Re: mysterious MySQL-connect

2004-09-27 Thread Andreas Vent-Schmidt
Hi,

thanks a lot, folks, for all the hints.

Now I found that the connects came indeed from the other.host.name 
(192.168.0.2), but I didn't find out which user it was.

However, I'm no longer sure whether it was some kind of code 
injection, all the more so as I do not know how the guys did it exactly.

And yes: Christian may be right in guessing that it isn't a new 
problem, but I never noticed it before (because I was 
ignoring /var/log/mysql/mysql.err).

After all, I'm very interested in answering the following questions:
- Is there anybody else out there with the same kind of log messages?
- How about a normal connection loss because of capacity reasons, 
malfunction of the network interface or something like that?

Thanks again and have a good week,
Andreas

On Friday, 24 September 2004 13:13, Christian Hammers wrote:

> BTW: You're using backports you said? Please note that I changed the
> scripts only recently (4.0.20-x) to log to syslog. Before that
> all messages went to the mostly ignored /var/log/mysql/mysql.err
> so you probably don't suffer from a new problem but just never
> noticed it before.


-- 
procommerz - Internet for Businesses
www.procommerz.de | 033925-90710




Re: mysterious MySQL-connect

2004-09-24 Thread Marek Podmaka
Hello Andreas,

  These connections could be from PHP. Maybe one of your customers is
  trying something...

Friday, September 24, 2004, 11:59:38, you wrote:

> - As the logfile says, the connection attempt came from
> other.host.name (which is in the 192.168.0.0 network), not from
> outside. Is this possible without having cracked the
> other.host.name?


-- 
Best regards,

   .---..---
  / \  __  /--Marek 'Marki' Podmaka
 / / \(  )/-
//   ' \/ `   --- e-mail: [EMAIL PROTECTED] (preferred)
    / // :: ---   [EMAIL PROTECTED]
  // /   /  /`'--ICQ UIN: 42698938
 //  //..\\ mobile phone: +421 903 259949
UUUU---
'//||\\` Love makes the world go round. (Proverb)
  ''``
... Oppenheimer's law: The charm of a single moment cannot be gained in a moment.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: mysterious MySQL-connect

2004-09-24 Thread Andreas Vent-Schmidt
Hi Marek,

thanks for your quick reply.

There are no customers on the server in question - it's a dedicated system 
for only one customer. All the web programming and so on is done only by 
myself (well, I hope so ;-). But there are some POP accounts and also 
an smtpd (no ftpd).

Can you imagine some kind of code injection in this case? E.g., an 
HTTP POST with some nice PHP code inside? Well, the web server logs 
don't show anything appropriate, but who knows...?

And how to find out?

Best regards,
Andreas

On Friday, 24 September 2004 12:11, Marek Podmaka wrote:
> Hello Andreas,
>
>   These connections could be from PHP. Maybe one of your customers is
>   trying something...



-- 
procommerz - Internet for Businesses
www.procommerz.de | 033925-90710






Re: mysterious MySQL-connect

2004-09-24 Thread Christian Hammers
Hi

On 2004-09-24 Andreas Vent-Schmidt wrote:
> There are no customers on the server in question - it's a dedicated system 
> for only one customer. All the web programming and so on is done only by 
> myself (well, I hope so ;-). But there are some POP accounts and also 
> an smtpd (no ftpd).

Do a tcpdump -i any -n -l -s1500 port 3306 and if you're lucky you 
see from which port/IP the packets come (if they connect via TCP).
Then on this other side see with fuser -n tcp port which user did
it. If it's a socket connection you might find at least the user ID
with netstat -tanp...

BTW: You're using backports you said? Please note that I changed the
scripts only recently (4.0.20-x) to log to syslog. Before that
all messages went to the mostly ignored /var/log/mysql/mysql.err
so you probably don't suffer from a new problem but just never 
noticed it before.

bye,

-christian-


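Christian's tcpdump / netstat procedure, as an added example that is not part of the thread: a small Python script that takes the (address, port) pairs tcpdump reports on the database host and looks them up in the `netstat -tanp` output from the client host, naming the process that owned the connection. Both tool outputs below are constructed samples (formats differ between tcpdump and netstat versions, so the regexes are kept tolerant), and 192.168.0.1 as the MySQL server's address is an assumption; the thread only names 192.168.0.2 as the client.

```python
"""Correlate MySQL connects seen by tcpdump with the owning process from netstat.

Added example, not code from the thread. Both tool outputs are constructed to
resemble `tcpdump -n port 3306` and `netstat -tanp`; real formats vary between
versions, so the regexes only rely on the address/port/state/PID columns.
"""
import re
from typing import Dict, List, Tuple

# Constructed: what `tcpdump -i any -n -l -s1500 port 3306` might print on the DB host.
TCPDUMP_OUTPUT = """\
11:59:38.102233 IP 192.168.0.2.41234 > 192.168.0.1.3306: S 1234567:1234567(0) win 5840
11:59:38.102551 IP 192.168.0.1.3306 > 192.168.0.2.41234: S 7654321:7654321(0) ack 1234568 win 5792
12:03:11.440010 IP 192.168.0.2.41260 > 192.168.0.1.3306: S 2345678:2345678(0) win 5840
"""

# Constructed: `netstat -tanp` run as root on the client host 192.168.0.2.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      512/sshd
tcp        0      0 192.168.0.2:41234       192.168.0.1:3306        ESTABLISHED 4321/php
tcp        0      0 192.168.0.2:41260       192.168.0.1:3306        TIME_WAIT   -
"""

DB_HOST = "192.168.0.1"   # assumption: the MySQL server's address (not given in the thread)
DB_PORT = 3306

TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:IP\s+)?"
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)
NETSTAT_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\S+)\s+(?P<state>\S+)\s+(?P<pidprog>\S+)"
)


def client_endpoints(tcpdump_text: str, db_host: str = DB_HOST,
                     db_port: int = DB_PORT) -> List[Tuple[str, str, int]]:
    """Return (timestamp, client_ip, client_port) for each packet sent *to* the DB port.

    Only the client->server direction carries the ephemeral source port that
    identifies the connection on the client side."""
    found = []
    for line in tcpdump_text.splitlines():
        m = TCPDUMP_RE.match(line)
        if m and m["dip"] == db_host and int(m["dport"]) == db_port:
            found.append((m["ts"], m["sip"], int(m["sport"])))
    return found


def local_port_owners(netstat_text: str) -> Dict[int, Tuple[str, str]]:
    """Map local TCP port -> (state, 'pid/program') from netstat -tanp output."""
    owners = {}
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            owners[int(m["lport"])] = (m["state"], m["pidprog"])
    return owners


def correlate(tcpdump_text: str, netstat_text: str) -> List[Dict[str, str]]:
    """For each connect seen on the wire, name the client-side process if it still holds the socket."""
    owners = local_port_owners(netstat_text)
    report = []
    for ts, ip, port in client_endpoints(tcpdump_text):
        state, pidprog = owners.get(port, ("gone", "-"))   # port no longer in netstat: process already exited
        report.append({"time": ts, "client": f"{ip}:{port}", "state": state, "process": pidprog})
    return report


if __name__ == "__main__":
    for row in correlate(TCPDUMP_OUTPUT, NETSTAT_OUTPUT):
        print(f"{row['time']} {row['client']:<20} {row['state']:<12} {row['process']}")
```

The TIME_WAIT row with no PID shows the limitation of doing this after the fact: a client that connects, sends nothing and gets timed out by the server has usually closed its socket before anyone runs netstat. For the short-lived connects in this thread, run netstat -tanp (or fuser -n tcp on the observed port) in a tight loop on the client host at the same time as tcpdump runs on the server, and feed that captured output to correlate().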


Re: mysterious MySQL-connect

2004-09-24 Thread Marek Podmaka
Hello Andreas,

Friday, September 24, 2004, 12:53:44, you wrote:

> Can you imagine some kind of code injection in this case? E.g., an
> HTTP POST with some nice PHP code inside? Well, the web server logs
> don't show anything appropriate, but who knows...?

  hmm... are those db connect attempts periodic or just random? If
  periodic, it could be some misconfigured script/program which is
  run from crontab. But from what you have posted it seems more
  random. And look at that error - "Got timeout reading communication
  packets". You say there should be no connection by the root user from
  that machine? If it happens often, maybe you will have luck with tcpdump
  as someone else recommended...

-- 
Best regards,

   .---..---
  / \  __  /--Marek 'Marki' Podmaka
 / / \(  )/-
//   ' \/ `   --- e-mail: [EMAIL PROTECTED] (preferred)
    / // :: ---   [EMAIL PROTECTED]
  // /   /  /`'--ICQ UIN: 42698938
 //  //..\\ mobile phone: +421 903 259949
UUUU---
'//||\\` Love makes the world go round. (Proverb)
  ''``
... Seek the best person among those whom the world condemns. PROVERB
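Marek's question of whether the connect attempts are periodic (a cron job) or random can be answered from the error log itself. The following is an added example, not code from the thread: it parses lines in the style of MySQL 4.0's mysql.err, groups "Aborted connection" messages by user and host, and flags a series as periodic when the gaps between events are nearly constant. The sample log lines, the second host 192.168.0.7 and the user 'web' are constructed; only other.host.name, the root user and the "Got timeout reading communication packets" text come from the thread, and the 0.05 threshold is an arbitrary choice.

```python
"""Group MySQL 'Aborted connection' messages and test whether they arrive on a schedule.

Added example, not code from the thread. The log lines are constructed to
resemble MySQL 4.0's error log (mysql.err, or syslog with the newer scripts);
exact wording differs between versions, so the regex only relies on the
timestamp, user, host and reason fields.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample of /var/log/mysql/mysql.err: one host connecting as root every
# ten minutes and timing out (what a cron job would look like), another host at
# irregular times with a different reason.
MYSQL_ERR = """\
040924 11:50:01  Aborted connection 1031 to db: 'unconnected' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
040924 11:53:27  Aborted connection 1034 to db: 'shop' user: 'web' host: `192.168.0.7' (Got an error reading communication packets)
040924 12:00:01  Aborted connection 1041 to db: 'unconnected' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
040924 12:10:02  Aborted connection 1052 to db: 'unconnected' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
040924 12:14:48  Aborted connection 1055 to db: 'shop' user: 'web' host: `192.168.0.7' (Got an error reading communication packets)
040924 12:20:01  Aborted connection 1060 to db: 'unconnected' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
040924 12:41:10  Aborted connection 1071 to db: 'shop' user: 'web' host: `192.168.0.7' (Got an error reading communication packets)
"""

# The host may be quoted with a backtick or a single quote depending on the version.
LINE_RE = re.compile(
    r"^(?P<date>\d{6}) (?P<time>\d\d:\d\d:\d\d)\s+Aborted connection \d+ to db: '(?P<db>[^']*)' "
    r"user: '(?P<user>[^']*)' host: [`'](?P<host>[^'`]*)' \((?P<reason>[^)]*)\)"
)


def parse_aborts(text: str) -> Dict[Tuple[str, str], List[datetime]]:
    """Return {(user, host): [timestamps...]} for every 'Aborted connection' line."""
    events: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # other error-log messages are ignored
        ts = datetime.strptime(m["date"] + m["time"], "%y%m%d%H:%M:%S")
        events[(m["user"], m["host"])].append(ts)
    return events


def classify(timestamps: List[datetime], max_cv: float = 0.05) -> Tuple[str, float]:
    """Label a series 'periodic' if the gaps between events are nearly constant
    (coefficient of variation below max_cv), otherwise 'irregular'.

    Returns (label, mean gap in seconds). Fewer than three events give no usable gaps."""
    if len(timestamps) < 3:
        return ("too few events", 0.0)
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else 0.0
    return ("periodic" if cv < max_cv else "irregular", mean)


def report(text: str) -> Dict[Tuple[str, str], Tuple[int, str, float]]:
    """Summarise per (user, host): (count, label, mean gap in seconds)."""
    out = {}
    for key, stamps in parse_aborts(text).items():
        label, mean_gap = classify(stamps)
        out[key] = (len(stamps), label, mean_gap)
    return out


if __name__ == "__main__":
    for (user, host), (n, label, gap) in report(MYSQL_ERR).items():
        print(f"{user}@{host}: {n} aborts, {label}, mean gap {gap:.0f}s")
```

A series that comes back "periodic" with a round mean gap (600 s here) points at a scheduled job on the client host, which is something to look for in that host's crontabs rather than in the web server logs. The "Got timeout reading communication packets" reason means the server waited for the client's next packet and gave up, so the client opened the TCP connection but never completed the login; anything from a monitoring check to a hung script produces that, and the per-host grouping above at least tells you how often and how regularly it happens.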

