Possible attacks?

noob__ · 01-11-2016, 01:40 AM

I have these lines every day on my dmz logs(with different SRC ips and different rates 20-30 per day)

Code:

Jan 11 06:50:28 hostname kernel: [1890275.573817] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=115.231.232.196 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=111 ID=256 PROTO=TCP SPT=61817 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0 
Jan 11 07:11:28 hostname kernel: [1891536.190667] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=115.231.232.196 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=111 ID=256 PROTO=TCP SPT=48647 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0 
Jan 11 08:20:35 hostname kernel: [1895687.074526] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=23.251.47.12 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=118 ID=256 PROTO=TCP SPT=21001 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0 
Jan 11 08:41:49 hostname kernel: [1896961.769624] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=180.97.215.57 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=102 ID=256 PROTO=TCP SPT=6000 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0 
Jan 11 08:58:16 hostname kernel: [1897949.369162] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=61.160.215.16 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=103 ID=256 PROTO=TCP SPT=6000 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0 
Jan 11 09:20:01 hostname kernel: [1899255.303235] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=61.160.23.222 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=103 ID=256 PROTO=TCP SPT=6000 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0 
Jan 11 09:21:06 hostname kernel: [1899321.112924] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC=61.160.215.16 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=103 ID=256 PROTO=TCP SPT=6000 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0

Are these attacks?

dh2k · 01-11-2016, 03:07 AM

Welcome to internetz !!!
and our Chinese friends [sic].

use whois
fail2ban
iptables
and some background reading in creating some white and blacklists.

Habitual · 01-11-2016, 06:30 AM

Every single entry that is shown is a China IP (SRC=) trying to gain access to MySQL (DPT=3306)

Sure hope you don't have a wildcard placeholder for host for any user with privileges
eg:

Code:

grant ALL to dev_wants_root@'%' identified by 'weak_ass_password'

And this wildcard host should NEVER be allowed for mysql_root.
Modern installations of mysql force run the security/hardening script.
It removes % for mysql_root, I believe and sets passwords for accounts that don't have one.

Other accounts you'll have to manually inspect with

Code:

mysql -uroot -p -e "use mysql; select user,host from user where host = '%';"

Good Luck.

dh2k · 01-11-2016, 09:42 AM

may also be worth checking, in /var/log/ , your:
auth.log
syslog.log
message.log

dh2k · 01-11-2016, 09:51 AM

Unit 61398? maybe, maybe not. Either way do u have reasons for that block of IPv4 address to be reaching your server? If not then blacklist them (country) and other 'black' IP neighbour hoods.

noob__ · 01-11-2016, 10:09 AM

Thx guys, i don't have any wildcard placeholder.

Quote:

Originally Posted by dh2k

Unit 61398? maybe, maybe not. Either way do u have reasons for that block of IPv4 address to be reaching your server? If not then blacklist them (country) and other 'black' IP neighbour hoods.

No, I will ban some blocks of ip.

Habitual · 01-11-2016, 11:38 AM

Glad to be of help.