Re: mysql attack

From: W. Guhan Iyer (guhan777_at_yahoo.com)
Date: 07/19/05

    Date: Tue, 19 Jul 2005 12:26:33 -0700 (PDT)
    To: Pall Thayer <pall@fa.is>, incidents@securityfocus.com
    
    

    Greetings,

    It would help if you could post some of the actual
    packet data using a tool like tcpdump, so the exact
    attack can be identified.

    I would suspect they are attempting to exploit a
    vulnerability associated with that version:
    http://www.saintcorporation.com/cgi-bin/demo_tut.pl?tutorial_name=MySQL_vulnerabilities.html&fact_color=doc&tag=

    In the meantime, since this traffic is coming from
    only one IP, you can use iptables to block access to
    your MySQL port from that IP.

    It would also be beneficial to notify the
    administrator/ISP responsible for that IP to stop this
    from happening to others.

    Good Luck,
    Guhan

    --- Pall Thayer <pall@fa.is> wrote:

    > Hi,
    > I don't know much about diagnosing attacks but am
    > just wondering if
    > anyone has noticed something similar to what I'm
    > seeing. For the past
    > three days, a computer with IP number 60.48.15.154
    > has been bombarding
    > my mysql server with connection attempts. None
    > appear to be successful.
    > I guess it's a brute force attempt but they're
    > coming really fast and
    > from various different ports on the other side.
    > Really strange.
    >
    > best r.
    > Pall Thayer
    >
    > I'm running Redhat 8 with mysql server 3.23.58. The
    > mysql port is open
    > to the outside world for several reasons. I know
    > this is a bit of a
    > no-no but that's just the way it is. I'm not really
    > very worried about
    > these attacks being successful. The server is very
    > secure as far as
    > passwords and limited users and services go but I'm
    > curious as to what
    > is going on and why they're targeting me.
    >
    > Here's a tcpdump of the traffic on the mysql port:
    >
    > 15:22:18.297149 pallit.lhi.is.mysql >
    > 60.48.15.154.2427: S
    > 3702188471:3702188471(0) ack 1223419901 win 5840
    > <mss
    > 1460,nop,nop,sackOK> (DF)
    > 15:22:18.297532 60.48.15.154.2253 >
    > pallit.lhi.is.mysql: . ack 118 win
    > 65419 (DF)
    > 15:22:18.726717 60.48.15.154.2427 >
    > pallit.lhi.is.mysql: . ack 1 win
    > 65535 (DF)
    > 15:22:18.727164 pallit.lhi.is.mysql >
    > 60.48.15.154.2427: P 1:45(44) ack
    > 1 win 5840 (DF) [tos 0x8]
    > 15:22:19.155084 60.48.15.154.2427 >
    > pallit.lhi.is.mysql: P 1:24(23) ack
    > 45 win 65491 (DF)
    > 15:22:19.155195 pallit.lhi.is.mysql >
    > 60.48.15.154.2427: . ack 24 win
    > 5840 (DF) [tos 0x8]
    > 15:22:19.155268 pallit.lhi.is.mysql >
    > 60.48.15.154.2427: P 45:117(72)
    > ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:19.155281 pallit.lhi.is.mysql >
    > 60.48.15.154.2427: F 117:117(0)
    > ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:19.583862 60.48.15.154.2427 >
    > pallit.lhi.is.mysql: . ack 45 win
    > 65491 <nop,nop,sack sack 1 {117:118} > (DF)
    > 15:22:19.584269 60.48.15.154.2427 >
    > pallit.lhi.is.mysql: . ack 118 win
    > 65419 (DF)
    > 15:22:19.585087 60.48.15.154.2427 >
    > pallit.lhi.is.mysql: F 24:24(0) ack
    > 118 win 65419 (DF)
    > 15:22:19.585106 pallit.lhi.is.mysql >
    > 60.48.15.154.2427: . ack 25 win
    > 5840 (DF)
    > 15:22:19.585496 60.48.15.154.2587 >
    > pallit.lhi.is.mysql: S
    > 1231026484:1231026484(0) win 65535 <mss
    > 4034,nop,nop,sackOK> (DF)
    > 15:22:19.585520 pallit.lhi.is.mysql >
    > 60.48.15.154.2587: S
    > 3754800534:3754800534(0) ack 1231026485 win 5840
    > <mss
    > 1460,nop,nop,sackOK> (DF)
    > 15:22:20.011001 60.48.15.154.2587 >
    > pallit.lhi.is.mysql: . ack 1 win
    > 65535 (DF)
    > 15:22:20.011445 pallit.lhi.is.mysql >
    > 60.48.15.154.2587: P 1:45(44) ack
    > 1 win 5840 (DF) [tos 0x8]
    > 15:22:20.437733 60.48.15.154.2587 >
    > pallit.lhi.is.mysql: P 1:24(23) ack
    > 45 win 65491 (DF)
    > 15:22:20.437840 pallit.lhi.is.mysql >
    > 60.48.15.154.2587: . ack 24 win
    > 5840 (DF) [tos 0x8]
    > 15:22:20.437909 pallit.lhi.is.mysql >
    > 60.48.15.154.2587: P 45:117(72)
    > ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:20.437923 pallit.lhi.is.mysql >
    > 60.48.15.154.2587: F 117:117(0)
    > ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:20.866508 60.48.15.154.2587 >
    > pallit.lhi.is.mysql: F 24:24(0) ack
    > 117 win 65419 (DF)
    > 15:22:20.866537 pallit.lhi.is.mysql >
    > 60.48.15.154.2587: . ack 25 win
    > 5840 (DF) [tos 0x8]
    > 15:22:20.867327 60.48.15.154.2753 >
    > pallit.lhi.is.mysql: S
    > 1239344205:1239344205(0) win 65535 <mss
    > 4034,nop,nop,sackOK> (DF)
    > 15:22:20.867350 pallit.lhi.is.mysql >
    > 60.48.15.154.2753: S
    > 3750552724:3750552724(0) ack 1239344206 win 5840
    > <mss
    > 1460,nop,nop,sackOK> (DF)
    > 15:22:20.867735 60.48.15.154.2587 >
    > pallit.lhi.is.mysql: . ack 118 win
    > 65419 (DF)
    > 15:22:21.293241 60.48.15.154.2753 >
    > pallit.lhi.is.mysql: . ack 1 win
    > 65535 (DF)
    > 15:22:21.296430 pallit.lhi.is.mysql >
    > 60.48.15.154.2753: P 1:45(44) ack
    > 1 win 5840 (DF) [tos 0x8]
    > 15:22:21.722424 60.48.15.154.2753 >
    > pallit.lhi.is.mysql: P 1:24(23) ack
    > 45 win 65491 (DF)
    > 15:22:21.722536 pallit.lhi.is.mysql >
    > 60.48.15.154.2753: . ack 24 win
    > 5840 (DF) [tos 0x8]
    > 15:22:21.722596 pallit.lhi.is.mysql >
    > 60.48.15.154.2753: P 45:117(72)
    > ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:21.722608 pallit.lhi.is.mysql >
    > 60.48.15.154.2753: F 117:117(0)
    > ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:22.149566 60.48.15.154.2753 >
    > pallit.lhi.is.mysql: F 24:24(0) ack
    > 117 win 65419 (DF)
    > 15:22:22.149592 pallit.lhi.is.mysql >
    > 60.48.15.154.2753: . ack 25 win
    > 5840 (DF) [tos 0x8]
    > 15:22:22.150383 60.48.15.154.2916 >
    > pallit.lhi.is.mysql: S
    > 1247383525:1247383525(0) win 65535 <mss
    > 4034,nop,nop,sackOK> (DF)
    > 15:22:22.150405 pallit.lhi.is.mysql >
    > 60.48.15.154.2916: S
    > 3758586043:3758586043(0) ack 1247383526 win 5840
    > <mss
    > 1460,nop,nop,sackOK> (DF)
    > 15:22:22.150792 60.48.15.154.2753 >
    > pallit.lhi.is.mysql: . ack 117 win
    > 65419 (DF)
    > 15:22:22.151609 60.48.15.154.2753 >
    > pallit.lhi.is.mysql: . ack 118 win
    > 65419 (DF)
    > 15:22:22.575890 60.48.15.154.2916 >
    > pallit.lhi.is.mysql: . ack 1 win
    > 65535 (DF)
    > 15:22:22.577559 pallit.lhi.is.mysql >
    > 60.48.15.154.2916: P 1:45(44) ack
    > 1 win 5840 (DF) [tos 0x8]
    > 15:22:23.004256 60.48.15.154.2916 >
    > pallit.lhi.is.mysql: P 1:24(23) ack
    > 45 win 65491 (DF)
    > 15:22:23.008453 pallit.lhi.is.mysql >
    > 60.48.15.154.2916: . ack 24 win
    > 5840 (DF) [tos 0x8]
    > 15:22:23.008531 pallit.lhi.is.mysql >
    > 60.48.15.154.2916: P 45:117(72)
    > ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:23.008546 pallit.lhi.is.mysql >
    > 60.48.15.154.2916: F 117:117(0)
    > ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:23.435485 60.48.15.154.2916 >
    > pallit.lhi.is.mysql: F 24:24(0) ack
    > 117 win 65419 (DF)
    > 15:22:23.435518 pallit.lhi.is.mysql >
    > 60.48.15.154.2916: . ack 25 win
    > 5840 (DF) [tos 0x8]
    > 15:22:23.435893 60.48.15.154.3085 >
    > pallit.lhi.is.mysql: S
    > 1255911271:1255911271(0) win 65535 <mss
    > 4034,nop,nop,sackOK> (DF)
    > 15:22:23.435918 pallit.lhi.is.mysql >
    > 60.48.15.154.3085: S
    > 3759630820:3759630820(0) ack 1255911272 win 5840
    > <mss
    > 1460,nop,nop,sackOK> (DF)
    > 15:22:23.437119 60.48.15.154.2916 >
    > pallit.lhi.is.mysql: . ack 118 win
    > 65419 (DF)
    > 15:22:23.861399 60.48.15.154.3085 >
    > pallit.lhi.is.mysql: . ack 1 win
    > 65535 (DF)
    > 15:22:23.861850 pallit.lhi.is.mysql >
    > 60.48.15.154.3085: P 1:45(44) ack
    > 1 win 5840 (DF) [tos 0x8]
    > 15:22:24.288949 60.48.15.154.3085 >
    > pallit.lhi.is.mysql: P 1:24(23) ack
    > 45 win 65491 (DF)
    > 15:22:24.289044 pallit.lhi.is.mysql >
    > 60.48.15.154.3085: . ack 24 win
    > 5840 (DF) [tos 0x8]
    > 15:22:24.289103 pallit.lhi.is.mysql >
    > 60.48.15.154.3085: P 45:117(72)
    > ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:24.289118 pallit.lhi.is.mysql >
    > 60.48.15.154.3085: F 117:117(0)
    > ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:24.715681 60.48.15.154.3085 >
    > pallit.lhi.is.mysql: F 24:24(0) ack
    > 117 win 65419 (DF)
    > 15:22:24.715710 pallit.lhi.is.mysql >
    > 60.48.15.154.3085: . ack 25 win
    > 5840 (DF) [tos 0x8]
    > 15:22:24.716497 60.48.15.154.3249 >
    > pallit.lhi.is.mysql: S
    > 1263954421:1263954421(0) win 65535 <mss
    > 4034,nop,nop,sackOK> (DF)
    > 15:22:24.716526 pallit.lhi.is.mysql >
    > 60.48.15.154.3249: S
    > 3752740473:3752740473(0) ack 1263954422 win 5840
    > <mss
    > 1460,nop,nop,sackOK> (DF)
    > 15:22:24.716906 60.48.15.154.3085 >
    > pallit.lhi.is.mysql: . ack 118 win
    > 65419 (DF)
    > 15:22:25.143231 60.48.15.154.3249 >
    > pallit.lhi.is.mysql: . ack 1 win
    > 65535 (DF)
    > 15:22:25.143963 pallit.lhi.is.mysql >
    > 60.48.15.154.3249: P 1:45(44) ack
    > 1 win 5840 (DF) [tos 0x8]
    > 15:22:25.569966 60.48.15.154.3249 >
    > pallit.lhi.is.mysql: P 1:24(23) ack
    > 45 win 65491 (DF)
    > 15:22:25.570068 pallit.lhi.is.mysql >
    > 60.48.15.154.3249: . ack 24 win
    > 5840 (DF) [tos 0x8]
    > 15:22:25.570146 pallit.lhi.is.mysql >
    > 60.48.15.154.3249: P 45:117(72)
    > ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:25.570159 pallit.lhi.is.mysql >
    > 60.48.15.154.3249: F 117:117(0)
    > ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:25.999147 60.48.15.154.3249 >
    > pallit.lhi.is.mysql: F 24:24(0) ack
    > 117 win 65419 (DF)
    > 15:22:25.999173 pallit.lhi.is.mysql >
    > 60.48.15.154.3249: . ack 25 win
    > 5840 (DF) [tos 0x8]
    > 15:22:25.999963 60.48.15.154.3249 >
    > pallit.lhi.is.mysql: . ack 118 win
    > 65419 (DF)
    > 15:22:26.000372 60.48.15.154.3425 >
    > pallit.lhi.is.mysql: S
    > 1272492900:1272492900(0) win 65535 <mss
    > 4034,nop,nop,sackOK> (DF)
    > 15:22:26.000395 pallit.lhi.is.mysql >
    > 60.48.15.154.3425: S
    > 3708372058:3708372058(0) ack 1272492901 win 5840
    > <mss
    > 1460,nop,nop,sackOK> (DF)
    > 15:22:26.430784 60.48.15.154.3425 >
    > pallit.lhi.is.mysql: . ack 1 win
    > 65535 (DF)
    > 15:22:26.431572 pallit.lhi.is.mysql >
    > 60.48.15.154.3425: P 1:45(44) ack
    > 1 win 5840 (DF) [tos 0x8]
    > 15:22:26.857516 60.48.15.154.3425 >
    > pallit.lhi.is.mysql: P 1:24(23) ack
    > 45 win 65491 (DF)
    > 15:22:26.859179 pallit.lhi.is.mysql >
    > 60.48.15.154.3425: . ack 24 win
    > 5840 (DF) [tos 0x8]
    > 15:22:26.859295 pallit.lhi.is.mysql >
    > 60.48.15.154.3425: P 45:117(72)
    > ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:26.859307 pallit.lhi.is.mysql >
    > 60.48.15.154.3425: F 117:117(0)
    > ack 24 win 5840 (DF) [tos 0x8]
    > 15:22:27.285883 60.48.15.154.3425 >
    > pallit.lhi.is.mysql: F 24:24(0) ack
    > 117 win 65419 (DF)
    > 15:22:27.285908 pallit.lhi.is.mysql >
    > 60.48.15.154.3425: . ack 25 win
    > 5840 (DF) [tos 0x8]
    > 15:22:27.286291 60.48.15.154.3425 >
    > pallit.lhi.is.mysql: . ack 118 win
    > 65419 (DF)
    > 15:22:27.286699 60.48.15.154.3591 >
    > pallit.lhi.is.mysql: S
    > 1280677001:1280677001(0) win 65535 <mss
    > 4034,nop,nop,sackOK> (DF)
    > 15:22:27.286723 pallit.lhi.is.mysql >
    > 60.48.15.154.3591: S
    > 3762493586:3762493586(0) ack 1280677002 win 5840
    > <mss
    > 1460,nop,nop,sackOK> (DF)
    >
    >

                    
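Editor's added example; it is not code from either post. The paste shows the same sequence on every connection: three-way handshake, 44 bytes from the server (in the MySQL protocol the server speaks first, with its greeting), 23 bytes from the client, then 72 bytes from the server immediately followed by the server's FIN. The server is the side closing each connection, which is consistent with a login attempt that it rejects, and the client simply opens the next connection from a higher source port. The script below parses tcpdump lines in the format Pall posted, counts connection attempts per source IP within a time window, notes how many of those the server closed first, and produces the iptables rule Guhan recommends. The threshold values, the function names and the assumption that tcpdump's "mysql" service name is TCP port 3306 are mine, not from the thread; the sample lines are copied from Pall's paste with the mail-client line wrapping removed.

```python
"""Detect a MySQL connection flood in tcpdump 3.x-style output and build the
iptables rule Guhan suggests. Editor's added example; thresholds and helper
names are assumptions, not anything from the original thread."""
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from Pall's tcpdump paste, each re-joined onto one line: the
# complete connection on client port 2587, then the opening SYN of each later
# connection. Only the mail-client line wrapping was removed.
CAPTURE = """\
15:22:19.585496 60.48.15.154.2587 > pallit.lhi.is.mysql: S 1231026484:1231026484(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
15:22:19.585520 pallit.lhi.is.mysql > 60.48.15.154.2587: S 3754800534:3754800534(0) ack 1231026485 win 5840 <mss 1460,nop,nop,sackOK> (DF)
15:22:20.011001 60.48.15.154.2587 > pallit.lhi.is.mysql: . ack 1 win 65535 (DF)
15:22:20.011445 pallit.lhi.is.mysql > 60.48.15.154.2587: P 1:45(44) ack 1 win 5840 (DF) [tos 0x8]
15:22:20.437733 60.48.15.154.2587 > pallit.lhi.is.mysql: P 1:24(23) ack 45 win 65491 (DF)
15:22:20.437840 pallit.lhi.is.mysql > 60.48.15.154.2587: . ack 24 win 5840 (DF) [tos 0x8]
15:22:20.437909 pallit.lhi.is.mysql > 60.48.15.154.2587: P 45:117(72) ack 24 win 5840 (DF) [tos 0x8]
15:22:20.437923 pallit.lhi.is.mysql > 60.48.15.154.2587: F 117:117(0) ack 24 win 5840 (DF) [tos 0x8]
15:22:20.866508 60.48.15.154.2587 > pallit.lhi.is.mysql: F 24:24(0) ack 117 win 65419 (DF)
15:22:20.867327 60.48.15.154.2753 > pallit.lhi.is.mysql: S 1239344205:1239344205(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
15:22:22.150383 60.48.15.154.2916 > pallit.lhi.is.mysql: S 1247383525:1247383525(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
15:22:23.435893 60.48.15.154.3085 > pallit.lhi.is.mysql: S 1255911271:1255911271(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
15:22:24.716497 60.48.15.154.3249 > pallit.lhi.is.mysql: S 1263954421:1263954421(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
15:22:26.000372 60.48.15.154.3425 > pallit.lhi.is.mysql: S 1272492900:1272492900(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
15:22:27.286699 60.48.15.154.3591 > pallit.lhi.is.mysql: S 1280677001:1280677001(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
"""

SERVER = "pallit.lhi.is.mysql"  # tcpdump prints the server's port 3306 as "mysql" (assumed)
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+) > (\S+): (\S+) (.*)$")
PAYLOAD = re.compile(r"\((\d+)\)")  # "P 1:45(44)" -> 44 payload bytes


def split_endpoint(ep):
    """'60.48.15.154.2587' -> ('60.48.15.154', '2587')."""
    host, _, port = ep.rpartition(".")
    return host, port


def flows(text):
    """Group segments by client endpoint and summarise each TCP connection:
    when the client's SYN arrived, payload bytes each way, who sent FIN first."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, dst, flags, rest = m.groups()
        if dst == SERVER:
            key, from_client = split_endpoint(src), True
        elif src == SERVER:
            key, from_client = split_endpoint(dst), False
        else:
            continue  # not traffic to or from the MySQL port
        f = out.setdefault(key, {"syn": None, "c_bytes": 0, "s_bytes": 0, "closer": None})
        if from_client and "S" in flags:
            f["syn"] = datetime.strptime(ts, "%H:%M:%S.%f")
        p = PAYLOAD.search(rest)
        f["c_bytes" if from_client else "s_bytes"] += int(p.group(1)) if p else 0
        if "F" in flags and f["closer"] is None:
            f["closer"] = "client" if from_client else "server"
    return out


def suspicious_sources(text, min_conns=5, window_s=30.0):
    """Clients that opened at least min_conns connections to the MySQL port
    within window_s seconds. The thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for (host, _port), f in flows(text).items():
        if f["syn"] is not None:
            by_ip[host].append(f)
    flagged = {}
    for ip, fl in by_ip.items():
        fl.sort(key=lambda f: f["syn"])
        span = (fl[-1]["syn"] - fl[0]["syn"]).total_seconds()
        if len(fl) >= min_conns and span <= window_s:
            flagged[ip] = {
                "connections": len(fl),
                "seconds": span,
                "per_minute": len(fl) * 60.0 / span if span else float("inf"),
                # connections the server tore down first (its FIN came before the client's)
                "server_closed": sum(1 for f in fl if f["closer"] == "server"),
            }
    return flagged


def iptables_block(ip, port=3306):
    """The response Guhan suggests: drop that source's traffic to the MySQL port."""
    return f"iptables -I INPUT -p tcp -s {ip} --dport {port} -j DROP"


if __name__ == "__main__":
    for ip, stats in suspicious_sources(CAPTURE).items():
        print(f"{ip}: {stats}")
        print(iptables_block(ip))
```

Run against a longer capture (`tcpdump -n port 3306 > mysql.log`, then feed the file's text to `suspicious_sources`), the per-minute figure is the number Pall was estimating by eye; for the seven connections in the paste it is about 55 per minute from a single source. Blocking the one address is the quick fix; the durable one is restricting the port to the hosts that need it, since the next scanner will come from a different source.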