I've considered that. But there are no indications that is the case; I sniff traffic to that box from my firewall (that could be compromised too of course) and I see nothing suspicious. The only traffic on that box is on the mysql port.

Since I see this traffic on the mysql port when the server is running I must assume that it is mysqld who owns the port. I am currently investigating the other comments that I have received.

Regards,
Gary "SuperID" Huntress
=======================================================
FreeSQL.org offering free database hosting to developers
Visit http://www.freesql.org

----- Original Message -----
From: "GERST, MICHAEL (SBCSI)" <[EMAIL PROTECTED]>
To: "'Gary Huntress'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, March 27, 2003 4:44 PM
Subject: RE: Confused about network traffic on mysql port

> Somebody got control of mysql, or you're rooted?
>
> -----Original Message-----
> From: Gary Huntress [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 27, 2003 1:29 PM
> To: [EMAIL PROTECTED]
> Subject: Confused about network traffic on mysql port
>
> I have noticed on many occasions some extensive traffic on my internal
> network that I cannot explain. Below you will see two sets of tcpdump
> traces. I have a mysql server running on my internal host named
> "herzegbol" and a windows 98 host named shelbyville.
>
> This trace is when the MySQL server is running:
>
> 14:33:45.886159 eth1 > herzegbol.mysql > shelbyville.2333: S 700834979:700834979(0) ack 2360059956 win 5792 <mss 1460,sackOK,timestamp 420171046 7876889,nop,wscale 0> (DF)
> 14:33:46.156126 eth1 > herzegbol.mysql > shelbyville.2311: S 703613196:703613196(0) ack 1969309172 win 5792 <mss 1460,sackOK,timestamp 420171073 7876916,nop,wscale 0> (DF)
> 14:33:47.010646 eth1 > herzegbol.mysql > shelbyville.2345: S 697677373:697677373(0) ack 2546308254 win 5792 <mss 1460,sackOK,timestamp 420171158 7877001,nop,wscale 0> (DF)
> 14:33:47.246107 eth1 > herzegbol.mysql > shelbyville.2304: S 705352284:705352284(0) ack 1841862906 win 5792 <mss 1460,sackOK,timestamp 420171182 7877025,nop,wscale 0> (DF)
>
> This trace is after I issue mysqladmin shutdown:
>
> 14:32:09.886091 eth1 > herzegbol.mysql > shelbyville.2333: R 0:0(0) ack 2360059956 win 0 (DF)
> 14:32:15.626067 eth1 > herzegbol.mysql > shelbyville.2334: R 0:0(0) ack 2356113189 win 0 (DF)
> 14:32:17.586063 eth1 > herzegbol.mysql > shelbyville.2308: R 0:0(0) ack 1867829359 win 0 (DF)
> 14:32:20.696068 eth1 > herzegbol.mysql > shelbyville.2321: R 0:0(0) ack 2130321013 win 0 (DF)
> 14:32:25.566094 eth1 > herzegbol.mysql > shelbyville.2324: R 0:0(0) ack 2251852705 win 0 (DF)
> 14:32:30.066104 eth1 > herzegbol.mysql > shelbyville.2325: R 0:0(0) ack 2264947201 win 0 (DF)
>
> The reason this is confusing to me is that the traffic originates on the
> mysql server "herzegbol" via the mysql port and the destination is the
> windows box on dozens of ports, and there is no program or process on the
> windows machine that is connected to the database server. As far as I can
> tell there is absolutely no reason for herzegbol to talk to shelbyville, yet
> this traffic will pop up almost every day for a period of time and swamp my
> network. I would like to identify the source and understand the cause.
>
> Regards,
> Gary "SuperID" Huntress
> =======================================================
> FreeSQL.org offering free database hosting to developers
> Visit http://www.freesql.org
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
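An added example, not part of the thread, that reads the two tcpdump traces quoted above and classifies each segment by the rules tcpdump's notation implies: an `S` segment that also carries an `ack` number is a SYN-ACK, the second step of a handshake, so the host printed as the source is answering a SYN the other host sent to that port; an `R 0:0(0) ack` segment is the reply to a SYN arriving at a port with nothing listening. Applying that rule to the quoted lines tells you which host is actually opening the connections and which ephemeral ports it is using, which is the first thing to pin down before deciding which machine to look at. The trace lines are transcribed from the post; the regular expression, function names and the summary layout are my own and are not from the list or from MySQL.

```python
import re
from collections import Counter, defaultdict

# Layout of the old Linux tcpdump output used in the thread:
#   <time> <iface> <|> <src>.<sport> > <dst>.<dport>: <flags> <rest>
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+[<>]\s+"
    r"(?P<src>\S+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\w+):\s+"
    r"(?P<flags>[SRPFU.]+)\s+(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one tcpdump line into a dict with a 'kind' field, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    has_ack = re.search(r"\back \d+", rec["rest"]) is not None
    if "S" in rec["flags"]:
        # SYN plus an ack number = SYN-ACK: src is replying to a SYN that
        # dst sent to src.sport. A bare SYN means src is the initiator.
        rec["kind"] = "SYN-ACK" if has_ack else "SYN"
    elif "R" in rec["flags"]:
        # RST with an ack number and no data = "nothing listening here",
        # sent by src in answer to an incoming SYN from dst.
        rec["kind"] = "RST"
    else:
        rec["kind"] = "OTHER"
    return rec


def summarize(lines):
    """Count segment kinds and work out which host is opening the connections."""
    kinds = Counter()
    initiators = Counter()           # host that sent the original SYN
    listeners = Counter()            # (host, port) the SYN was aimed at
    client_ports = defaultdict(set)  # ephemeral ports used by each initiator
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kinds[rec["kind"]] += 1
        if rec["kind"] in ("SYN-ACK", "RST"):
            # src is responding, so the far end (dst) started the connection
            initiators[rec["dst"]] += 1
            listeners[(rec["src"], rec["sport"])] += 1
            client_ports[rec["dst"]].add(rec["dport"])
        elif rec["kind"] == "SYN":
            initiators[rec["src"]] += 1
            listeners[(rec["dst"], rec["dport"])] += 1
            client_ports[rec["src"]].add(rec["sport"])
    initiator = initiators.most_common(1)[0][0] if initiators else None
    listener = listeners.most_common(1)[0][0] if listeners else None
    return {
        "kinds": dict(kinds),
        "initiator": initiator,
        "listener": listener,
        "client_ports": sorted(client_ports[initiator]) if initiator else [],
    }


# Trace lines transcribed from the post: mysqld running, then after shutdown.
RUNNING_TRACE = [
    "14:33:45.886159 eth1 > herzegbol.mysql > shelbyville.2333: S 700834979:700834979(0) ack 2360059956 win 5792 <mss 1460,sackOK,timestamp 420171046 7876889,nop,wscale 0> (DF)",
    "14:33:46.156126 eth1 > herzegbol.mysql > shelbyville.2311: S 703613196:703613196(0) ack 1969309172 win 5792 <mss 1460,sackOK,timestamp 420171073 7876916,nop,wscale 0> (DF)",
    "14:33:47.010646 eth1 > herzegbol.mysql > shelbyville.2345: S 697677373:697677373(0) ack 2546308254 win 5792 <mss 1460,sackOK,timestamp 420171158 7877001,nop,wscale 0> (DF)",
    "14:33:47.246107 eth1 > herzegbol.mysql > shelbyville.2304: S 705352284:705352284(0) ack 1841862906 win 5792 <mss 1460,sackOK,timestamp 420171182 7877025,nop,wscale 0> (DF)",
]
STOPPED_TRACE = [
    "14:32:09.886091 eth1 > herzegbol.mysql > shelbyville.2333: R 0:0(0) ack 2360059956 win 0 (DF)",
    "14:32:15.626067 eth1 > herzegbol.mysql > shelbyville.2334: R 0:0(0) ack 2356113189 win 0 (DF)",
    "14:32:17.586063 eth1 > herzegbol.mysql > shelbyville.2308: R 0:0(0) ack 1867829359 win 0 (DF)",
    "14:32:20.696068 eth1 > herzegbol.mysql > shelbyville.2321: R 0:0(0) ack 2130321013 win 0 (DF)",
    "14:32:25.566094 eth1 > herzegbol.mysql > shelbyville.2324: R 0:0(0) ack 2251852705 win 0 (DF)",
    "14:32:30.066104 eth1 > herzegbol.mysql > shelbyville.2325: R 0:0(0) ack 2264947201 win 0 (DF)",
]

if __name__ == "__main__":
    for label, trace in (("mysqld running", RUNNING_TRACE), ("after shutdown", STOPPED_TRACE)):
        s = summarize(trace)
        print(f"{label}: {s['kinds']} initiator={s['initiator']} "
              f"listener={s['listener']} client ports={s['client_ports']}")
```

Both traces resolve to the same picture: the segments leaving herzegbol's mysql port are replies, so the connections are being opened from the other host toward port 3306, and the "dozens of ports" are that host's ephemeral source ports. Capturing both directions (without a `src host` or port filter) would show the SYNs themselves; the host named as initiator is where the process owning those ports should be looked for.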