Re: mysql attack

From: Pall Thayer (pall_at_fa.is)
Date: 07/21/05


Date: Thu, 21 Jul 2005 17:21:21 +0000
To: incidents@securityfocus.com

Thanks for the tips everyone, I blocked the machine with iptables.

Pall

W. Guhan Iyer wrote:
> Greetings,
>
> It would help if you could post some of the actual packet data using a tool like tcpdump, so the exact attack can be identified.
>
> I would suspect they are attempting to exploit a vulnerability associated with that version:
> http://www.saintcorporation.com/cgi-bin/demo_tut.pl?tutorial_name=MySQL_vulnerabilities.html&fact_color=doc&tag=
>
> In the meantime, since this traffic is coming from only one IP, you can use iptables to block access to your mysql port from that IP.
>
> It would also be beneficial to notify the administrator/ISP responsible for that IP to stop this from happening to others.
>
> Good Luck,
> Guhan
>
>
> --- Pall Thayer <pall@fa.is> wrote:
>
>
>>Hi,
>>I don't know much about diagnosing attacks but am just wondering if anyone has noticed something similar to what I'm seeing. For the past three days, a computer with IP number 60.48.15.154 has been bombarding my mysql server with connection attempts. None appear to be successful. I guess it's a brute force attempt but they're coming really fast and from various different ports on the other side. Really strange.
>>
>>best r.
>>Pall Thayer
>>
>>I'm running Redhat 8 with mysql server 3.23.58. The mysql port is open to the outside world for several reasons. I know this is a bit of a no-no but that's just the way it is. I'm not really very worried about these attacks being successful. The server is very secure as far as passwords and limited users and services go but I'm curious as to what is going on and why they're targeting me.
>>
>>Here's a tcpdump of the traffic on the mysql port:
>>
>>15:22:18.297149 pallit.lhi.is.mysql > 60.48.15.154.2427: S 3702188471:3702188471(0) ack 1223419901 win 5840 <mss 1460,nop,nop,sackOK> (DF)
>>15:22:18.297532 60.48.15.154.2253 > pallit.lhi.is.mysql: . ack 118 win 65419 (DF)
>>15:22:18.726717 60.48.15.154.2427 > pallit.lhi.is.mysql: . ack 1 win 65535 (DF)
>>15:22:18.727164 pallit.lhi.is.mysql > 60.48.15.154.2427: P 1:45(44) ack 1 win 5840 (DF) [tos 0x8]
>>15:22:19.155084 60.48.15.154.2427 > pallit.lhi.is.mysql: P 1:24(23) ack 45 win 65491 (DF)
>>15:22:19.155195 pallit.lhi.is.mysql > 60.48.15.154.2427: . ack 24 win 5840 (DF) [tos 0x8]
>>15:22:19.155268 pallit.lhi.is.mysql > 60.48.15.154.2427: P 45:117(72) ack 24 win 5840 (DF) [tos 0x8]
>>15:22:19.155281 pallit.lhi.is.mysql > 60.48.15.154.2427: F 117:117(0) ack 24 win 5840 (DF) [tos 0x8]
>>15:22:19.583862 60.48.15.154.2427 > pallit.lhi.is.mysql: . ack 45 win 65491 <nop,nop,sack sack 1 {117:118} > (DF)
>>15:22:19.584269 60.48.15.154.2427 > pallit.lhi.is.mysql: . ack 118 win 65419 (DF)
>>15:22:19.585087 60.48.15.154.2427 > pallit.lhi.is.mysql: F 24:24(0) ack 118 win 65419 (DF)
>>15:22:19.585106 pallit.lhi.is.mysql > 60.48.15.154.2427: . ack 25 win 5840 (DF)
>>15:22:19.585496 60.48.15.154.2587 > pallit.lhi.is.mysql: S 1231026484:1231026484(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
>>15:22:19.585520 pallit.lhi.is.mysql > 60.48.15.154.2587: S 3754800534:3754800534(0) ack 1231026485 win 5840 <mss 1460,nop,nop,sackOK> (DF)
>>15:22:20.011001 60.48.15.154.2587 > pallit.lhi.is.mysql: . ack 1 win 65535 (DF)
>>15:22:20.011445 pallit.lhi.is.mysql > 60.48.15.154.2587: P 1:45(44) ack 1 win 5840 (DF) [tos 0x8]
>>15:22:20.437733 60.48.15.154.2587 > pallit.lhi.is.mysql: P 1:24(23) ack 45 win 65491 (DF)
>>15:22:20.437840 pallit.lhi.is.mysql > 60.48.15.154.2587: . ack 24 win 5840 (DF) [tos 0x8]
>>15:22:20.437909 pallit.lhi.is.mysql > 60.48.15.154.2587: P 45:117(72) ack 24 win 5840 (DF) [tos 0x8]
>>15:22:20.437923 pallit.lhi.is.mysql > 60.48.15.154.2587: F 117:117(0) ack 24 win 5840 (DF) [tos 0x8]
>>15:22:20.866508 60.48.15.154.2587 > pallit.lhi.is.mysql: F 24:24(0) ack 117 win 65419 (DF)
>>15:22:20.866537 pallit.lhi.is.mysql > 60.48.15.154.2587: . ack 25 win 5840 (DF) [tos 0x8]
>>15:22:20.867327 60.48.15.154.2753 > pallit.lhi.is.mysql: S 1239344205:1239344205(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
>>15:22:20.867350 pallit.lhi.is.mysql > 60.48.15.154.2753: S 3750552724:3750552724(0) ack 1239344206 win 5840 <mss 1460,nop,nop,sackOK> (DF)
>>15:22:20.867735 60.48.15.154.2587 > pallit.lhi.is.mysql: . ack 118 win 65419 (DF)
>>15:22:21.293241 60.48.15.154.2753 > pallit.lhi.is.mysql: . ack 1 win 65535 (DF)
>>15:22:21.296430 pallit.lhi.is.mysql > 60.48.15.154.2753: P 1:45(44) ack 1 win 5840 (DF) [tos 0x8]
>>15:22:21.722424 60.48.15.154.2753 > pallit.lhi.is.mysql: P 1:24(23) ack 45 win 65491 (DF)
>>15:22:21.722536 pallit.lhi.is.mysql > 60.48.15.154.2753: . ack 24 win 5840 (DF) [tos 0x8]
>>15:22:21.722596 pallit.lhi.is.mysql > 60.48.15.154.2753: P 45:117(72) ack 24 win 5840 (DF) [tos 0x8]
>>15:22:21.722608 pallit.lhi.is.mysql > 60.48.15.154.2753: F 117:117(0) ack 24 win 5840 (DF) [tos 0x8]
>>15:22:22.149566 60.48.15.154.2753 > pallit.lhi.is.mysql: F 24:24(0) ack 117 win 65419 (DF)
>>15:22:22.149592 pallit.lhi.is.mysql > 60.48.15.154.2753: . ack 25 win 5840 (DF) [tos 0x8]
>>15:22:22.150383 60.48.15.154.2916 > pallit.lhi.is.mysql: S 1247383525:1247383525(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
>>15:22:22.150405 pallit.lhi.is.mysql > 60.48.15.154.2916: S 3758586043:3758586043(0) ack 1247383526 win 5840 <mss 1460,nop,nop,sackOK> (DF)
>>15:22:22.150792 60.48.15.154.2753 > pallit.lhi.is.mysql: . ack 117 win 65419 (DF)
>>15:22:22.151609 60.48.15.154.2753 > pallit.lhi.is.mysql: . ack 118 win 65419 (DF)
>>15:22:22.575890 60.48.15.154.2916 > pallit.lhi.is.mysql: . ack 1 win 65535 (DF)
>>15:22:22.577559 pallit.lhi.is.mysql > 60.48.15.154.2916: P 1:45(44) ack 1 win 5840 (DF) [tos 0x8]
>>15:22:23.004256 60.48.15.154.2916 > pallit.lhi.is.mysql: P 1:24(23) ack 45 win 65491 (DF)
>>15:22:23.008453 pallit.lhi.is.mysql > 60.48.15.154.2916: . ack 24 win 5840 (DF) [tos 0x8]
>>15:22:23.008531 pallit.lhi.is.mysql > 60.48.15.154.2916: P 45:117(72) ack 24 win 5840 (DF) [tos 0x8]
>>15:22:23.008546 pallit.lhi.is.mysql > 60.48.15.154.2916: F 117:117(0) ack 24 win 5840 (DF) [tos 0x8]
>>15:22:23.435485 60.48.15.154.2916 > pallit.lhi.is.mysql: F 24:24(0) ack 117 win 65419 (DF)
>>15:22:23.435518 pallit.lhi.is.mysql > 60.48.15.154.2916: . ack 25 win 5840 (DF) [tos 0x8]
>>15:22:23.435893 60.48.15.154.3085 > pallit.lhi.is.mysql: S 1255911271:1255911271(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
>>15:22:23.435918 pallit.lhi.is.mysql > 60.48.15.154.3085: S 3759630820:3759630820(0) ack 1255911272 win 5840 <mss 1460,nop,nop,sackOK> (DF)
>>15:22:23.437119 60.48.15.154.2916 > pallit.lhi.is.mysql: . ack 118 win 65419 (DF)
>>15:22:23.861399 60.48.15.154.3085 > pallit.lhi.is.mysql: . ack 1 win 65535 (DF)
>>15:22:23.861850 pallit.lhi.is.mysql > 60.48.15.154.3085: P 1:45(44) ack 1 win 5840 (DF) [tos 0x8]
>>15:22:24.288949 60.48.15.154.3085 > pallit.lhi.is.mysql: P 1:24(23) ack 45 win 65491 (DF)
>>15:22:24.289044 pallit.lhi.is.mysql > 60.48.15.154.3085: . ack 24 win 5840 (DF) [tos 0x8]
>>15:22:24.289103 pallit.lhi.is.mysql > 60.48.15.154.3085: P 45:117(72) ack 24 win 5840 (DF) [tos 0x8]
>>15:22:24.289118 pallit.lhi.is.mysql > 60.48.15.154.3085: F 117:117(0) ack 24 win 5840 (DF) [tos 0x8]
>>15:22:24.715681 60.48.15.154.3085 > pallit.lhi.is.mysql: F 24:24(0) ack 117 win 65419 (DF)
>>15:22:24.715710 pallit.lhi.is.mysql > 60.48.15.154.3085: . ack 25 win 5840 (DF) [tos 0x8]
>>15:22:24.716497 60.48.15.154.3249 > pallit.lhi.is.mysql: S 1263954421:1263954421(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
>>15:22:24.716526 pallit.lhi.is.mysql > 60.48.15.154.3249: S 3752740473:3752740473(0) ack 1263954422 win 5840 <mss 1460,nop,nop,sackOK> (DF)
>>15:22:24.716906 60.48.15.154.3085 > pallit.lhi.is.mysql: . ack 118 win 65419 (DF)
>>15:22:25.143231 60.48.15.154.3249 > pallit.lhi.is.mysql: . ack 1 win 65535 (DF)
>>15:22:25.143963 pallit.lhi.is.mysql > 60.48.15.154.3249: P 1:45(44) ack 1 win 5840 (DF) [tos 0x8]
>>15:22:25.569966 60.48.15.154.3249 > pallit.lhi.is.mysql: P 1:24(23) ack 45 win 65491 (DF)
>>15:22:25.570068 pallit.lhi.is.mysql > 60.48.15.154.3249: . ack 24 win 5840 (DF) [tos 0x8]
>>15:22:25.570146 pallit.lhi.is.mysql > 60.48.15.154.3249: P 45:117(72) ack 24 win 5840 (DF) [tos 0x8]
>>15:22:25.570159 pallit.lhi.is.mysql > 60.48.15.154.3249: F 117:117(0) ack 24 win 5840 (DF) [tos 0x8]
>>15:22:25.999147 60.48.15.154.3249 > pallit.lhi.is.mysql: F 24:24(0) ack 117 win 65419 (DF)
>>15:22:25.999173 pallit.lhi.is.mysql > 60.48.15.154.3249: . ack 25 win 5840 (DF) [tos 0x8]
>>15:22:25.999963 60.48.15.154.3249 > pallit.lhi.is.mysql: . ack 118 win 65419 (DF)
>>15:22:26.000372 60.48.15.154.3425 > pallit.lhi.is.mysql: S 1272492900:1272492900(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
>>15:22:26.000395 pallit.lhi.is.mysql > 60.48.15.154.3425: S 3708372058:3708372058(0) ack 1272492901 win 5840 <mss 1460,nop,nop,sackOK> (DF)
>>15:22:26.430784 60.48.15.154.3425 > pallit.lhi.is.mysql: . ack 1 win 65535 (DF)
>>15:22:26.431572 pallit.lhi.is.mysql > 60.48.15.154.3425: P 1:45(44) ack 1 win 5840 (DF) [tos 0x8]
>>15:22:26.857516 60.48.15.154.3425 > pallit.lhi.is.mysql: P 1:24(23) ack 45 win 65491 (DF)
>>15:22:26.859179 pallit.lhi.is.mysql > 60.48.15.154.3425: . ack 24 win 5840 (DF) [tos 0x8]
>>15:22:26.859295 pallit.lhi.is.mysql > 60.48.15.154.3425: P 45:117(72) ack 24 win 5840 (DF) [tos 0x8]
>>15:22:26.859307 pallit.lhi.is.mysql > 60.48.15.154.3425: F 117:117(0) ack 24 win 5840 (DF) [tos 0x8]
>>15:22:27.285883 60.48.15.154.3425 > pallit.lhi.is.mysql: F 24:24(0) ack 117 win 65419 (DF)
>>15:22:27.285908 pallit.lhi.is.mysql > 60.48.15.154.3425: . ack 25 win 5840 (DF) [tos 0x8]
>>15:22:27.286291 60.48.15.154.3425 > pallit.lhi.is.mysql: . ack 118 win 65419 (DF)
>>15:22:27.286699 60.48.15.154.3591 > pallit.lhi.is.mysql: S 1280677001:1280677001(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
>>15:22:27.286723 pallit.lhi.is.mysql > 60.48.15.154.3591: S 3762493586:3762493586(0) ack 1280677002 win 5840 <mss 1460,nop,nop,sackOK> (DF)
>>
>>
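The trace in Pall's post shows one exchange repeating about once a second from a single source address, each time on a fresh client port: three-way handshake, a 44-byte server message, a 23-byte client message, a 72-byte server reply, then the server closes. The script below is an added example, not part of the thread: it parses tcpdump lines in that old one-line format, groups packets into client sessions, flags a source that keeps opening such short sessions, and renders the per-source iptables block that Guhan suggested and Pall applied. The sample trace is a subset of the posted packets re-joined onto one line each; the "rejected" heuristic, the thresholds, and the rule helper are assumptions of the example, not anything the thread states (the trace alone does not show what the 72-byte reply contains).

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the packets from the tcpdump posted in
# the thread, re-joined onto one line each (two complete client sessions).
SAMPLE_TRACE = """\
15:22:19.585496 60.48.15.154.2587 > pallit.lhi.is.mysql: S 1231026484:1231026484(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
15:22:19.585520 pallit.lhi.is.mysql > 60.48.15.154.2587: S 3754800534:3754800534(0) ack 1231026485 win 5840 <mss 1460,nop,nop,sackOK> (DF)
15:22:20.011445 pallit.lhi.is.mysql > 60.48.15.154.2587: P 1:45(44) ack 1 win 5840 (DF) [tos 0x8]
15:22:20.437733 60.48.15.154.2587 > pallit.lhi.is.mysql: P 1:24(23) ack 45 win 65491 (DF)
15:22:20.437909 pallit.lhi.is.mysql > 60.48.15.154.2587: P 45:117(72) ack 24 win 5840 (DF) [tos 0x8]
15:22:20.437923 pallit.lhi.is.mysql > 60.48.15.154.2587: F 117:117(0) ack 24 win 5840 (DF) [tos 0x8]
15:22:20.866508 60.48.15.154.2587 > pallit.lhi.is.mysql: F 24:24(0) ack 117 win 65419 (DF)
15:22:20.867327 60.48.15.154.2753 > pallit.lhi.is.mysql: S 1239344205:1239344205(0) win 65535 <mss 4034,nop,nop,sackOK> (DF)
15:22:20.867350 pallit.lhi.is.mysql > 60.48.15.154.2753: S 3750552724:3750552724(0) ack 1239344206 win 5840 <mss 1460,nop,nop,sackOK> (DF)
15:22:21.296430 pallit.lhi.is.mysql > 60.48.15.154.2753: P 1:45(44) ack 1 win 5840 (DF) [tos 0x8]
15:22:21.722424 60.48.15.154.2753 > pallit.lhi.is.mysql: P 1:24(23) ack 45 win 65491 (DF)
15:22:21.722596 pallit.lhi.is.mysql > 60.48.15.154.2753: P 45:117(72) ack 24 win 5840 (DF) [tos 0x8]
15:22:21.722608 pallit.lhi.is.mysql > 60.48.15.154.2753: F 117:117(0) ack 24 win 5840 (DF) [tos 0x8]
15:22:22.149566 60.48.15.154.2753 > pallit.lhi.is.mysql: F 24:24(0) ack 117 win 65419 (DF)
"""

PKT_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+) > (\S+): (\S+) (.*)$")
LEN_RE = re.compile(r"\d+:\d+\((\d+)\)")   # "1:45(44)" -> payload length 44
ACK_RE = re.compile(r"\back\b")            # word-bounded so "sackOK" does not match

def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def split_endpoint(ep):
    # "60.48.15.154.2587" -> ("60.48.15.154", "2587"); "pallit.lhi.is.mysql" -> (host, "mysql")
    host, _, port = ep.rpartition(".")
    return host, port

def parse_trace(text):
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, flags, rest = m.groups()
        n = LEN_RE.search(rest)
        pkts.append({"ts": to_seconds(ts), "src": split_endpoint(src),
                     "dst": split_endpoint(dst), "flags": flags,
                     "len": int(n.group(1)) if n else 0,
                     "ack": bool(ACK_RE.search(rest))})
    return pkts

def build_sessions(pkts, service="mysql"):
    # One session per (client host, client port, server host).
    sessions = {}
    for p in pkts:
        (sh, sp), (dh, dp) = p["src"], p["dst"]
        if dp == service:
            key, d = (sh, sp, dh), "c2s"
        elif sp == service:
            key, d = (dh, dp, sh), "s2c"
        else:
            continue
        s = sessions.setdefault(key, {"start": p["ts"], "end": p["ts"], "syn": False,
                                      "c2s_bytes": 0, "s2c_bytes": 0, "c2s_msgs": 0,
                                      "server_fin": False})
        s["end"] = p["ts"]
        if d == "c2s" and "S" in p["flags"] and not p["ack"]:
            s["syn"] = True                # bare SYN: the client opened the connection
        s[d + "_bytes"] += p["len"]
        if d == "c2s" and p["len"] > 0:
            s["c2s_msgs"] += 1
        if d == "s2c" and "F" in p["flags"]:
            s["server_fin"] = True
    return sessions

def looks_rejected(s):
    # Assumed heuristic: full handshake, exactly one client message, and the
    # server closed straight after answering it.
    return s["syn"] and s["server_fin"] and s["c2s_msgs"] == 1

def summarize(sessions):
    per_host = defaultdict(list)
    for (host, _port, _server), s in sessions.items():
        per_host[host].append(s)
    report = {}
    for host, ss in per_host.items():
        starts = sorted(s["start"] for s in ss)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        report[host] = {"sessions": len(ss),
                        "rejected": sum(looks_rejected(s) for s in ss),
                        "mean_interval": sum(gaps) / len(gaps) if gaps else None}
    return report

def offenders(report, min_rejected=2, max_interval=5.0):
    # Thresholds are assumptions; tune them to the server's normal client behaviour.
    return sorted(h for h, r in report.items()
                  if r["rejected"] >= min_rejected
                  and r["mean_interval"] is not None and r["mean_interval"] <= max_interval)

def iptables_drop_rules(hosts, port=3306):
    # The per-source block suggested in the thread, rendered as commands to run as root.
    return [f"iptables -I INPUT -s {h} -p tcp --dport {port} -j DROP" for h in hosts]
```

Run `summarize(build_sessions(parse_trace(open("dump.txt").read())))` over a full capture (`tcpdump -n port 3306` output in this one-line format) and feed `offenders()` into `iptables_drop_rules()`; on the posted sample it reports two rejected sessions from 60.48.15.154 about 1.28 seconds apart and emits one DROP rule for that address. A per-source DROP stops this one host only; if the port has to stay reachable, an allow-list of known client addresses ahead of a default DROP on the port is the stronger configuration.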