Re: mysterious MySQL-connect
Hi,

thanks folks a lot for all hints. Now I found that the connects came indeed from the other.host.name (192.168.0.2), but I didn't find out which user it was. However, I'm no longer sure whether it was some kind of code injection, especially as I do not know how the guys did it exactly. And yes: Christian may be right as he guessed it wouldn't be a new problem, but I never noticed it before (because of ignoring /var/log/mysql/mysql.err).

After all, I'm very interested in answering the following questions:

- Is there anybody else out there with the same kind of log messages?
- How about a normal connection loss because of capacity reasons, malfunction of the network interface or something like that?

Thanks again and have a good week,
Andreas

On Friday, 24 September 2004 13:13, Christian Hammers wrote:
> BTW: You're using backports you said? Please note that I changed the scripts only recently (4.0.20-x) to log to syslog. Before that all messages went to the mostly ignored /var/log/mysql/mysql.err so you probably don't suffer from a new problem but just never noticed it before.

-- 
procommerz - Internet for companies
www.procommerz.de | 033925-90710
Re: mysterious MySQL-connect
Hello Andreas,

These connections can be from php. One of your customers is maybe trying something...

Friday, September 24, 2004, 11:59:38, you wrote:
> - As the logfile says, the connection attempt came from other.host.name (which is in the 192.168.0.0 network), not from outside. Is this possible without having cracked the other.host.name?

-- 
Best regards,
Marek 'Marki' Podmaka
e-mail: [EMAIL PROTECTED] (preferred), [EMAIL PROTECTED]
ICQ UIN: 42698938
mobile phone: +421 903 259949
Love makes the world go round. (Proverb)
... Oppenheim's law: The magic of a moment cannot be gained in a moment.

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: mysterious MySQL-connect
Hi Marek,

thanks for your quick reply. On the server in question there are no customers - it's a dedicated system for only one customer. All the web programming and so on is done only by myself (well, I hope so ;-). But there are some POP accounts and also an smtpd (no ftpd).

Can you imagine some kind of code injection in this case? E.g., an HTTP-POST with some nice PHP code inside? Well, the web server logs don't show anything appropriate, but who knows...? And how to find out?

Best regards,
Andreas

On Friday, 24 September 2004 12:11, Marek Podmaka wrote:
> Hello Andreas, These connections can be from php. One of your customers is maybe trying something...

-- 
procommerz - Internet for companies
www.procommerz.de | 033925-90710
Re: mysterious MySQL-connect
Hi

On 2004-09-24 Andreas Vent-Schmidt wrote:
> On the server in question there are no customers - it's a dedicated system for only one customer. All the web programming and so on is done only by myself (well, I hope so ;-). But there are some POP accounts and also an smtpd (no ftpd).

Do a

  tcpdump -i any -n -l -s1500 port 3306

and if you're lucky you see from which port/ip the packets come (if they connect via TCP). Then on this other side see with "fuser -n tcp port" which user did it. If it's a socket connection you might find at least the userid with netstat -tanp...

BTW: You're using backports you said? Please note that I changed the scripts only recently (4.0.20-x) to log to syslog. Before that all messages went to the mostly ignored /var/log/mysql/mysql.err so you probably don't suffer from a new problem but just never noticed it before.

bye,
-christian-
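The procedure Christian describes has two halves: watch port 3306 on the server to learn the client's address and source port, then on that client host map the source port back to a process. The script below is an added example, not code from the thread or from Debian's MySQL packaging; it does the second half on a constructed sample of `netstat -tanp` output (the hostnames 192.168.0.1 for the server, PIDs and program names are all made up), so it can be run offline and then pointed at real netstat output.

```shell
#!/bin/sh
# Added example, not code from the thread: given the output of `netstat -tanp`
# captured as root on the suspected client host (the "other side" in the
# reply above), list which processes hold a TCP connection to the MySQL port.
# The sample output below is constructed; hosts, PIDs and program names are
# made up.

MYSQL_PORT=3306

# Constructed sample of `netstat -tanp` on other.host.name (192.168.0.2); the
# MySQL server is assumed to be 192.168.0.1.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.168.0.2:34211       192.168.0.1:3306        ESTABLISHED 4711/php
tcp        0      0 192.168.0.2:34215       192.168.0.1:3306        ESTABLISHED 4719/perl
tcp        0      0 192.168.0.2:34230       192.168.0.1:3306        TIME_WAIT   -
tcp        0      0 192.168.0.2:41002       10.0.0.5:25             ESTABLISHED 900/smtpd
EOF
)

# Read netstat output on stdin; print "local_port state pid/program" for every
# TCP connection whose foreign side is the MySQL port. A line in TIME_WAIT has
# no owning process any more ("-"), which is why tcpdump on the server is still
# needed for short-lived connections that are gone by the time you look.
mysql_clients() {
    awk -v port="$MYSQL_PORT" '
        $1 == "tcp" {
            n = split($5, f, ":")        # foreign address is host:port
            if (f[n] == port) {
                m = split($4, l, ":")    # local address is host:port
                print l[m], $6, $7
            }
        }'
}

# Number of connections to the MySQL port that still have a live owner process.
live_mysql_clients() {
    mysql_clients | awk '$3 != "-" { n++ } END { print n + 0 }'
}

# Demo run on the constructed sample; on a real host use:
#   netstat -tanp | mysql_clients
printf '%s\n' "$SAMPLE_NETSTAT" | mysql_clients
```

The local port printed in the first column is the one to feed to "fuser -n tcp PORT" to get the owning user; the PID/program column is empty for connections that have already closed, so run this while the connection is live.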
Re: mysterious MySQL-connect
Hello Andreas,

Friday, September 24, 2004, 12:53:44, you wrote:
> Can you imagine some kind of code injection in this case? E.g., an HTTP-POST with some nice PHP code inside? Well, the web server logs don't show anything appropriate, but who knows...?

hmm... are those db connect attempts periodical or just random? If periodical it could be some misconfigured script/program which is run from crontab. But from what you have posted it seems more random. And look at that error - Got timeout reading communication packets. You say there should be no connection to root user from that machine? If it's often maybe you will have luck with tcpdump as someone else recommended...

-- 
Best regards,
Marek 'Marki' Podmaka
e-mail: [EMAIL PROTECTED] (preferred), [EMAIL PROTECTED]
ICQ UIN: 42698938
mobile phone: +421 903 259949
Love makes the world go round. (Proverb)
... Look for the best person among those whom the world condemns. (Proverb)
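Marek's periodic-versus-random question can be answered from the error log itself before reaching for tcpdump. The script below is an added example, not code from the thread: it pulls the timestamps of "Aborted connection" entries out of error-log lines, prints the gaps between them, and reports "periodic" when every gap is within 10 % of the first one (a cron-like pattern) and "irregular" otherwise. The log lines are constructed to look like MySQL 4.0's /var/log/mysql/mysql.err format (a YYMMDD HH:MM:SS prefix); the hostname, connection ids and the same-day assumption are all part of the example, not taken from Andreas' real log.

```shell
#!/bin/sh
# Added example, not code from the thread: decide whether the "Aborted
# connection" entries in a MySQL 4.0 error log arrive at a fixed interval
# (typical of a cron job) or at random. The log lines below are constructed;
# the timestamp layout is assumed to match mysql.err of that version.

# Constructed: the same entry every ten minutes, as a cron job would produce.
PERIODIC_LOG=$(cat <<'EOF'
040924 11:39:38  Aborted connection 101 to db: 'unconnected' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
040924 11:49:38  Aborted connection 102 to db: 'unconnected' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
040924 11:55:02  mysqld: Normal shutdown is not what this line is, it is filler that must be ignored
040924 11:59:38  Aborted connection 103 to db: 'unconnected' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
040924 12:09:38  Aborted connection 104 to db: 'unconnected' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
EOF
)

# Constructed: entries at arbitrary times, the pattern an interactive probe leaves.
RANDOM_LOG=$(cat <<'EOF'
040924 11:39:38  Aborted connection 201 to db: 'unconnected' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
040924 11:41:02  Aborted connection 202 to db: 'unconnected' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
040924 12:20:10  Aborted connection 203 to db: 'unconnected' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
040924 12:21:00  Aborted connection 204 to db: 'unconnected' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
EOF
)

# Read error-log lines on stdin, keep the "Aborted connection" ones, and print
# the gap in seconds between each consecutive pair. Only the HH:MM:SS field is
# used, so entries are assumed to be from one day and in file order; a real
# run over days of logs would need the date field as well.
aborted_intervals() {
    grep 'Aborted connection' | awk '{
        split($2, t, ":")
        s = t[1] * 3600 + t[2] * 60 + t[3]
        if (NR > 1) print s - prev
        prev = s
    }'
}

# Read gaps on stdin and classify: "periodic" if every gap is within 10 % of
# the first one, "irregular" otherwise, "too few entries" with fewer than two.
classify_intervals() {
    awk 'NR == 1 { ref = $1; ok = 1 }
         NR > 1 && (ref == 0 || $1 < 0.9 * ref || $1 > 1.1 * ref) { ok = 0 }
         END {
             if (NR == 0) print "too few entries"
             else print (ok ? "periodic" : "irregular")
         }'
}

# Demo on the constructed samples; on a real host use:
#   aborted_intervals < /var/log/mysql/mysql.err | classify_intervals
printf '%s\n' "$PERIODIC_LOG" | aborted_intervals | classify_intervals
printf '%s\n' "$RANDOM_LOG"   | aborted_intervals | classify_intervals
```

A "periodic" verdict points at crontab entries on the client host (and the server's own) before anything else; an "irregular" one is where tcpdump on port 3306 and the netstat/fuser check on the client earn their keep.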