LinuxQuestions.org


my-unix-dream 05-13-2005 11:20 PM

Mysql Server ...virus Attack Found !
 
My Linux boxes, Fedora 3 and SUSE, are subject to cracker attack, break in!!

It is mysql ????#$%server ?#$% intrude virus..

I did not rooted!!! I have 4 firewalls set?? Still... I got his IP address :cry:

He must be very pro to break 4 firewall routers in my Linux box....

MySQL can be a virus????

btmiller 05-14-2005 12:28 AM

Exactly what is your question here? You can very easily be rooted if you don't follow proper security procedures and keep up to date with patches (and there have been some past security problems with MySQL). Also remember if you are allowing services through your firewalls, the firewalls can do nothing to protect against attacks on those services (not true if you have an application layer firewall, but most people don't).

Anyhow, if you can put together a legible question, I'd advise asking it to the friendly folks in the security forum. Unfortunately, crackers and malware are a fact of life regardless of OS.

my-unix-dream 05-14-2005 11:34 AM

I have both a hardware firewall and a software firewall and an anti-hacker router!!!

4++ of them!!!

And I never open so many ports to the outside world!!!

only port 80 for website

8000 for shoutcast server

and I never installed MySQL either.......

and not networked with other LANs.....

I saw "mysql intruder .....server ....something" in my CLI!! and his IP address.
My Linux was all patched, updated to the latest, and SELINUX ENABLED!!!

This must be a very important issue for any Linux user!

:Pengy:

btmiller 05-14-2005 12:24 PM

If MySQL wasn't running there's no way anyone could've used it to break in. Then again, an attacker who broke in through some other mechanism could've installed and started MySQL. What exactly did you see that led you to think you were compromised? Given your set-up, the most likely point of entry may be the Web server. What version of Apache were you running?

runlevel0 05-14-2005 01:01 PM

Quote:

Originally posted by my-unix-dream
I have both a hardware firewall and a software firewall and an anti-hacker router!!!
I saw "mysql intruder .....server ....something" in my CLI!! and his IP address.
My Linux was all patched, updated to the latest, and SELINUX ENABLED!!!
:Pengy:

What kind of software is this which gives you this kind of warning?
I would have expected kinda this stuff:
Code:

May 14 17:58:14 soviet kernel: IN=ippp0 OUT= MAC= SRC=81.203.240.204 DST=80.102.16.153 LEN=48 TOS=0x00 REC=0x00 TTL=118 ID=20727 DF PROTO=TCP SPT=2502 DPT=5554 WINDOW=65535 RES=0x00 SYN URGP=0
Which is what *the* Linux firewall, iptables, 'says'.

Perhaps if you are running some IDS or the like it caught a hit from a 3V331 source and thought it was an intrusion attempt.

The only worm known to use these ports (80) would have been a variant of the Santy family, but as long as you do not use phpBB I wouldn't be concerned either.


Quote:

this is must be very important issues for any linux user !
Sure, it's called false positive and it's frightening the shit out of us right now ;)

my-unix-dream 05-15-2005 09:12 AM

mysql intruder script attack ??
 
SORRY guys,

but I did not catch with my eyes what the CLI exactly said!! It happened so quickly, I had nothing to do but just close the INTERNET gateway!!!! My anti-hacker, anti-DDoS attack ROUTER has detected this attack attempt too.

So why did I know it was an attack attempt?? Because my mouse cursor moved crazily out of my control and the CLI kept printing technical messages......#%$??? CPU uses 100% resources..... mem full....@#$ it just ain't natural.!! P.S.: and remember I've installed the clamscan utility as well!!

and his IP address 66.211.?????

Please provide assistance?

:cry: :cry: :confused:

runlevel0 05-15-2005 10:04 AM

Re: mysql intruder script attack ??
 
Quote:

Originally posted by my-unix-dream
SORRY guys,
So why did I know it was an attack attempt?? Because my mouse cursor moved crazily out of my control and the CLI kept printing technical messages......#%$??? CPU uses 100% resources..... mem full....@#$ it just ain't natural.!! P.S.: and remember I've installed the clamscan utility as well!!

There is a place where you can look for accurate info: /var/log/messages should keep the logs, and anything suspicious would be there.

What you have to do is search for the hour of the attack and look for weird messages. As you say you have the suspect's IP, use this:
Code:

cat /var/log/messages | grep IP_OF_THE_HAX0R

You have been talking about a router, I suspect it's one of those DSL routers.
They are sometimes prone to attacks, but I can't state how this could appear on a 'CLI' and why you have an xterm open, and furthermore how your router logs the STDERR to a console on your main box.

Please describe:
* What do you understand under CLI: Is it a plain-text terminal or xterm on your computer, a display on your router or a pop-up window in KDE / Gnome?

* How does it come that you are watching the router through a terminal?

For a first approach I would suggest using chkrootkit in order to check if there is any known r00t-kit installed. From a 'CLI' type, as root:

Code:

chkrootkit

runlevel0 05-15-2005 10:07 AM

Re: mysql intruder script attack ??
 
Quote:

Originally posted by my-unix-dream
SORRY guys,
So why did I know it was an attack attempt?? Because my mouse cursor moved crazily out of my control and the CLI kept printing technical messages......#%$??? CPU uses 100% resources..... mem full....@#$ it just ain't natural.!! P.S.: and remember I've installed the clamscan utility as well!!

There is a place where you can look for accurate info: /var/log/messages should keep the logs, and anything suspicious would be there.

What you have to do is search for the hour of the attack and look for weird messages. As you say you have the suspect's IP, use this:
Code:

cat /var/log/messages | grep IP_OF_THE_HAX0R
Once you have found it, use your favorite text editor and cut and paste the lines related to the attack so we can help you further.

You have been talking about a router, I suspect it's one of those DSL routers.
They are sometimes prone to attacks, but I can't state how this could appear on a 'CLI' and why you have an xterm open, and furthermore how your router logs the STDERR to a console on your main box.

Please describe:
* What do you understand under CLI: Is it a plain-text terminal or xterm on your computer, a display on your router or a pop-up window in KDE / Gnome?

* How does it come that you are watching the router through a terminal?

For a first approach I would suggest using chkrootkit in order to check if there is any known r00t-kit installed. From a 'CLI' type, as root:

Code:

chkrootkit
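
The two things this post asks for, pulling the lines that mention the suspect's address out of /var/log/messages and reading the iptables LOG lines of the kind shown earlier in the thread, as an added example that is not part of the original post. It is POSIX sh and runs against a constructed sample log embedded below (the hostname "soviet" is borrowed from the thread's sample line; the IP addresses are documentation-range values made up here); every function defaults to /var/log/messages when no file name is given.

```shell
#!/bin/sh
# Added example, not from the thread: search a syslog-style file for a
# source IP and a time window, and condense iptables LOG lines to the
# fields a responder looks at first (timestamp, SRC, DST, PROTO, DPT).

# Constructed sample log in the format runlevel0 showed. Addresses are
# documentation-range values invented for this example; 3306 is the
# MySQL port, which is the kind of hit the original poster described.
SAMPLE_LOG='May 14 17:58:14 soviet kernel: IN=ippp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=20727 DF PROTO=TCP SPT=2502 DPT=5554 WINDOW=65535 RES=0x00 SYN URGP=0
May 14 17:58:20 soviet sshd[1234]: Accepted password for bob from 192.0.2.10 port 40022 ssh2
May 14 18:02:03 soviet kernel: IN=ippp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=1024 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
May 14 19:15:44 soviet kernel: IN=ippp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=20728 DF PROTO=TCP SPT=2503 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0'

# sample_file: write the constructed log to a temp file and print its path.
sample_file() {
    f=${TMPDIR:-/tmp}/iptables_sample.$$.log
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "$f"
}

# lines_for_ip IP [FILE]: every line that mentions IP as a whole word.
# -F treats the address literally (in a regex a dot matches any
# character, so 192.0.2.10 would also match 192x0x2x10), and -w stops
# 192.0.2.1 from matching inside 192.0.2.10.
lines_for_ip() {
    ip=$1; file=${2:-/var/log/messages}
    grep -Fw -- "$ip" "$file"
}

# lines_in_hour "Mon DD" HH [FILE]: lines from that day whose timestamp
# falls inside hour HH. Note syslog pads single-digit days with a
# second space ("May  4"), so pass the day exactly as the log writes it.
lines_in_hour() {
    day=$1; hour=$2; file=${3:-/var/log/messages}
    grep -- "^$day $hour:" "$file"
}

# iptables_fields [FILE]: reduce kernel LOG lines to
# "Mon DD HH:MM:SS SRC DST PROTO DPT" so hits are easy to eyeball or sort.
# Only lines carrying a SRC= field are iptables LOG output; the rest of
# /var/log/messages (sshd, cron, ...) is skipped.
iptables_fields() {
    file=${1:-/var/log/messages}
    awk '/kernel: .*SRC=/ {
        src = ""; dst = ""; proto = ""; dpt = ""
        for (i = 6; i <= NF; i++) {          # fields 1-5 are date, host, "kernel:"
            split($i, kv, "=")
            if (kv[1] == "SRC")   src   = kv[2]
            if (kv[1] == "DST")   dst   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
        }
        print $1, $2, $3, src, dst, proto, dpt
    }' "$file"
}

# Stand-alone demo on the constructed sample.
f=$(sample_file)
echo "== lines mentioning 192.0.2.10 =="
lines_for_ip 192.0.2.10 "$f"
echo "== iptables hits between 17:00 and 17:59 =="
lines_in_hour 'May 14' 17 "$f" | iptables_fields /dev/stdin
echo "== all iptables hits, condensed =="
iptables_fields "$f"
rm -f "$f"
```

On a real box, run the functions without a file argument to read /var/log/messages; a condensed line whose DPT is a port you never opened (3306 here, when the poster says MySQL was never installed) is worth pasting into the thread together with the surrounding raw lines.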

trickykid 05-15-2005 10:28 AM

My question would be.. what is an "anti-hacker" router? :confused:

After reading this whole thread and every reply you make, my-unix-dream, you've provided no helpful information to know what your setup is, how it's configured, or anything remotely usable like snippets from logs or the exact error messages you're seeing or logging, etc.

You've provided no version info on the apps used on this server, like apache or mysql? And don't think that just because you have 4 routers or firewalls in place they are going to protect a system connected to the world. You have two ports opened up to the world, which is two anyone could use to exploit your server. Do you actually use mysql for your webserver? Are all your packages up to date without any known security vulnerabilities?

runlevel0 05-15-2005 11:35 AM

my-unix-dream said:
Quote:

So why did I know it was an attack attempt?? Because my mouse cursor moved crazily out of my control
Well, this reduces the issue to two possibilities:

Either this wacky behavior is a built-in feature of your Anti-Hacker Firewall-router 4++ (perhaps compiled with the -finclude-silly-features flag)...

Or you have been infected with the Infamous MySQL-EarthQuake(TM) worm. When this is the case things will get really screwed up soon. This worm is in fact so evil, that it even owns a patent grant on evilness.
In a few hours from now, not only will your cursor move crazily, but your whole desktop will start churning until your box and monitor crash to the ground. But that's not all!
This über-evil virus will also subscribe you to *every* pr0n site which exists on the Internet and try to seduce your girlfriend.

Be scared, very scared!
