[afnog] attack on 196.45.188.25 currently in progress

Mohamed Faye mahafaye at gmail.com
Mon Sep 12 14:24:45 UTC 2016


Best thing would be to install fail2ban and try to do a little bit of
iptables to harden it, but I guess fail2ban would be good.

:/Mohamed
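One concrete way to carry out the suggestion above on a MySQL 5.6 / Fedora 20 host, written as an added example for this thread rather than anything the posters ran. It assumes the community MySQL packages logging to /var/log/mysqld.log, fail2ban's stock mysqld-auth filter being present, and a constructed ALLOWED_HOSTS list standing in for the real registry hosts:

```shell
#!/bin/sh
# Added example, not from the thread: fail2ban on the MySQL error log plus an
# iptables allow-list for port 3306. Paths and hosts below are assumptions.
set -eu

ALLOWED_HOSTS="${ALLOWED_HOSTS:-192.0.2.10 192.0.2.11}"  # constructed placeholders
MYSQL_LOG="${MYSQL_LOG:-/var/log/mysqld.log}"            # assumed log location

# MySQL 5.6 only writes "Access denied for user ..." lines to the error log
# when log_warnings >= 2; without this fail2ban's filter has nothing to match.
mysql_conf() {
    printf '[mysqld]\nlog_warnings = 2\nlog_error = %s\n' "$MYSQL_LOG"
}

# Enable the mysqld-auth jail that ships with fail2ban: 5 failed logins from
# one address within 10 minutes ban that address for an hour.
jail_conf() {
    printf '[mysqld-auth]\nenabled = true\nport = 3306\nlogpath = %s\n' "$MYSQL_LOG"
    printf 'maxretry = 5\nfindtime = 600\nbantime = 3600\n'
}

# iptables: accept 3306 only from the allow-listed hosts, drop everyone else.
# This also blocks a client that already holds valid credentials, which
# fail2ban alone would never see as a failed login.
iptables_rules() {
    for h in $ALLOWED_HOSTS; do
        printf 'iptables -A INPUT -p tcp --dport 3306 -s %s -j ACCEPT\n' "$h"
    done
    printf 'iptables -A INPUT -p tcp --dport 3306 -j DROP\n'
}

# Write the fragments and activate them (run as root with "apply").
apply() {
    mysql_conf > /etc/my.cnf.d/hardening.cnf
    jail_conf  > /etc/fail2ban/jail.d/mysqld-auth.local
    iptables_rules | sh
    systemctl restart mysqld fail2ban
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Without "apply" the script only defines the functions, so `sh script.sh apply` is the activating call; check `fail2ban-client status mysqld-auth` afterwards to confirm the jail is reading the log.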

On Monday, September 12, 2016, Dr Paulos Nyirenda <paulos at sdnp.org.mw>
wrote:

>
> We are seeing an online attack on our server 196.45.188.25 in progress
> right now, they
> are targeting mysql services that we are running in relation to our .mw
> registry servers.
>
> The attack is being run from the following IP addresses which show as
> Turkey and Romania
> origins as shown in the whois.
>
> 5.254.65.9
> 212.253.62.5
> 94.122.154.187
>
> Any ideas on how to prevent attacks on mysql 5.6 on Fedora 20
> installations ?
>
> I can see what they want to modify but I have problems seeing how they got
> in or as what.
>
> I am copying this to the abuse contacts on these networks ... does this
> really work?
>
> Regards,
>
> Paulos
> ======================
> Dr Paulos B Nyirenda
> NIC.MW & .mw ccTLD
> http://www.registrar.mw
>
>
>
> [paulos at domwe ~]$ whois 94.122.154.187
> [Querying whois.arin.net]
> [Redirected to whois.ripe.net]
> [Querying whois.ripe.net]
> [whois.ripe.net]
> % This is the RIPE Database query service.
> % The objects are in RPSL format.
> %
> % The RIPE Database is subject to Terms and Conditions.
> % See http://www.ripe.net/db/support/db-terms-conditions.pdf
>
> % Note: this output has been filtered.
> %       To receive output for a database update, use the "-B" flag.
>
> % Information related to '94.122.144.0 - 94.122.159.255'
>
> % Abuse contact for '94.122.144.0 - 94.122.159.255' is 'netadmins at dsmart.com.tr'
>
> inetnum:        94.122.144.0 - 94.122.159.255
> netname:        DOL
> remarks:        rev-srv: doldns01.dol.com.tr
> remarks:        rev-srv: doldns02.dol.com.tr
> descr:          DOL DATACENTER - VAE ADSL DYNAMIC
> country:        TR
> admin-c:        DOL22-RIPE
> tech-c:         DOL22-RIPE
> status:         ASSIGNED PA
> mnt-by:         AS12978-MNT
> created:        2008-10-14T20:26:59Z
> last-modified:  2014-09-15T07:37:47Z
> source:         RIPE
> remarks:        rev-srv attribute deprecated by RIPE NCC on 02/09/2009
>
> role:           DOL Network Services
> address:        100. Yil Mahallesi Melda Sk.
> address:        Dogan TV Center, No:1 34204, Bagcilar - Istanbul
> phone:          +90 212 3737800
> fax-no:         +90 212 3802491
> admin-c:        SA163-RIPE
> tech-c:         EE278-RIPE
> nic-hdl:        DOL22-RIPE
> mnt-by:         AS12978-MNT
> mnt-by:         TDTB-MNT
> created:        2003-10-16T09:25:39Z
> last-modified:  2016-05-27T16:00:07Z
> source:         RIPE # Filtered
>
> % Information related to '94.122.144.0/20AS12978'
>
> route:          94.122.144.0/20
> descr:          DOL
> origin:         AS12978
> mnt-by:         AS12978-Mnt
> created:        2014-01-24T08:55:37Z
> last-modified:  2014-01-24T08:55:37Z
> source:         RIPE
>
> % This query was served by the RIPE Database Query Service version 1.87.4
> (ANGUS        )
>
>
> [paulos at domwe ~]$
> [paulos at domwe ~]$
> [paulos at domwe ~]$ whois 212.253.62.5
> [Querying whois.ripe.net]
> [whois.ripe.net]
> % This is the RIPE Database query service.
> % The objects are in RPSL format.
> %
> % The RIPE Database is subject to Terms and Conditions.
> % See http://www.ripe.net/db/support/db-terms-conditions.pdf
>
> % Note: this output has been filtered.
> %       To receive output for a database update, use the "-B" flag.
>
> % Information related to '212.253.56.0 - 212.253.63.255'
>
> % Abuse contact for '212.253.56.0 - 212.253.63.255' is 'abuse at superonline.net'
>
> inetnum:        212.253.56.0 - 212.253.63.255
> netname:        SOLNET-3
> descr:          TR-SOLNET-BB-VAE-ANADOLU
> country:        TR
> admin-c:        TNA13-RIPE
> tech-c:         TNA13-RIPE
> status:         ASSIGNED PA
> remarks:        infra-aw
> mnt-by:         MNT-TELLCOM
> created:        2011-04-18T13:49:00Z
> last-modified:  2013-12-19T21:17:13Z
> source:         RIPE # Filtered
>
> role:           Tellcom Network Admins
> address:        Salih Tozan Sk. Karamancilar Is Mrkz. C Blok No:16 34394
> address:        Esentepe/Sisli/ISTANBUL TURKEY
> phone:          +90 850 222 4662
> fax-no:         +90 850 222 4662
> admin-c:        TK2426-RIPE
> tech-c:         TK2426-RIPE
> nic-hdl:        TNA13-RIPE
> remarks:        *********************************************
> remarks:        Please send spam and abuse notification only
> remarks:        to abuse at superonline.net
> remarks:        *********************************************
> abuse-mailbox:  abuse at superonline.net
> mnt-by:         MNT-TELLCOM
> created:        2007-08-06T06:35:11Z
> last-modified:  2016-03-15T09:39:06Z
> source:         RIPE # Filtered
>
> % Information related to '212.253.32.0/19AS34984'
>
> route:          212.253.32.0/19
> descr:          Tellcom ADSL
> origin:         AS34984
> mnt-by:         MNT-TELLCOM
> created:        2009-05-26T08:51:19Z
> last-modified:  2016-03-31T12:01:23Z
> source:         RIPE # Filtered
>
> % This query was served by the RIPE Database Query Service version 1.87.4
> (DB-2)
>
>
> [paulos at domwe ~]$
> [paulos at domwe ~]$
> [paulos at domwe ~]$ whois 5.254.65.9
> [Querying whois.arin.net]
> [Redirected to whois.ripe.net]
> [Querying whois.ripe.net]
> [whois.ripe.net]
> % This is the RIPE Database query service.
> % The objects are in RPSL format.
> %
> % The RIPE Database is subject to Terms and Conditions.
> % See http://www.ripe.net/db/support/db-terms-conditions.pdf
>
> % Note: this output has been filtered.
> %       To receive output for a database update, use the "-B" flag.
>
> % Information related to '5.254.64.0 - 5.254.127.255'
>
> % Abuse contact for '5.254.64.0 - 5.254.127.255' is 'abuse at globalcitytel.com'
>
> inetnum:        5.254.64.0 - 5.254.127.255
> netname:        Voxility
> descr:          IPs used by the customers of voxility.com
> descr:          Dimitrie Pompeiu 9-9A, Building 24
> descr:          Bucharest 020335, Romania
> country:        RO
> admin-c:        VOX100-RIPE
> tech-c:         VOX100-RIPE
> status:         LIR-PARTITIONED PA
> mnt-by:         GLOBALCITY-MNT
> mnt-lower:      GLOBALCITY-MNT
> mnt-lower:      VOXILITY-MNT
> mnt-routes:     VOXILITY-MNT
> created:        2015-04-29T11:35:35Z
> last-modified:  2016-09-06T09:32:58Z
> source:         RIPE
>
> person:         Voxility NOC
> remarks:        Team in Charge of Voxility Global IP
> remarks:        Backbone Management
> remarks:        Available 24/7 for routing issues and security incidents
> org:            ORG-SVS8-RIPE
> address:        Dimitrie Pompeiu 9-9A, Building 24
> address:        Bucharest 020335, Romania
> remarks:        noc at voxility.com
> abuse-mailbox:  abuse at voxility.com
> remarks:        +1.703-888-5811 (US)
> remarks:        +49.69-957-98952 (Germany)
> remarks:        +44 20-3355-1458 (UK)
> phone:          +40212074774
> nic-hdl:        VOX100-RIPE
> mnt-by:         VOXILITY-MNT
> created:        2012-08-04T15:50:52Z
> last-modified:  2013-10-07T19:48:57Z
> source:         RIPE # Filtered
>
> % Information related to '5.254.64.0/20AS3223'
>
> route:          5.254.64.0/20
> descr:          voxility.net
> origin:         AS3223
> mnt-by:         VOXILITY-MNT
> created:        2016-01-20T16:03:15Z
> last-modified:  2016-01-20T16:03:15Z
> source:         RIPE
>
> % This query was served by the RIPE Database Query Service version 1.87.4
> (ANGUS)
>
>
> [paulos at domwe ~]$
> ----------------------------------------------------------
> Malawi SDNP Webmail: http://www.sdnp.org.mw
> Access your Malawi SDNP e-mail from anywhere in the world.
> ----------------------------------------------------------
>
>