[afnog] attack on 196.45.188.25 currently in progress
Sunday Folayan
sfolayan at gmail.com
Mon Sep 12 05:04:42 UTC 2016
Poule Paulos,
Apart from your web server, whois server, EPP port and DNS slaves, for a
registry, nothing else should be public facing. Move your SQL server behind
a DMZ asap. Only neonates attack from their own systems, they are probably
using a compromised host.
Go offline and fix your firewall and filters before they lock you out.
Good luck.
Sunday.
On Sep 12, 2016 2:51 AM, "Dr Paulos Nyirenda" <paulos at sdnp.org.mw> wrote:
>
> We are seeing an online attack on our server 196.45.188.25 in progress
> right now; they are targeting mysql services that we are running in
> relation to our .mw registry servers.
>
> The attack is being run from the following IP addresses, which show as
> Turkey and Romania origins as shown in the whois.
>
> 5.254.65.9
> 212.253.62.5
> 94.122.154.187
>
> Any ideas on how to prevent attacks on mysql 5.6 on Fedora 20
> installations ?
>
> I can see what they want to modify but I have problems seeing how they got
> in or as what.
>
> I am copying this to the abuse contacts on these networks ... does this
> really work?
>
> Regards,
>
> Paulos
> ======================
> Dr Paulos B Nyirenda
> NIC.MW & .mw ccTLD
> http://www.registrar.mw
>
>
>
> [paulos at domwe ~]$ whois 94.122.154.187
> [Querying whois.arin.net]
> [Redirected to whois.ripe.net]
> [Querying whois.ripe.net]
> [whois.ripe.net]
> % This is the RIPE Database query service.
> % The objects are in RPSL format.
> %
> % The RIPE Database is subject to Terms and Conditions.
> % See http://www.ripe.net/db/support/db-terms-conditions.pdf
>
> % Note: this output has been filtered.
> % To receive output for a database update, use the "-B" flag.
>
> % Information related to '94.122.144.0 - 94.122.159.255'
>
> % Abuse contact for '94.122.144.0 - 94.122.159.255' is 'netadmins at dsmart.com.tr'
>
> inetnum: 94.122.144.0 - 94.122.159.255
> netname: DOL
> remarks: rev-srv: doldns01.dol.com.tr
> remarks: rev-srv: doldns02.dol.com.tr
> descr: DOL DATACENTER - VAE ADSL DYNAMIC
> country: TR
> admin-c: DOL22-RIPE
> tech-c: DOL22-RIPE
> status: ASSIGNED PA
> mnt-by: AS12978-MNT
> created: 2008-10-14T20:26:59Z
> last-modified: 2014-09-15T07:37:47Z
> source: RIPE
> remarks: rev-srv attribute deprecated by RIPE NCC on 02/09/2009
>
> role: DOL Network Services
> address: 100. Yil Mahallesi Melda Sk.
> address: Dogan TV Center, No:1 34204, Bagcilar - Istanbul
> phone: +90 212 3737800
> fax-no: +90 212 3802491
> admin-c: SA163-RIPE
> tech-c: EE278-RIPE
> nic-hdl: DOL22-RIPE
> mnt-by: AS12978-MNT
> mnt-by: TDTB-MNT
> created: 2003-10-16T09:25:39Z
> last-modified: 2016-05-27T16:00:07Z
> source: RIPE # Filtered
>
> % Information related to '94.122.144.0/20AS12978'
>
> route: 94.122.144.0/20
> descr: DOL
> origin: AS12978
> mnt-by: AS12978-Mnt
> created: 2014-01-24T08:55:37Z
> last-modified: 2014-01-24T08:55:37Z
> source: RIPE
>
> % This query was served by the RIPE Database Query Service version 1.87.4
> (ANGUS )
>
>
> [paulos at domwe ~]$
> [paulos at domwe ~]$
> [paulos at domwe ~]$ whois 212.253.62.5
> [Querying whois.ripe.net]
> [whois.ripe.net]
> % This is the RIPE Database query service.
> % The objects are in RPSL format.
> %
> % The RIPE Database is subject to Terms and Conditions.
> % See http://www.ripe.net/db/support/db-terms-conditions.pdf
>
> % Note: this output has been filtered.
> % To receive output for a database update, use the "-B" flag.
>
> % Information related to '212.253.56.0 - 212.253.63.255'
>
> % Abuse contact for '212.253.56.0 - 212.253.63.255' is 'abuse at superonline.net'
>
> inetnum: 212.253.56.0 - 212.253.63.255
> netname: SOLNET-3
> descr: TR-SOLNET-BB-VAE-ANADOLU
> country: TR
> admin-c: TNA13-RIPE
> tech-c: TNA13-RIPE
> status: ASSIGNED PA
> remarks: infra-aw
> mnt-by: MNT-TELLCOM
> created: 2011-04-18T13:49:00Z
> last-modified: 2013-12-19T21:17:13Z
> source: RIPE # Filtered
>
> role: Tellcom Network Admins
> address: Salih Tozan Sk. Karamancilar Is Mrkz. C Blok No:16 34394
> address: Esentepe/Sisli/ISTANBUL TURKEY
> phone: +90 850 222 4662
> fax-no: +90 850 222 4662
> admin-c: TK2426-RIPE
> tech-c: TK2426-RIPE
> nic-hdl: TNA13-RIPE
> remarks: *********************************************
> remarks: Please send spam and abuse notification only
> remarks: to abuse at superonline.net
> remarks: *********************************************
> abuse-mailbox: abuse at superonline.net
> mnt-by: MNT-TELLCOM
> created: 2007-08-06T06:35:11Z
> last-modified: 2016-03-15T09:39:06Z
> source: RIPE # Filtered
>
> % Information related to '212.253.32.0/19AS34984'
>
> route: 212.253.32.0/19
> descr: Tellcom ADSL
> origin: AS34984
> mnt-by: MNT-TELLCOM
> created: 2009-05-26T08:51:19Z
> last-modified: 2016-03-31T12:01:23Z
> source: RIPE # Filtered
>
> % This query was served by the RIPE Database Query Service version 1.87.4
> (DB-2)
>
>
> [paulos at domwe ~]$
> [paulos at domwe ~]$
> [paulos at domwe ~]$ whois 5.254.65.9
> [Querying whois.arin.net]
> [Redirected to whois.ripe.net]
> [Querying whois.ripe.net]
> [whois.ripe.net]
> % This is the RIPE Database query service.
> % The objects are in RPSL format.
> %
> % The RIPE Database is subject to Terms and Conditions.
> % See http://www.ripe.net/db/support/db-terms-conditions.pdf
>
> % Note: this output has been filtered.
> % To receive output for a database update, use the "-B" flag.
>
> % Information related to '5.254.64.0 - 5.254.127.255'
>
> % Abuse contact for '5.254.64.0 - 5.254.127.255' is 'abuse at globalcitytel.com'
>
> inetnum: 5.254.64.0 - 5.254.127.255
> netname: Voxility
> descr: IPs used by the customers of voxility.com
> descr: Dimitrie Pompeiu 9-9A, Building 24
> descr: Bucharest 020335, Romania
> country: RO
> admin-c: VOX100-RIPE
> tech-c: VOX100-RIPE
> status: LIR-PARTITIONED PA
> mnt-by: GLOBALCITY-MNT
> mnt-lower: GLOBALCITY-MNT
> mnt-lower: VOXILITY-MNT
> mnt-routes: VOXILITY-MNT
> created: 2015-04-29T11:35:35Z
> last-modified: 2016-09-06T09:32:58Z
> source: RIPE
>
> person: Voxility NOC
> remarks: Team in Charge of Voxility Global IP
> remarks: Backbone Management
> remarks: Available 24/7 for routing issues and security incidents
> org: ORG-SVS8-RIPE
> address: Dimitrie Pompeiu 9-9A, Building 24
> address: Bucharest 020335, Romania
> remarks: noc at voxility.com
> abuse-mailbox: abuse at voxility.com
> remarks: +1.703-888-5811 (US)
> remarks: +49.69-957-98952 (Germany)
> remarks: +44 20-3355-1458 (UK)
> phone: +40212074774
> nic-hdl: VOX100-RIPE
> mnt-by: VOXILITY-MNT
> created: 2012-08-04T15:50:52Z
> last-modified: 2013-10-07T19:48:57Z
> source: RIPE # Filtered
>
> % Information related to '5.254.64.0/20AS3223'
>
> route: 5.254.64.0/20
> descr: voxility.net
> origin: AS3223
> mnt-by: VOXILITY-MNT
> created: 2016-01-20T16:03:15Z
> last-modified: 2016-01-20T16:03:15Z
> source: RIPE
>
> % This query was served by the RIPE Database Query Service version 1.87.4
> (ANGUS)
>
>
> [paulos at domwe ~]$
>
>
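An added audit script (not from the thread, and not a tool of either poster) that applies Sunday's rule to a registry host: list every socket bound to a non-loopback address and flag any whose port is not one of the services a registry legitimately exposes, and check whether the MySQL 5.6 my.cnf restricts bind-address. It assumes the standard ports for those services (80/443 web, 43 whois, 700 EPP, 53 DNS) and the column layout of `ss -lntu`; the sample socket listing and my.cnf below are constructed.

```python
import re

# Services a ccTLD registry host is expected to expose publicly.
# Assumption: standard ports for web, whois, EPP and DNS.
REGISTRY_PUBLIC_PORTS = {80: "http", 443: "https", 43: "whois", 700: "epp", 53: "dns"}

LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")


def parse_ss_listeners(ss_output):
    """Parse `ss -lntu` output (header + one socket per line) into
    (protocol, local address, port) tuples."""
    listeners = []
    for line in ss_output.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # handles '*', IPv4 and [v6] forms
        listeners.append((proto, addr, int(port)))
    return listeners


def publicly_exposed(listeners):
    """Sockets bound to a non-loopback address on a port outside the
    allowlist: these are what the firewall/DMZ must hide (MySQL 3306 here)."""
    return [(proto, addr, port) for proto, addr, port in listeners
            if not addr.startswith(LOOPBACK_PREFIXES)
            and port not in REGISTRY_PUBLIC_PORTS]


def mysql_bind_address(my_cnf):
    """Return bind-address from the [mysqld] section, or None when unset
    (MySQL 5.6 then listens on all interfaces)."""
    section = None
    for line in my_cnf.splitlines():
        head = re.match(r"\s*\[(\w+)\]", line)
        if head:
            section = head.group(1)
            continue
        m = re.match(r"\s*bind[-_]address\s*=\s*(\S+)", line)
        if m and section == "mysqld":
            return m.group(1)
    return None


# Constructed sample output of `ss -lntu` on a registry host.
SAMPLE_SS = """Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    *:80               *:*
tcp   LISTEN 0      128    *:443              *:*
tcp   LISTEN 0      50     *:3306             *:*
udp   UNCONN 0      0      *:53               *:*
tcp   LISTEN 0      128    127.0.0.1:25       *:*"""

# Constructed my.cnf fragment.
SAMPLE_MY_CNF = "[mysqld]\ndatadir=/var/lib/mysql\nbind-address=127.0.0.1\n[mysqld_safe]\nlog-error=/var/log/mysqld.log\n"
```

Run on the real host by feeding it the output of `ss -lntu` and the contents of /etc/my.cnf; any line `publicly_exposed` returns is a service to rebind to loopback or block at the firewall.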