
    > 15:22:24.716526 pallit.lhi.is.mysql > 60.48.15.154.3249: S
    > 3752740473:3752740473(0) ack 1263954422 win 5840 <mss
    > 1460,nop,nop,sackOK> (DF)
    > 15:22:24.716906 60.48.15.154.3085 > pallit.lhi.is.mysql: . ack 118
    > win 65419 (DF)
    > 15:22:25.143231 60.48.15.154.3249 > pallit.lhi.is.mysql: . ack 1
    > win 65535 (DF)
    > 15:22:25.143963 pallit.lhi.is.mysql > 60.48.15.154.3249: P 1:45(44)
    > ack 1 win 5840 (DF) [tos 0x8]
    > 15:22:25.569966 60.48.15.154.3249 > pallit.lhi.is.mysql: P 1:24(23)
    > ack 45 win 65491 (DF)
    > 15:22:25.570068 pallit.lhi.is.mysql > 60.48.15.154.3249: . ack 24
    > win 5840 (DF) [tos 0x8]
    > 15:22:25.570146 pallit.lhi.is.mysql > 60.48.15.154.3249: P 45:117
    > (72) ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:25.570159 pallit.lhi.is.mysql > 60.48.15.154.3249: F 117:117
    > (0) ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:25.999147 60.48.15.154.3249 > pallit.lhi.is.mysql: F 24:24(0)
    > ack 117 win 65419 (DF)
    > 15:22:25.999173 pallit.lhi.is.mysql > 60.48.15.154.3249: . ack 25
    > win 5840 (DF) [tos 0x8]
    > 15:22:25.999963 60.48.15.154.3249 > pallit.lhi.is.mysql: . ack 118
    > win 65419 (DF)
    > 15:22:26.000372 60.48.15.154.3425 > pallit.lhi.is.mysql: S
    > 1272492900:1272492900(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
    > 15:22:26.000395 pallit.lhi.is.mysql > 60.48.15.154.3425: S
    > 3708372058:3708372058(0) ack 1272492901 win 5840 <mss
    > 1460,nop,nop,sackOK> (DF)
    > 15:22:26.430784 60.48.15.154.3425 > pallit.lhi.is.mysql: . ack 1
    > win 65535 (DF)
    > 15:22:26.431572 pallit.lhi.is.mysql > 60.48.15.154.3425: P 1:45(44)
    > ack 1 win 5840 (DF) [tos 0x8]
    > 15:22:26.857516 60.48.15.154.3425 > pallit.lhi.is.mysql: P 1:24(23)
    > ack 45 win 65491 (DF)
    > 15:22:26.859179 pallit.lhi.is.mysql > 60.48.15.154.3425: . ack 24
    > win 5840 (DF) [tos 0x8]
    > 15:22:26.859295 pallit.lhi.is.mysql > 60.48.15.154.3425: P 45:117
    > (72) ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:26.859307 pallit.lhi.is.mysql > 60.48.15.154.3425: F 117:117
    > (0) ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:27.285883 60.48.15.154.3425 > pallit.lhi.is.mysql: F 24:24(0)
    > ack 117 win 65419 (DF)
    > 15:22:27.285908 pallit.lhi.is.mysql > 60.48.15.154.3425: . ack 25
    > win 5840 (DF) [tos 0x8]
    > 15:22:27.286291 60.48.15.154.3425 > pallit.lhi.is.mysql: . ack 118
    > win 65419 (DF)
    > 15:22:27.286699 60.48.15.154.3591 > pallit.lhi.is.mysql: S
    > 1280677001:1280677001(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
    > 15:22:27.286723 pallit.lhi.is.mysql > 60.48.15.154.3591: S
    > 3762493586:3762493586(0) ack 1280677002 win 5840 <mss
    > 1460,nop,nop,sackOK> (DF)
    >
    >

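Reading the capture above: every connection from 60.48.15.154 is the same short exchange from a fresh client port roughly every 1.3 seconds. The server pushes 44 bytes first (MySQL is a server-speaks-first protocol, so that is the greeting), the client sends one 23-byte packet, the server answers with 72 bytes and immediately sends FIN. A server that hangs up straight after replying to the client's first packet has refused the login, which agrees with Pall's observation that none of the attempts succeed. The script below is an added example, not code from this thread or from MySQL: it parses tcpdump 3.x header-only lines in exactly the format quoted, classifies each connection by that close pattern, and flags any source host with several refused logins inside a sliding window. All sample lines are constructed to mirror the capture; the scanner's address and pallit.lhi.is come from the post, while the legitimate client 10.0.0.5, the 7-byte OK packet and the threshold of 5 refusals per 60 s are assumptions.

```python
"""Spot MySQL login brute-forcing in tcpdump 3.x header-only output (added
example, not from the thread; line format, the 44/23/72 payload sizes and the
names 60.48.15.154 / pallit.lhi.is come from the quoted capture)."""
import re
from collections import defaultdict

SERVICE = "mysql"          # tcpdump without -n prints the service name for 3306
SERVER = "pallit.lhi.is"   # the server in the post

# e.g. "15:22:19.585496 60.48.15.154.2587 > pallit.lhi.is.mysql: S 12:12(0) win ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\S+)\.(?P<sport>\S+) > (?P<dst>\S+)\.(?P<dport>\S+): "
    r"(?P<flags>[SFRP.]+)(?: \d+:\d+\((?P<len>\d+)\))?")

def parse_line(line):
    """(t_seconds, src, sport, dst, dport, flags, payload_len) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    h, mi, s = d["ts"].split(":")
    t = int(h) * 3600 + int(mi) * 60 + float(s)
    return t, d["src"], d["sport"], d["dst"], d["dport"], d["flags"], int(d["len"] or 0)

def group_flows(lines):
    """Bucket packets by (client_host, client_port) as (t, direction, flags, len)."""
    flows = defaultdict(list)
    for t, src, sport, dst, dport, flags, length in filter(None, map(parse_line, lines)):
        if dport == SERVICE:
            flows[(src, sport)].append((t, "c2s", flags, length))
        elif sport == SERVICE:
            flows[(dst, dport)].append((t, "s2c", flags, length))
    return flows

def classify_flow(packets):
    """'rejected', 'accepted' or 'incomplete'. MySQL speaks first (greeting), the
    client sends its auth packet, the server replies. Headers alone cannot show
    the 0xff error byte, so a refused login is the server closing right after
    that reply; a client that then gets to send a query was let in."""
    ev = [p for p in packets if p[3] > 0 or "F" in p[2]]
    if (len(ev) < 3 or [e[1] for e in ev[:3]] != ["s2c", "c2s", "s2c"]
            or min(e[3] for e in ev[:3]) == 0):
        return "incomplete"
    if "F" in ev[2][2]:                        # reply and FIN in one segment
        return "rejected"
    for _t, direction, flags, length in ev[3:]:
        if direction == "s2c" and "F" in flags:
            return "rejected"
        if direction == "c2s" and length > 0:
            return "accepted"
    return "incomplete"

def brute_force_sources(flows, threshold=5, window=60.0):
    """Hosts with >= threshold rejected logins inside some `window` seconds."""
    starts = defaultdict(list)
    for (host, _port), packets in flows.items():
        if classify_flow(packets) == "rejected":
            starts[host].append(min(p[0] for p in packets))
    hits = {}
    for host, times in starts.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):         # sliding window over start times
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[host] = best
    return hits

def synthetic_flow(t0, client, cport, rejected):
    """Constructed lines for one connection, shaped like the post's capture."""
    cli, srv = f"{client}.{cport}", f"{SERVER}.{SERVICE}"
    ts = lambda dt: f"15:22:{t0 + dt:09.6f}"
    lines = [f"{ts(0.0)} {cli} > {srv}: S 1000:1000(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)",
             f"{ts(0.0)} {srv} > {cli}: S 2000:2000(0) ack 1001 win 5840 <mss 1460,nop,nop,sackOK> (DF)",
             f"{ts(0.4)} {cli} > {srv}: . ack 1 win 65535 (DF)",
             f"{ts(0.4)} {srv} > {cli}: P 1:45(44) ack 1 win 5840 (DF)",       # greeting
             f"{ts(0.8)} {cli} > {srv}: P 1:24(23) ack 45 win 65491 (DF)"]     # auth packet
    if rejected:
        lines += [f"{ts(0.8)} {srv} > {cli}: P 45:117(72) ack 24 win 5840 (DF)",   # error reply
                  f"{ts(0.8)} {srv} > {cli}: F 117:117(0) ack 24 win 5840 (DF)",   # server hangs up
                  f"{ts(1.2)} {cli} > {srv}: F 24:24(0) ack 118 win 65419 (DF)"]
    else:
        lines += [f"{ts(0.8)} {srv} > {cli}: P 45:52(7) ack 24 win 5840 (DF)",     # OK packet (size assumed)
                  f"{ts(1.5)} {cli} > {srv}: P 24:40(16) ack 52 win 65491 (DF)"]   # first query
    return lines

# Six refused logins 1.3 s apart from the scanner (as in the capture) plus one
# normal session from a constructed legitimate client, 10.0.0.5.
SAMPLE = [l for i in range(6)
          for l in synthetic_flow(18.0 + 1.3 * i, "60.48.15.154", str(2427 + 160 * i), True)]
SAMPLE += synthetic_flow(19.0, "10.0.0.5", "41022", False)

def analyze(lines, threshold=5, window=60.0):
    flows = group_flows(lines)
    return {k: classify_flow(v) for k, v in flows.items()}, brute_force_sources(flows, threshold, window)
```

analyze(SAMPLE) reports the six scanner connections as rejected, the 10.0.0.5 session as accepted, and {'60.48.15.154': 6} as the only brute-force source. On a live box, feed the output of `tcpdump port 3306` (same line format on tcpdump 3.x; with -n the port prints as 3306 rather than mysql, so change SERVICE) into analyze() in batches. `tcpdump -X` would additionally show the payload, where a server reply whose first byte after the 4-byte packet header is 0xff is the error packet. A hit is a reasonable trigger for a firewall rule against that source, but the cleaner fix is the one Pall already acknowledges: not exposing the MySQL port to the whole Internet in the first place.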
