<div dir="ltr">Hello,<div>Quick fix would be blocking these IP addresses with iptables.</div><div>Then start post mortem:</div><div>-Is your database server available publicly? Perhaps you should consider closing it and only accepting connections from trusted IPs. If your mysql is accessible then these may not be targeted attacks and just drive-bys, and they are going to keep happening.</div><div>-Is your FC box up to date with patch fixes available, "yum upgrade"?</div><div><br></div><div>Reaching out to abuse contacts is good practice, but often enough it's some box that has also been hacked and is being used as a relay. The best they can do is alert the upstream victim.</div><div><br></div><div>Alex</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 12, 2016 at 11:53 AM, Dr Paulos Nyirenda <span dir="ltr"><<a href="mailto:paulos@sdnp.org.mw" target="_blank">paulos@sdnp.org.mw</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
We are seeing an online attack on our server 196.45.188.25 in progress right now; they<br>
are targeting mysql services that we are running in relation to our .mw registry servers.<br>
<br>
The attack is being run from the following IP addresses, which show as Turkey and Romania<br>
origins as shown in the whois.<br>
<br>
5.254.65.9<br>
212.253.62.5<br>
94.122.154.187<br>
<br>
Any ideas on how to prevent attacks on mysql 5.6 on Fedora 20 installations ?<br>
<br>
I can see what they want to modify but I have problems seeing how they got in or as what.<br>
<br>
I am copying this to the abuse contacts on these networks ... does this really work?<br>
<br>
Regards,<br>
<br>
Paulos<br>
======================<br>
Dr Paulos B Nyirenda<br>
<a href="http://NIC.MW" rel="noreferrer" target="_blank">NIC.MW</a> & .mw ccTLD<br>
<a href="http://www.registrar.mw" rel="noreferrer" target="_blank">http://www.registrar.mw</a><br>
<br>
<br>
<br>
[paulos@domwe ~]$ whois 94.122.154.187<br>
[Querying <a href="http://whois.arin.net" rel="noreferrer" target="_blank">whois.arin.net</a>]<br>
[Redirected to <a href="http://whois.ripe.net" rel="noreferrer" target="_blank">whois.ripe.net</a>]<br>
[Querying <a href="http://whois.ripe.net" rel="noreferrer" target="_blank">whois.ripe.net</a>]<br>
[<a href="http://whois.ripe.net" rel="noreferrer" target="_blank">whois.ripe.net</a>]<br>
% This is the RIPE Database query service.<br>
% The objects are in RPSL format.<br>
%<br>
% The RIPE Database is subject to Terms and Conditions.<br>
% See <a href="http://www.ripe.net/db/support/db-terms-conditions.pdf" rel="noreferrer" target="_blank">http://www.ripe.net/db/support/db-terms-conditions.pdf</a><br>
<br>
% Note: this output has been filtered.<br>
%       To receive output for a database update, use the "-B" flag.<br>
<br>
% Information related to '94.122.144.0 - 94.122.159.255'<br>
<br>
% Abuse contact for '94.122.144.0 - 94.122.159.255' is '<a href="mailto:netadmins@dsmart.com.tr">netadmins@dsmart.com.tr</a>'<br>
<br>
inetnum:        94.122.144.0 - 94.122.159.255<br>
netname:        DOL<br>
remarks:        rev-srv: <a href="http://doldns01.dol.com.tr" rel="noreferrer" target="_blank">doldns01.dol.com.tr</a><br>
remarks:        rev-srv: <a href="http://doldns02.dol.com.tr" rel="noreferrer" target="_blank">doldns02.dol.com.tr</a><br>
descr:          DOL DATACENTER - VAE ADSL DYNAMIC<br>
country:        TR<br>
admin-c:        DOL22-RIPE<br>
tech-c:         DOL22-RIPE<br>
status:         ASSIGNED PA<br>
mnt-by:         AS12978-MNT<br>
created:        2008-10-14T20:26:59Z<br>
last-modified:  2014-09-15T07:37:47Z<br>
source:         RIPE<br>
remarks:        rev-srv attribute deprecated by RIPE NCC on 02/09/2009<br>
<br>
role:           DOL Network Services<br>
address:        100. Yil Mahallesi Melda Sk.<br>
address:        Dogan TV Center, No:1 34204, Bagcilar - Istanbul<br>
phone:          +90 212 3737800<br>
fax-no:         +90 212 3802491<br>
admin-c:        SA163-RIPE<br>
tech-c:         EE278-RIPE<br>
nic-hdl:        DOL22-RIPE<br>
mnt-by:         AS12978-MNT<br>
mnt-by:         TDTB-MNT<br>
created:        2003-10-16T09:25:39Z<br>
last-modified:  2016-05-27T16:00:07Z<br>
source:         RIPE # Filtered<br>
<br>
% Information related to '<a href="http://94.122.144.0/20AS12978" rel="noreferrer" target="_blank">94.122.144.0/20AS12978</a>'<br>
<br>
route:          <a href="http://94.122.144.0/20" rel="noreferrer" target="_blank">94.122.144.0/20</a><br>
descr:          DOL<br>
origin:         AS12978<br>
mnt-by:         AS12978-Mnt<br>
created:        2014-01-24T08:55:37Z<br>
last-modified:  2014-01-24T08:55:37Z<br>
source:         RIPE<br>
<br>
% This query was served by the RIPE Database Query Service version 1.87.4 (ANGUS        )<br>
<br>
<br>
[paulos@domwe ~]$<br>
[paulos@domwe ~]$<br>
[paulos@domwe ~]$ whois 212.253.62.5<br>
[Querying <a href="http://whois.ripe.net" rel="noreferrer" target="_blank">whois.ripe.net</a>]<br>
[<a href="http://whois.ripe.net" rel="noreferrer" target="_blank">whois.ripe.net</a>]<br>
% This is the RIPE Database query service.<br>
% The objects are in RPSL format.<br>
%<br>
% The RIPE Database is subject to Terms and Conditions.<br>
% See <a href="http://www.ripe.net/db/support/db-terms-conditions.pdf" rel="noreferrer" target="_blank">http://www.ripe.net/db/support/db-terms-conditions.pdf</a><br>
<br>
% Note: this output has been filtered.<br>
%       To receive output for a database update, use the "-B" flag.<br>
<br>
% Information related to '212.253.56.0 - 212.253.63.255'<br>
<br>
% Abuse contact for '212.253.56.0 - 212.253.63.255' is '<a href="mailto:abuse@superonline.net">abuse@superonline.net</a>'<br>
<br>
inetnum:        212.253.56.0 - 212.253.63.255<br>
netname:        SOLNET-3<br>
descr:          TR-SOLNET-BB-VAE-ANADOLU<br>
country:        TR<br>
admin-c:        TNA13-RIPE<br>
tech-c:         TNA13-RIPE<br>
status:         ASSIGNED PA<br>
remarks:        infra-aw<br>
mnt-by:         MNT-TELLCOM<br>
created:        2011-04-18T13:49:00Z<br>
last-modified:  2013-12-19T21:17:13Z<br>
source:         RIPE # Filtered<br>
<br>
role:           Tellcom Network Admins<br>
address:        Salih Tozan Sk. Karamancilar Is Mrkz. C Blok No:16 34394<br>
address:        Esentepe/Sisli/ISTANBUL TURKEY<br>
phone:          +90 850 222 4662<br>
fax-no:         +90 850 222 4662<br>
admin-c:        TK2426-RIPE<br>
tech-c:         TK2426-RIPE<br>
nic-hdl:        TNA13-RIPE<br>
remarks:        *********************************************<br>
remarks:        Please send spam and abuse notification only<br>
remarks:        to <a href="mailto:abuse@superonline.net">abuse@superonline.net</a><br>
remarks:        *********************************************<br>
abuse-mailbox:  <a href="mailto:abuse@superonline.net">abuse@superonline.net</a><br>
mnt-by:         MNT-TELLCOM<br>
created:        2007-08-06T06:35:11Z<br>
last-modified:  2016-03-15T09:39:06Z<br>
source:         RIPE # Filtered<br>
<br>
% Information related to '<a href="http://212.253.32.0/19AS34984" rel="noreferrer" target="_blank">212.253.32.0/19AS34984</a>'<br>
<br>
route:          <a href="http://212.253.32.0/19" rel="noreferrer" target="_blank">212.253.32.0/19</a><br>
descr:          Tellcom ADSL<br>
origin:         AS34984<br>
mnt-by:         MNT-TELLCOM<br>
created:        2009-05-26T08:51:19Z<br>
last-modified:  2016-03-31T12:01:23Z<br>
source:         RIPE # Filtered<br>
<br>
% This query was served by the RIPE Database Query Service version 1.87.4 (DB-2)<br>
<br>
<br>
[paulos@domwe ~]$<br>
[paulos@domwe ~]$<br>
[paulos@domwe ~]$ whois 5.254.65.9<br>
[Querying <a href="http://whois.arin.net" rel="noreferrer" target="_blank">whois.arin.net</a>]<br>
[Redirected to <a href="http://whois.ripe.net" rel="noreferrer" target="_blank">whois.ripe.net</a>]<br>
[Querying <a href="http://whois.ripe.net" rel="noreferrer" target="_blank">whois.ripe.net</a>]<br>
[<a href="http://whois.ripe.net" rel="noreferrer" target="_blank">whois.ripe.net</a>]<br>
% This is the RIPE Database query service.<br>
% The objects are in RPSL format.<br>
%<br>
% The RIPE Database is subject to Terms and Conditions.<br>
% See <a href="http://www.ripe.net/db/support/db-terms-conditions.pdf" rel="noreferrer" target="_blank">http://www.ripe.net/db/support/db-terms-conditions.pdf</a><br>
<br>
% Note: this output has been filtered.<br>
%       To receive output for a database update, use the "-B" flag.<br>
<br>
% Information related to '5.254.64.0 - 5.254.127.255'<br>
<br>
% Abuse contact for '5.254.64.0 - 5.254.127.255' is '<a href="mailto:abuse@globalcitytel.com">abuse@globalcitytel.com</a>'<br>
<br>
inetnum:        5.254.64.0 - 5.254.127.255<br>
netname:        Voxility<br>
descr:          IPs used by the customers of <a href="http://voxility.com" rel="noreferrer" target="_blank">voxility.com</a><br>
descr:          Dimitrie Pompeiu 9-9A, Building 24<br>
descr:          Bucharest 020335, Romania<br>
country:        RO<br>
admin-c:        VOX100-RIPE<br>
tech-c:         VOX100-RIPE<br>
status:         LIR-PARTITIONED PA<br>
mnt-by:         GLOBALCITY-MNT<br>
mnt-lower:      GLOBALCITY-MNT<br>
mnt-lower:      VOXILITY-MNT<br>
mnt-routes:     VOXILITY-MNT<br>
created:        2015-04-29T11:35:35Z<br>
last-modified:  2016-09-06T09:32:58Z<br>
source:         RIPE<br>
<br>
person:         Voxility NOC<br>
remarks:        Team in Charge of Voxility Global IP<br>
remarks:        Backbone Management<br>
remarks:        Available 24/7 for routing issues and security incidents<br>
org:            ORG-SVS8-RIPE<br>
address:        Dimitrie Pompeiu 9-9A, Building 24<br>
address:        Bucharest 020335, Romania<br>
remarks:        <a href="mailto:noc@voxility.com">noc@voxility.com</a><br>
abuse-mailbox:  <a href="mailto:abuse@voxility.com">abuse@voxility.com</a><br>
remarks:        <a href="tel:%2B1.703-888-5811" value="+17038885811">+1.703-888-5811</a> (US)<br>
remarks:        <a href="tel:%2B49.69-957-98952" value="+496995798952">+49.69-957-98952</a> (Germany)<br>
remarks:        <a href="tel:%2B44%2020-3355-1458" value="+442033551458">+44 20-3355-1458</a> (UK)<br>
phone:          <a href="tel:%2B40212074774" value="+40212074774">+40212074774</a><br>
nic-hdl:        VOX100-RIPE<br>
mnt-by:         VOXILITY-MNT<br>
created:        2012-08-04T15:50:52Z<br>
last-modified:  2013-10-07T19:48:57Z<br>
source:         RIPE # Filtered<br>
<br>
% Information related to '<a href="http://5.254.64.0/20AS3223" rel="noreferrer" target="_blank">5.254.64.0/20AS3223</a>'<br>
<br>
route:          <a href="http://5.254.64.0/20" rel="noreferrer" target="_blank">5.254.64.0/20</a><br>
descr:          <a href="http://voxility.net" rel="noreferrer" target="_blank">voxility.net</a><br>
origin:         AS3223<br>
mnt-by:         VOXILITY-MNT<br>
created:        2016-01-20T16:03:15Z<br>
last-modified:  2016-01-20T16:03:15Z<br>
source:         RIPE<br>
<br>
% This query was served by the RIPE Database Query Service version 1.87.4 (ANGUS)<br>
<br>
<br>
[paulos@domwe ~]$<br>
----------------------------------------------------------<br>
Malawi SDNP Webmail: <a href="http://www.sdnp.org.mw" rel="noreferrer" target="_blank">http://www.sdnp.org.mw</a><br>
Access your Malawi SDNP e-mail from anywhere in the world.<br>
----------------------------------------------------------<br>
<br>
<br>
_______________________________________________<br>
afnog mailing list<br>
<a href="https://www.afnog.org/mailman/listinfo/afnog" rel="noreferrer" target="_blank">https://www.afnog.org/mailman/listinfo/afnog</a><br>
</blockquote></div><br></div>
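<p>The two firewall steps from the reply above (drop the three reported source addresses, then stop exposing MySQL to the whole Internet) as a script. This is an added example, not code from either poster: the attacker addresses are the three listed in the thread, but 196.45.188.0/24 as the "trusted" network and the <code>ss -ltn</code> sample used by the bind check are assumptions made for illustration. Rules are printed for review by default and only executed when run as root with <code>APPLY=1</code>.</p>

```shell
#!/bin/sh
# Added example, not code from the thread. Turns the reply's advice into a
# repeatable script: drop the three reported source IPs, then allow TCP/3306
# only from trusted networks and drop all other connections to it.
# Commands are printed by default; run as root with APPLY=1 to execute them.
# 196.45.188.0/24 as the "trusted" network is an assumption for illustration.

ATTACKERS="5.254.65.9 212.253.62.5 94.122.154.187"
TRUSTED="196.45.188.0/24 127.0.0.1/32"
MYSQL_PORT=3306

# run_or_print CMD ARGS... : execute when APPLY=1, otherwise print the command
# so the rules can be reviewed before they touch a production firewall.
run_or_print() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# block_attackers IP... : one DROP per source, inserted at the top of INPUT
# (-I) so it takes precedence over any later ACCEPT rule.
block_attackers() {
    for ip in "$@"; do
        run_or_print iptables -I INPUT -s "$ip" -j DROP
    done
}

# restrict_mysql PORT CIDR... : accept the MySQL port only from the listed
# networks, then drop everything else aimed at it. Order matters: the ACCEPT
# rules are appended before the catch-all DROP.
restrict_mysql() {
    port=$1
    shift
    for net in "$@"; do
        run_or_print iptables -A INPUT -p tcp --dport "$port" -s "$net" -j ACCEPT
    done
    run_or_print iptables -A INPUT -p tcp --dport "$port" -j DROP
}

# mysql_exposed SS_TEXT : return 0 when mysqld listens on a non-loopback
# address in the given "ss -ltn" output (i.e. it is reachable from outside),
# 1 otherwise. Handles "*:3306", "0.0.0.0:3306", "[::]:3306", "127.0.0.1:3306".
mysql_exposed() {
    printf '%s\n' "$1" | awk -v port="$MYSQL_PORT" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            p = a[n]
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && addr != "127.0.0.1" && addr != "[::1]") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed "ss -ltn" output for the demonstration, not captured from the
# server in the thread.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    *:22                 *:*
LISTEN 0      80     *:3306               *:*'

block_attackers $ATTACKERS
restrict_mysql "$MYSQL_PORT" $TRUSTED
if mysql_exposed "$SAMPLE_SS"; then
    echo "# mysqld is bound to a public address: set bind-address in /etc/my.cnf or keep the rules above"
fi
```

<p>Two caveats for the Fedora 20 box in the thread. Fedora 20 ships firewalld as the default firewall front end, so rules added with plain <code>iptables</code> are lost on the next reload or reboot unless firewalld is disabled or the equivalent is added with <code>firewall-cmd --permanent</code>; and the release reached end of life in June 2015, so <code>yum upgrade</code> no longer delivers security fixes for it. Closing the listener itself (<code>bind-address</code> under <code>[mysqld]</code> in <code>/etc/my.cnf</code>) is the more durable fix where the registry application runs on the same host.</p>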