<p dir="ltr">Poule Paulos,</p>
<p dir="ltr">Apart from your web server, whois server, EPP port and DNS slaves, for a registry, nothing else should be public facing. Move your SQL server behind a DMZ ASAP. Only neonates attack from their own systems; they are probably using a compromised host.</p>
<p dir="ltr">Go offline and fix your firewall and filters before they lock you out.</p>
<p dir="ltr">Good luck.</p>
<p dir="ltr">Sunday.</p>
<div class="gmail_extra"><br><div class="gmail_quote">On Sep 12, 2016 2:51 AM, "Dr Paulos Nyirenda" <<a href="mailto:paulos@sdnp.org.mw" target="_blank">paulos@sdnp.org.mw</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
We are seeing an online attack on our server 196.45.188.25 in progress right now, they<br>
are targeting mysql services that we are running in relation to our .mw registry servers.<br>
<br>
The attack is being run from the following IP addresses which show as Turkey and Romania<br>
origins as shown in the whois.<br>
<br>
5.254.65.9<br>
212.253.62.5<br>
94.122.154.187<br>
<br>
Any ideas on how to prevent attacks on mysql 5.6 on Fedora 20 installations?<br>
<br>
I can see what they want to modify but I have problems seeing how they got in or as what.<br>
<br>
I am copying this to the abuse contacts on these networks ... does this really work?<br>
<br>
Regards,<br>
<br>
Paulos<br>
======================<br>
Dr Paulos B Nyirenda<br>
<a href="http://NIC.MW" rel="noreferrer" target="_blank">NIC.MW</a> & .mw ccTLD<br>
<a href="http://www.registrar.mw" rel="noreferrer" target="_blank">http://www.registrar.mw</a><br>
<br>
<br>
<br>
[paulos@domwe ~]$ whois 94.122.154.187<br>
[Querying <a href="http://whois.arin.net" rel="noreferrer" target="_blank">whois.arin.net</a>]<br>
[Redirected to <a href="http://whois.ripe.net" rel="noreferrer" target="_blank">whois.ripe.net</a>]<br>
[Querying <a href="http://whois.ripe.net" rel="noreferrer" target="_blank">whois.ripe.net</a>]<br>
[<a href="http://whois.ripe.net" rel="noreferrer" target="_blank">whois.ripe.net</a>]<br>
% This is the RIPE Database query service.<br>
% The objects are in RPSL format.<br>
%<br>
% The RIPE Database is subject to Terms and Conditions.<br>
% See <a href="http://www.ripe.net/db/support/db-terms-conditions.pdf" rel="noreferrer" target="_blank">http://www.ripe.net/db/support/db-terms-conditions.pdf</a><br>
<br>
% Note: this output has been filtered.<br>
%       To receive output for a database update, use the "-B" flag.<br>
<br>
% Information related to '94.122.144.0 - 94.122.159.255'<br>
<br>
% Abuse contact for '94.122.144.0 - 94.122.159.255' is '<a href="mailto:netadmins@dsmart.com.tr">netadmins@dsmart.com.tr</a>'<br>
<br>
inetnum:        94.122.144.0 - 94.122.159.255<br>
netname:        DOL<br>
remarks:        rev-srv: <a href="http://doldns01.dol.com.tr" rel="noreferrer" target="_blank">doldns01.dol.com.tr</a><br>
remarks:        rev-srv: <a href="http://doldns02.dol.com.tr" rel="noreferrer" target="_blank">doldns02.dol.com.tr</a><br>
descr:          DOL DATACENTER - VAE ADSL DYNAMIC<br>
country:        TR<br>
admin-c:        DOL22-RIPE<br>
tech-c:         DOL22-RIPE<br>
status:         ASSIGNED PA<br>
mnt-by:         AS12978-MNT<br>
created:        2008-10-14T20:26:59Z<br>
last-modified:  2014-09-15T07:37:47Z<br>
source:         RIPE<br>
remarks:        rev-srv attribute deprecated by RIPE NCC on 02/09/2009<br>
<br>
role:           DOL Network Services<br>
address:        100. Yil Mahallesi Melda Sk.<br>
address:        Dogan TV Center, No:1 34204, Bagcilar - Istanbul<br>
phone:          +90 212 3737800<br>
fax-no:         +90 212 3802491<br>
admin-c:        SA163-RIPE<br>
tech-c:         EE278-RIPE<br>
nic-hdl:        DOL22-RIPE<br>
mnt-by:         AS12978-MNT<br>
mnt-by:         TDTB-MNT<br>
created:        2003-10-16T09:25:39Z<br>
last-modified:  2016-05-27T16:00:07Z<br>
source:         RIPE # Filtered<br>
<br>
% Information related to '94.122.144.0/20AS12978'<br>
<br>
route:          <a href="http://94.122.144.0/20" rel="noreferrer" target="_blank">94.122.144.0/20</a><br>
descr:          DOL<br>
origin:         AS12978<br>
mnt-by:         AS12978-Mnt<br>
created:        2014-01-24T08:55:37Z<br>
last-modified:  2014-01-24T08:55:37Z<br>
source:         RIPE<br>
<br>
% This query was served by the RIPE Database Query Service version 1.87.4 (ANGUS        )<br>
<br>
<br>
[paulos@domwe ~]$<br>
[paulos@domwe ~]$<br>
[paulos@domwe ~]$ whois 212.253.62.5<br>
[Querying <a href="http://whois.ripe.net" rel="noreferrer" target="_blank">whois.ripe.net</a>]<br>
[<a href="http://whois.ripe.net" rel="noreferrer" target="_blank">whois.ripe.net</a>]<br>
% This is the RIPE Database query service.<br>
% The objects are in RPSL format.<br>
%<br>
% The RIPE Database is subject to Terms and Conditions.<br>
% See <a href="http://www.ripe.net/db/support/db-terms-conditions.pdf" rel="noreferrer" target="_blank">http://www.ripe.net/db/support/db-terms-conditions.pdf</a><br>
<br>
% Note: this output has been filtered.<br>
%       To receive output for a database update, use the "-B" flag.<br>
<br>
% Information related to '212.253.56.0 - 212.253.63.255'<br>
<br>
% Abuse contact for '212.253.56.0 - 212.253.63.255' is '<a href="mailto:abuse@superonline.net">abuse@superonline.net</a>'<br>
<br>
inetnum:        212.253.56.0 - 212.253.63.255<br>
netname:        SOLNET-3<br>
descr:          TR-SOLNET-BB-VAE-ANADOLU<br>
country:        TR<br>
admin-c:        TNA13-RIPE<br>
tech-c:         TNA13-RIPE<br>
status:         ASSIGNED PA<br>
remarks:        infra-aw<br>
mnt-by:         MNT-TELLCOM<br>
created:        2011-04-18T13:49:00Z<br>
last-modified:  2013-12-19T21:17:13Z<br>
source:         RIPE # Filtered<br>
<br>
role:           Tellcom Network Admins<br>
address:        Salih Tozan Sk. Karamancilar Is Mrkz. C Blok No:16 34394<br>
address:        Esentepe/Sisli/ISTANBUL TURKEY<br>
phone:          +90 850 222 4662<br>
fax-no:         +90 850 222 4662<br>
admin-c:        TK2426-RIPE<br>
tech-c:         TK2426-RIPE<br>
nic-hdl:        TNA13-RIPE<br>
remarks:        *********************************************<br>
remarks:        Please send spam and abuse notification only<br>
remarks:        to <a href="mailto:abuse@superonline.net">abuse@superonline.net</a><br>
remarks:        *********************************************<br>
abuse-mailbox:  <a href="mailto:abuse@superonline.net">abuse@superonline.net</a><br>
mnt-by:         MNT-TELLCOM<br>
created:        2007-08-06T06:35:11Z<br>
last-modified:  2016-03-15T09:39:06Z<br>
source:         RIPE # Filtered<br>
<br>
% Information related to '212.253.32.0/19AS34984'<br>
<br>
route:          <a href="http://212.253.32.0/19" rel="noreferrer" target="_blank">212.253.32.0/19</a><br>
descr:          Tellcom ADSL<br>
origin:         AS34984<br>
mnt-by:         MNT-TELLCOM<br>
created:        2009-05-26T08:51:19Z<br>
last-modified:  2016-03-31T12:01:23Z<br>
source:         RIPE # Filtered<br>
<br>
% This query was served by the RIPE Database Query Service version 1.87.4 (DB-2)<br>
<br>
<br>
[paulos@domwe ~]$<br>
[paulos@domwe ~]$<br>
[paulos@domwe ~]$ whois 5.254.65.9<br>
[Querying <a href="http://whois.arin.net" rel="noreferrer" target="_blank">whois.arin.net</a>]<br>
[Redirected to <a href="http://whois.ripe.net" rel="noreferrer" target="_blank">whois.ripe.net</a>]<br>
[Querying <a href="http://whois.ripe.net" rel="noreferrer" target="_blank">whois.ripe.net</a>]<br>
[<a href="http://whois.ripe.net" rel="noreferrer" target="_blank">whois.ripe.net</a>]<br>
% This is the RIPE Database query service.<br>
% The objects are in RPSL format.<br>
%<br>
% The RIPE Database is subject to Terms and Conditions.<br>
% See <a href="http://www.ripe.net/db/support/db-terms-conditions.pdf" rel="noreferrer" target="_blank">http://www.ripe.net/db/support/db-terms-conditions.pdf</a><br>
<br>
% Note: this output has been filtered.<br>
%       To receive output for a database update, use the "-B" flag.<br>
<br>
% Information related to '5.254.64.0 - 5.254.127.255'<br>
<br>
% Abuse contact for '5.254.64.0 - 5.254.127.255' is '<a href="mailto:abuse@globalcitytel.com">abuse@globalcitytel.com</a>'<br>
<br>
inetnum:        5.254.64.0 - 5.254.127.255<br>
netname:        Voxility<br>
descr:          IPs used by the customers of <a href="http://voxility.com" rel="noreferrer" target="_blank">voxility.com</a><br>
descr:          Dimitrie Pompeiu 9-9A, Building 24<br>
descr:          Bucharest 020335, Romania<br>
country:        RO<br>
admin-c:        VOX100-RIPE<br>
tech-c:         VOX100-RIPE<br>
status:         LIR-PARTITIONED PA<br>
mnt-by:         GLOBALCITY-MNT<br>
mnt-lower:      GLOBALCITY-MNT<br>
mnt-lower:      VOXILITY-MNT<br>
mnt-routes:     VOXILITY-MNT<br>
created:        2015-04-29T11:35:35Z<br>
last-modified:  2016-09-06T09:32:58Z<br>
source:         RIPE<br>
<br>
person:         Voxility NOC<br>
remarks:        Team in Charge of Voxility Global IP<br>
remarks:        Backbone Management<br>
remarks:        Available 24/7 for routing issues and security incidents<br>
org:            ORG-SVS8-RIPE<br>
address:        Dimitrie Pompeiu 9-9A, Building 24<br>
address:        Bucharest 020335, Romania<br>
remarks:        <a href="mailto:noc@voxility.com">noc@voxility.com</a><br>
abuse-mailbox:  <a href="mailto:abuse@voxility.com">abuse@voxility.com</a><br>
remarks:        +1.703-888-5811 (US)<br>
remarks:        +49.69-957-98952 (Germany)<br>
remarks:        +44 20-3355-1458 (UK)<br>
phone:          +40212074774<br>
nic-hdl:        VOX100-RIPE<br>
mnt-by:         VOXILITY-MNT<br>
created:        2012-08-04T15:50:52Z<br>
last-modified:  2013-10-07T19:48:57Z<br>
source:         RIPE # Filtered<br>
<br>
% Information related to '5.254.64.0/20AS3223'<br>
<br>
route:          <a href="http://5.254.64.0/20" rel="noreferrer" target="_blank">5.254.64.0/20</a><br>
descr:          <a href="http://voxility.net" rel="noreferrer" target="_blank">voxility.net</a><br>
origin:         AS3223<br>
mnt-by:         VOXILITY-MNT<br>
created:        2016-01-20T16:03:15Z<br>
last-modified:  2016-01-20T16:03:15Z<br>
source:         RIPE<br>
<br>
% This query was served by the RIPE Database Query Service version 1.87.4 (ANGUS)<br>
<br>
<br>
[paulos@domwe ~]$<br>
<br>
<br>
_______________________________________________<br>
afnog mailing list<br>
<a href="https://www.afnog.org/mailman/listinfo/afnog" rel="noreferrer" target="_blank">https://www.afnog.org/mailman/listinfo/afnog</a><br>
</blockquote></div></div>
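<p dir="ltr">Added example, not code from either message in this thread: a shell script that applies Sunday's advice and addresses Paulos's question about MySQL 5.6 on Fedora 20. It prints a my.cnf fragment that binds mysqld to an internal address, an audit query for the accounts a remote attacker could be logging in as, and an iptables policy that leaves only web, whois, EPP and DNS public, and it checks <code>ss -tln</code> output for a mysqld bound to a wildcard address. The 10.10.0.0/24 management network and the 10.10.0.5 internal address are assumed values; the <code>ss</code> samples are constructed, and the firewall rules are printed for review rather than applied.</p>

```shell
#!/bin/sh
# Added example, not from the afnog thread. Network details are assumptions:
# internal management/app network 10.10.0.0/24, DB host internal address 10.10.0.5.

# my.cnf fragment for MySQL 5.6: listen on the internal interface only
# (never 0.0.0.0) and refuse LOAD DATA LOCAL from clients.
mysql_cnf_fragment() {
    cat <<'EOF'
[mysqld]
bind-address    = 10.10.0.5
local-infile    = 0
skip-name-resolve
EOF
}

# SQL to answer "as what did they get in": accounts reachable from any host,
# anonymous accounts and accounts with an empty password (5.6 schema).
mysql_audit_sql() {
    cat <<'EOF'
SELECT user, host FROM mysql.user
 WHERE host IN ('%', '') OR user = '' OR password = '';
EOF
}

# iptables INPUT policy for a registry host: web, whois, EPP and DNS are
# public; SSH and MySQL are reachable from the internal network only.
# The rules are printed, not applied, so they can be reviewed first.
firewall_rules() {
    internal="${1:-10.10.0.0/24}"
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 43 -j ACCEPT
iptables -A INPUT -p tcp --dport 700 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $internal -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -s $internal -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
EOF
}

# Read `ss -tln` output on stdin; exit 0 if port 3306 is bound to a
# wildcard address (0.0.0.0, *, :: or [::]) and is therefore public.
mysql_exposed() {
    awk '$1 == "LISTEN" && $4 ~ /^(0\.0\.0\.0|\*|::|\[::\]):3306$/ { found = 1 }
         END { exit(found ? 0 : 1) }'
}

# Constructed `ss -tln` samples (not real captures): before and after
# bind-address is set.
SS_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:22               *:*
LISTEN 0      50     *:3306             *:*'
SS_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    10.10.0.5:22       *:*
LISTEN 0      50     10.10.0.5:3306     *:*'

# Stand-alone run: report both samples, then print the policy for review.
if printf '%s\n' "$SS_BEFORE" | mysql_exposed; then
    echo "before: mysqld is listening on a wildcard address (public)"
fi
if printf '%s\n' "$SS_AFTER" | mysql_exposed; then
    echo "after: mysqld is still exposed"
else
    echo "after: mysqld is bound to the internal address only"
fi
firewall_rules 10.10.0.0/24
```

<p dir="ltr">The policy sets the INPUT default to DROP before any ACCEPT rule, so applying it over SSH from outside the internal network will cut the session: load it from the console or an internal host, which is the "go offline and fix your firewall" step. On a Fedora 20 host running firewalld the same policy is expressed as zone and rich rules rather than raw iptables commands. Run the audit query as a MySQL administrator on the socket, not over the network.</p>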