[afnog] attack on 196.45.188.25 currently in progress

Kisakye Alex kisakye at gmail.com
Mon Sep 12 02:16:46 UTC 2016


Hello,
A quick fix would be blocking these IP addresses with iptables.
Then start the post mortem:
- Is your database server available publicly? Perhaps you should consider
closing it and only accepting connections from trusted IPs. If your MySQL
is accessible, then these may not be targeted attacks, just drive-bys, and
they are going to keep happening.
- Is your FC box up to date with the patch fixes available ("yum upgrade")?

Reaching out to abuse contacts is good practice, but often enough it's some
box that has also been hacked and is being used as a relay. The best they
can do is alert the upstream victim.

Alex

On Mon, Sep 12, 2016 at 11:53 AM, Dr Paulos Nyirenda <paulos at sdnp.org.mw>
wrote:

>
> We are seeing an online attack on our server 196.45.188.25 in progress
> right now; they are targeting MySQL services that we are running in
> relation to our .mw registry servers.
>
> The attack is being run from the following IP addresses, which show
> Turkey and Romania origins as shown in the whois.
>
> 5.254.65.9
> 212.253.62.5
> 94.122.154.187
>
> Any ideas on how to prevent attacks on MySQL 5.6 on Fedora 20
> installations?
>
> I can see what they want to modify but I have problems seeing how they got
> in or as what.
>
> I am copying this to the abuse contacts on these networks ... does this
> really work?
>
> Regards,
>
> Paulos
> ======================
> Dr Paulos B Nyirenda
> NIC.MW & .mw ccTLD
> http://www.registrar.mw
>
>
>
> [paulos at domwe ~]$ whois 94.122.154.187
> [Querying whois.arin.net]
> [Redirected to whois.ripe.net]
> [Querying whois.ripe.net]
> [whois.ripe.net]
> % This is the RIPE Database query service.
> % The objects are in RPSL format.
> %
> % The RIPE Database is subject to Terms and Conditions.
> % See http://www.ripe.net/db/support/db-terms-conditions.pdf
>
> % Note: this output has been filtered.
> %       To receive output for a database update, use the "-B" flag.
>
> % Information related to '94.122.144.0 - 94.122.159.255'
>
> % Abuse contact for '94.122.144.0 - 94.122.159.255' is '
> netadmins at dsmart.com.tr'
>
> inetnum:        94.122.144.0 - 94.122.159.255
> netname:        DOL
> remarks:        rev-srv: doldns01.dol.com.tr
> remarks:        rev-srv: doldns02.dol.com.tr
> descr:          DOL DATACENTER - VAE ADSL DYNAMIC
> country:        TR
> admin-c:        DOL22-RIPE
> tech-c:         DOL22-RIPE
> status:         ASSIGNED PA
> mnt-by:         AS12978-MNT
> created:        2008-10-14T20:26:59Z
> last-modified:  2014-09-15T07:37:47Z
> source:         RIPE
> remarks:        rev-srv attribute deprecated by RIPE NCC on 02/09/2009
>
> role:           DOL Network Services
> address:        100. Yil Mahallesi Melda Sk.
> address:        Dogan TV Center, No:1 34204, Bagcilar - Istanbul
> phone:          +90 212 3737800
> fax-no:         +90 212 3802491
> admin-c:        SA163-RIPE
> tech-c:         EE278-RIPE
> nic-hdl:        DOL22-RIPE
> mnt-by:         AS12978-MNT
> mnt-by:         TDTB-MNT
> created:        2003-10-16T09:25:39Z
> last-modified:  2016-05-27T16:00:07Z
> source:         RIPE # Filtered
>
> % Information related to '94.122.144.0/20AS12978'
>
> route:          94.122.144.0/20
> descr:          DOL
> origin:         AS12978
> mnt-by:         AS12978-Mnt
> created:        2014-01-24T08:55:37Z
> last-modified:  2014-01-24T08:55:37Z
> source:         RIPE
>
> % This query was served by the RIPE Database Query Service version 1.87.4
> (ANGUS        )
>
>
> [paulos at domwe ~]$
> [paulos at domwe ~]$
> [paulos at domwe ~]$ whois 212.253.62.5
> [Querying whois.ripe.net]
> [whois.ripe.net]
> % This is the RIPE Database query service.
> % The objects are in RPSL format.
> %
> % The RIPE Database is subject to Terms and Conditions.
> % See http://www.ripe.net/db/support/db-terms-conditions.pdf
>
> % Note: this output has been filtered.
> %       To receive output for a database update, use the "-B" flag.
>
> % Information related to '212.253.56.0 - 212.253.63.255'
>
> % Abuse contact for '212.253.56.0 - 212.253.63.255' is '
> abuse at superonline.net'
>
> inetnum:        212.253.56.0 - 212.253.63.255
> netname:        SOLNET-3
> descr:          TR-SOLNET-BB-VAE-ANADOLU
> country:        TR
> admin-c:        TNA13-RIPE
> tech-c:         TNA13-RIPE
> status:         ASSIGNED PA
> remarks:        infra-aw
> mnt-by:         MNT-TELLCOM
> created:        2011-04-18T13:49:00Z
> last-modified:  2013-12-19T21:17:13Z
> source:         RIPE # Filtered
>
> role:           Tellcom Network Admins
> address:        Salih Tozan Sk. Karamancilar Is Mrkz. C Blok No:16 34394
> address:        Esentepe/Sisli/ISTANBUL TURKEY
> phone:          +90 850 222 4662
> fax-no:         +90 850 222 4662
> admin-c:        TK2426-RIPE
> tech-c:         TK2426-RIPE
> nic-hdl:        TNA13-RIPE
> remarks:        *********************************************
> remarks:        Please send spam and abuse notification only
> remarks:        to abuse at superonline.net
> remarks:        *********************************************
> abuse-mailbox:  abuse at superonline.net
> mnt-by:         MNT-TELLCOM
> created:        2007-08-06T06:35:11Z
> last-modified:  2016-03-15T09:39:06Z
> source:         RIPE # Filtered
>
> % Information related to '212.253.32.0/19AS34984'
>
> route:          212.253.32.0/19
> descr:          Tellcom ADSL
> origin:         AS34984
> mnt-by:         MNT-TELLCOM
> created:        2009-05-26T08:51:19Z
> last-modified:  2016-03-31T12:01:23Z
> source:         RIPE # Filtered
>
> % This query was served by the RIPE Database Query Service version 1.87.4
> (DB-2)
>
>
> [paulos at domwe ~]$
> [paulos at domwe ~]$
> [paulos at domwe ~]$ whois 5.254.65.9
> [Querying whois.arin.net]
> [Redirected to whois.ripe.net]
> [Querying whois.ripe.net]
> [whois.ripe.net]
> % This is the RIPE Database query service.
> % The objects are in RPSL format.
> %
> % The RIPE Database is subject to Terms and Conditions.
> % See http://www.ripe.net/db/support/db-terms-conditions.pdf
>
> % Note: this output has been filtered.
> %       To receive output for a database update, use the "-B" flag.
>
> % Information related to '5.254.64.0 - 5.254.127.255'
>
> % Abuse contact for '5.254.64.0 - 5.254.127.255' is '
> abuse at globalcitytel.com'
>
> inetnum:        5.254.64.0 - 5.254.127.255
> netname:        Voxility
> descr:          IPs used by the customers of voxility.com
> descr:          Dimitrie Pompeiu 9-9A, Building 24
> descr:          Bucharest 020335, Romania
> country:        RO
> admin-c:        VOX100-RIPE
> tech-c:         VOX100-RIPE
> status:         LIR-PARTITIONED PA
> mnt-by:         GLOBALCITY-MNT
> mnt-lower:      GLOBALCITY-MNT
> mnt-lower:      VOXILITY-MNT
> mnt-routes:     VOXILITY-MNT
> created:        2015-04-29T11:35:35Z
> last-modified:  2016-09-06T09:32:58Z
> source:         RIPE
>
> person:         Voxility NOC
> remarks:        Team in Charge of Voxility Global IP
> remarks:        Backbone Management
> remarks:        Available 24/7 for routing issues and security incidents
> org:            ORG-SVS8-RIPE
> address:        Dimitrie Pompeiu 9-9A, Building 24
> address:        Bucharest 020335, Romania
> remarks:        noc at voxility.com
> abuse-mailbox:  abuse at voxility.com
> remarks:        +1.703-888-5811 (US)
> remarks:        +49.69-957-98952 (Germany)
> remarks:        +44 20-3355-1458 (UK)
> phone:          +40212074774
> nic-hdl:        VOX100-RIPE
> mnt-by:         VOXILITY-MNT
> created:        2012-08-04T15:50:52Z
> last-modified:  2013-10-07T19:48:57Z
> source:         RIPE # Filtered
>
> % Information related to '5.254.64.0/20AS3223'
>
> route:          5.254.64.0/20
> descr:          voxility.net
> origin:         AS3223
> mnt-by:         VOXILITY-MNT
> created:        2016-01-20T16:03:15Z
> last-modified:  2016-01-20T16:03:15Z
> source:         RIPE
>
> % This query was served by the RIPE Database Query Service version 1.87.4
> (ANGUS)
>
>
> [paulos at domwe ~]$
> _______________________________________________
> afnog mailing list
> https://www.afnog.org/mailman/listinfo/afnog
>
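An added example of the post mortem step Alex describes (not part of this thread or either poster's own tooling): parse the "Access denied" warnings that MySQL 5.6 writes to its error log to see which sources and usernames are being tried, then turn the result into the iptables quick fix plus a rule that restricts port 3306 to trusted networks. The log lines, the 10.0.0.0/8 trusted network and the function names are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# MySQL 5.6 writes failed logins to the error log when log_warnings >= 2.
ACCESS_DENIED = re.compile(
    r"\[Warning\] Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
    r" \(using password: (?:YES|NO)\)")

# Constructed sample log (not real data): the three sources from the thread
# hammering root/admin, plus one failed login from the registry's own LAN.
SAMPLE_LOG = """\
2016-09-12 01:58:03 2311 [Warning] Access denied for user 'root'@'5.254.65.9' (using password: YES)
2016-09-12 01:58:04 2312 [Warning] Access denied for user 'root'@'5.254.65.9' (using password: YES)
2016-09-12 01:58:09 2313 [Warning] Access denied for user 'admin'@'212.253.62.5' (using password: YES)
2016-09-12 01:58:11 2314 [Warning] Access denied for user 'root'@'94.122.154.187' (using password: NO)
2016-09-12 01:59:30 2315 [Warning] Access denied for user 'paulos'@'10.0.0.5' (using password: YES)
2016-09-12 01:59:31 2316 [Note] Event Scheduler: Loaded 0 events
"""

TRUSTED = [ip_network("10.0.0.0/8")]  # assumption: the registry's own network

def failed_logins(log_text):
    """Return {source_host: Counter(user -> attempts)} from Access denied lines."""
    by_host = defaultdict(Counter)
    for line in log_text.splitlines():
        m = ACCESS_DENIED.search(line)
        if m:
            by_host[m.group("host")][m.group("user")] += 1
    return by_host

def untrusted_sources(by_host, trusted=TRUSTED):
    """Remote sources outside every trusted network, most attempts first."""
    out = []
    for host, users in by_host.items():
        try:
            addr = ip_address(host)
        except ValueError:
            continue  # 'localhost' or a hostname, not a remote IP
        if not any(addr in net for net in trusted):
            out.append((host, sum(users.values())))
    return sorted(out, key=lambda t: (-t[1], t[0]))

def iptables_rules(sources, port=3306, trusted=TRUSTED):
    """Quick fix first (drop the attackers), then allow only trusted nets to MySQL."""
    rules = [f"iptables -I INPUT -s {h} -j DROP" for h, _ in sources]
    rules += [f"iptables -A INPUT -p tcp --dport {port} -s {n} -j ACCEPT" for n in trusted]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules
```

Feed the real error log to failed_logins() to answer the "as what" question (which accounts were tried, and whether any attempt succeeded is then checked against the general log), and review the generated rules before applying them so the trusted list really covers the registry hosts.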