LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
05-13-2005, 11:20 PM   #1
my-unix-dream
Member
Registered: Jun 2004
Distribution: live cd
Posts: 87

MySQL Server ... virus attack found!

My Linux boxes (Fedora 3 and SUSE) are subject to cracker attack, break-in!!

It is MySQL ????#$% server ?#$% intruder virus..

I did not get rooted!!! I have 4 firewalls set up?? Still... I got his IP address.

He must be very pro to break through 4 firewall routers into my Linux box....

Can MySQL be a virus????
05-14-2005, 12:28 AM   #2
btmiller
Senior Member
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,060

Exactly what is your question here? You can very easily be rooted if you don't follow proper security procedures and keep up to date with patches (and there have been some past security problems with MySQL). Also remember that if you are allowing services through your firewalls, the firewalls can do nothing to protect against attacks on those services (not true if you have an application layer firewall, but most people don't).

Anyhow, if you can put together a legible question, I'd advise asking it to the friendly folks in the security forum. Unfortunately, crackers and malware are a fact of life regardless of OS.
05-14-2005, 11:34 AM   #3
my-unix-dream
Member
Registered: Jun 2004
Distribution: live cd
Posts: 87
Original Poster

I have both a hardware firewall and a software firewall and an anti-hacker router!!!

4++ of them!!!

And I never open so many ports to the outside world!!!

Only port 80 for the website

8000 for the SHOUTcast server

And I never installed MySQL either.......

And not networked with other LANs.....

I saw "mysql intruder ..... server .... something" in my CLI!! and his IP address.
My Linux was all patched, updated to the latest and SELINUX ENABLED!!!

This must be a very important issue for any Linux user!
05-14-2005, 12:24 PM   #4
btmiller
Senior Member
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,060

If MySQL wasn't running there's no way anyone could've used it to break in. Then again, an attacker who broke in through some other mechanism could've installed and started MySQL. What exactly did you see that led you to think you were compromised? Given your set-up, the most likely point of entry may be the Web server. What version of Apache were you running?
05-14-2005, 01:01 PM   #5
runlevel0
Member
Registered: Mar 2005
Location: Hilversum/Holland
Distribution: Debian GNU/Linux 5.0 (“Lenny”)
Posts: 290

Quote:
Originally posted by my-unix-dream
I have both a hardware firewall and a software firewall and an anti-hacker router!!!
I saw "mysql intruder ..... server .... something" in my CLI!! and his IP address.
My Linux was all patched, updated to the latest and SELINUX ENABLED!!!
What kind of software is this which gives you this kind of warning?
I would have expected something like this:
Code:
May 14 17:58:14 soviet kernel: IN=ippp0 OUT= MAC= SRC=81.203.240.204 DST=80.102.16.153 LEN=48 TOS=0x00 REC=0x00 TTL=118 ID=20727 DF PROTO=TCP SPT=2502 DPT=5554 WINDOW=65535 RES=0x00 SYN URGP=0
Which is what *the* Linux firewall, iptables, 'says'.

Perhaps if you are running some IDS or the like, it caught a hit from a 3V331 source and thought it was an intrusion attempt.

The only worm known to use these ports (80) would have been a variant of the Santy family, but as long as you do not use phpBB I wouldn't be concerned either.

Quote:
This must be a very important issue for any Linux user!
Sure, it's called a false positive, and it's frightening the shit out of us right now.
05-15-2005, 09:12 AM   #6
my-unix-dream
Member
Registered: Jun 2004
Distribution: live cd
Posts: 87
Original Poster

mysql intruder script attack ??

SORRY guys,

but I did not catch what the CLI exactly said!! It was happening so quickly, I had nothing to do but just close the INTERNET gateway!!!! My anti-hacker, anti-DDoS attack ROUTER has detected this attack attempt too.

So why did I know it is an attack attempt?? Because my mouse cursor moved crazily out of my control and the CLI keeps printing technical messages ......#%$??? CPU uses 100% resources..... mem full ....@#$ it just ain't natural.!! P.S.: and remember I've installed the clamscan utility as well!!

And his IP address 66.211. ?????

Please provide assistance?
05-15-2005, 10:07 AM   #8
runlevel0
Member
Registered: Mar 2005
Location: Hilversum/Holland
Distribution: Debian GNU/Linux 5.0 (“Lenny”)
Posts: 290

Re: mysql intruder script attack ??

Quote:
Originally posted by my-unix-dream
SORRY guys,
So why did I know it is an attack attempt?? Because my mouse cursor moved crazily out of my control and the CLI keeps printing technical messages ......#%$??? CPU uses 100% resources..... mem full ....@#$ it just ain't natural.!! P.S.: and remember I've installed the clamscan utility as well!!
There is a place where you can look for accurate info: /var/log/messages should keep the logs, and anything suspicious would be there.

What you have to do is search for the hour of the attack and look for weird messages. As you say you have the suspect's IP, use this:
Code:
# run as root; replace IP_OF_THE_HAX0R with the address you saw
# (-F matches the dotted address literally instead of as a regex)
grep -F 'IP_OF_THE_HAX0R' /var/log/messages
Once you have found it, use your favorite text editor and cut and paste the lines related to the attack so we can help you further.

You have been talking about a router; I suspect it's one of those DSL routers.
They are sometimes prone to attacks, but I can't state how this could appear on a 'CLI' and why you have an xterm open, and furthermore how your router logs its STDERR to a console on your main box.

Please describe:
* What do you understand by CLI: Is it a plain-text terminal or xterm on your computer, a display on your router or a pop-up window in KDE / Gnome?

* How does it come that you are watching the router through a terminal?

For a first approach I would suggest using chkrootkit in order to check if there is any known r00t-kit installed. From a 'CLI' type, as root:

Code:
chkrootkit
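The log check runlevel0 describes above (grep /var/log/messages for the suspect's address) and the iptables LOG-target line format shown in post #5 can be handled a little more carefully than a bare grep. The following is an added example, not code from the thread or from any of its posters. It parses netfilter LOG lines, counts hits per source address, protocol and destination port, separates the two intentionally exposed services (TCP 80 and 8000, per post #3) from everything else, and also lists lines that mention the suspect address but are not firewall entries at all, since those are the ones that mean the address got past the packet filter and reached a service. The log lines, hostname and addresses are constructed for the example (the thread's real suspect IP is truncated as 66.211., so a documentation address stands in for it).

```python
"""Triage netfilter (iptables LOG target) entries from /var/log/messages.

Added example, not code from the LinuxQuestions thread. The line format
parsed here is the one shown in post #5: "... kernel: IN= OUT= MAC= SRC=
DST= ... PROTO=TCP SPT= DPT= ...". All sample data below is constructed.
"""
import re
from collections import Counter

# The only services the original poster says are exposed: 80 (web) and
# 8000 (SHOUTcast). Logged packets to these are expected background noise.
ALLOWED_TCP_PORTS = {80, 8000}

# Constructed sample log lines (RFC 5737 documentation addresses, made-up
# timestamps). 192.0.2.44 stands in for the thread's truncated "66.211." IP.
SAMPLE_LOG = """\
May 14 17:58:14 soviet kernel: IN=ippp0 OUT= MAC= SRC=192.0.2.44 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=20727 DF PROTO=TCP SPT=2502 DPT=5554 WINDOW=65535 RES=0x00 SYN URGP=0
May 14 17:58:15 soviet kernel: IN=ippp0 OUT= MAC= SRC=192.0.2.44 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=20728 DF PROTO=TCP SPT=2503 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
May 14 17:58:20 soviet kernel: IN=ippp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 14 17:58:21 soviet kernel: IN=ippp0 OUT= MAC= SRC=192.0.2.44 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=20729 DF PROTO=UDP SPT=1434 DPT=1434 LEN=28
May 14 17:59:00 soviet sshd[1234]: Accepted password for root from 192.0.2.44 port 40022 ssh2
"""

# KEY=VALUE tokens; bare flags such as DF or SYN carry no "=" and are skipped.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# syslog prefix of a kernel message: "Mon DD HH:MM:SS host kernel: "
TIMESTAMP_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) kernel: ")


def parse_iptables_line(line):
    """Return the KEY=VALUE fields of one LOG-target line as a dict, or None
    if the line is not a netfilter entry (e.g. an sshd or httpd message)."""
    m = TIMESTAMP_RE.match(line)
    if not m or "SRC=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))
    for key in ("SPT", "DPT", "TTL", "ID", "LEN"):
        if key in fields and fields[key].isdigit():
            fields[key] = int(fields[key])
    fields["timestamp"] = m.group(1)
    fields["host"] = m.group(2)
    return fields


def summarize(log_text, suspect=None):
    """Count logged packets per (SRC, PROTO, DPT). With `suspect` set, only
    that source's entries are counted (the thread's grep-for-the-IP step)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_iptables_line(line)
        if rec is None:
            continue
        if suspect and rec.get("SRC") != suspect:
            continue
        # ICMP entries have no DPT; use 0 so the keys stay sortable.
        hits[(rec.get("SRC"), rec.get("PROTO"), rec.get("DPT", 0))] += 1
    return hits


def unexpected_ports(hits):
    """Keys that target anything other than the intentionally exposed TCP
    services: dropped probes if the rule set logs drops, or evidence of an
    unintended open port if it logs accepts."""
    return {k for k in hits if not (k[1] == "TCP" and k[2] in ALLOWED_TCP_PORTS)}


def non_firewall_mentions(log_text, suspect):
    """Lines mentioning the suspect that are NOT firewall entries. These are
    the ones to worry about: the address reached a daemon, not just the filter."""
    return [ln for ln in log_text.splitlines()
            if suspect in ln and parse_iptables_line(ln) is None]


if __name__ == "__main__":
    hits = summarize(SAMPLE_LOG)
    for (src, proto, dpt), n in sorted(hits.items()):
        print(f"{src:15} {proto:4} dpt={dpt:<5} hits={n}")
    print("unexpected:", sorted(unexpected_ports(hits)))
    print("reached a service:", non_firewall_mentions(SAMPLE_LOG, "192.0.2.44"))
```

To use it on a real box, replace SAMPLE_LOG with the contents of /var/log/messages (or the output of the grep above) and the suspect with the address you saw. The point of the last function is the one btmiller makes in post #2: a firewall hit on a closed port is noise, but a line from sshd or httpd naming the same address means the packet filter was not in the way.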
 
05-15-2005, 10:28 AM   #9
trickykid
Guru
Registered: Jan 2001
Posts: 24,133

My question would be.. what is an "anti-hacker" router?

After reading this whole thread and every reply you make, my-unix-dream, you've provided no helpful information to know what your setup is, how it's configured, or anything remotely usable like snippets from logs or the exact error messages you're seeing or logging, etc.

You've provided no version info on the apps used on this server, like Apache or MySQL. And don't think that just because you have 4 routers or firewalls in place it is going to protect a system connected to the world. You have two ports opened up to the world, which is two that anyone could use to exploit your server. Do you actually use MySQL for your webserver? Are all your packages up to date without any known security vulnerabilities?
05-15-2005, 11:35 AM   #10
runlevel0
Member
Registered: Mar 2005
Location: Hilversum/Holland
Distribution: Debian GNU/Linux 5.0 (“Lenny”)
Posts: 290

my-unix-dream dixit:
Quote:
So why did I know it is an attack attempt?? Because my mouse cursor moved crazily out of my control
Well, this reduces the issue to two possibilities:

Either this wacky behavior is a built-in feature of your Anti-Hacker Firewall-Router 4++ (perhaps compiled with the -finclude-silly-features flag)...

Or you have been infected with the Infamous MySQL-EarthQuake(TM) worm. When this is the case, things will get really screwed up soon. This worm is in fact so evil that it even owns a patent grant on evilness.
In a few hours from now, not only will your cursor move crazily, but your whole desktop will start churning until your box and monitor crash to the ground. But that's not all!
This über-evil virus will also subscribe you to *every* pr0n site which exists on the Internet and try to seduce your girlfriend.

Be scared, very scared!

Last edited by runlevel0; 05-15-2005 at 11:38 AM.
  

