Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

hack attempt

  • 27-02-2005 10:54pm
    #1
    Registered Users, Registered Users 2 Posts: 8,219 ✭✭✭


    Folks,

    not a network specialist by any manner or means, but my firewall threw up a warning that IP address 24.248.7.132 was trying to access mysql.exe. I have MySQL but I had some problems setting it up so I haven't got it fully functional yet.

    I did a check on the IP address, and one IP tracer came up with Phoenix Arizona, and the IP range is owned by a cable network company called Cox Communications. According to WHOIS, they are located in Atlanta.

    I realise that this is probably common place, but I'm wondering if there are answers to the following questions:

    How does some being in Arizona figure out I've got mysql.exe on my computer is it some kind of scanning and
    once connected what is the purposes? Is it using it as an email relay (which would surprise me because at home I'm on dial-up) or is it something altogether more sinister?
    Is there anything to be gained from taking a screenshot and emailing it to the cable provider over there?

    I have the firewall set up to highlight everything and instead of blanket rejecting everything I've decided to look at where these are coming from before rejecting them...just out of interest.

    If anyone has any ideas on this, I'd be interested to see them.


Comments

  • Registered Users, Registered Users 2 Posts: 22,231 ✭✭✭✭Sparky


    Dont worry I get the exact same as you (well up to 200 or 1000 a day) reports like you.
    Its your firewall informing you that it has blocked the incoming connection port commonly used by that programme, anyway if you have a good firewall, which I hope you do, your computer will be hidden to the outside world.
    Hope this helps.


  • Registered Users, Registered Users 2 Posts: 8,219 ✭✭✭Calina


    I do have a good firewall and I'm not too worried about something getting in. I am more interested in the why....

    but thanks anyway.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Probably a MySQL worm. I get loads of them too.


  • Registered Users, Registered Users 2 Posts: 7,740 ✭✭✭mneylon


    your computer will be hidden to the outside world.
    Only if you turn off ICMP which will break other things.


  • Closed Accounts Posts: 1,502 ✭✭✭MrPinK


    Calina wrote:
    How does some being in Arizona figure out I've got mysql.exe on my computer is it some kind of scanning and
    once connected what is the purposes?
    They don't have to know. A programme could try connecting to every possible IP address, and it will have found a vunurable machine running mysql.exe very quickly.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 1,067 ✭✭✭tomk


    Also, the machine that's trying to connect could also be infected without the owner knowing, and could be trying to pass on the worm to anyone with the right port open.


  • Registered Users, Registered Users 2 Posts: 8,219 ✭✭✭Calina


    Thanks a lot folks, this has been illuminating. I didn't know there was such a thing as a mysql worm.


  • Registered Users, Registered Users 2 Posts: 683 ✭✭✭Gosh


    It's been around for about a month now

    http://www.theregister.co.uk/2005/01/28/mysql_worm/


  • Registered Users, Registered Users 2 Posts: 1,184 ✭✭✭causal


    blacknight wrote:
    Only if you turn off ICMP which will break other things.
    Can you explain that please :confused:
    Do you mean it will break some nasty attacks, or it will break your security, or what's the story?

    Thanks,
    causal


  • Registered Users, Registered Users 2 Posts: 7,740 ✭✭✭mneylon


    ICMP is not an after thought. If you disable it you can break a lot of other things.
    Security through obscurity is not recommmended


  • Advertisement
  • Closed Accounts Posts: 345 ✭✭tck


    causal wrote:
    Can you explain that please :confused:
    Do you mean it will break some nasty attacks, or it will break your security, or what's the story?

    Thanks,
    causal


    People use ICMP packets for testing networks, examples would be traceroute and ping replies. There are many diff types, ICMP type 8 (otherwise known as ping) or ICMP type 5 re-direct messages sent by routers. Disabling them all in a busy network etc.. could work against you.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,596 Mod ✭✭✭✭Capt'n Midnight


    MrPinK wrote:
    They don't have to know. A programme could try connecting to every possible IP address, and it will have found a vunurable machine running mysql.exe very quickly.
    Yawn.. it would be a "Warhol worm" and it's already happened with SQL didn't you know ?
    http://www.bullguard.com/antivirus/news_183.aspx
    The SQL Slammer worm began infecting hosts slightly before 05:30 UTC on Saturday January 25th
    by 05:40 UTC the worldwide damage was done.
    http://software.silicon.com/security/0,39024655,10002724,00.htm
    SQL Slammer, also known as the Sapphire worm, infected more than 90 per cent of vulnerable computers within just 10 minutes, opening a new era of fast-spreading viruses on the internet, according to a US think tank.


  • Registered Users, Registered Users 2 Posts: 7,740 ✭✭✭mneylon


    tck wrote:
    People use ICMP packets for testing networks, examples would be traceroute and ping replies. There are many diff types, ICMP type 8 (otherwise known as ping) or ICMP type 5 re-direct messages sent by routers. Disabling them all in a busy network etc.. could work against you.
    We see mail being broken all the time because of it being off


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    ICMP is used for a lot more than simple pings & traceroutes. It can be used to redirect incorrectly routed packets, timestamping, incorrectly formatted packets, the ttl value hitting zero, etc. It runs in the background fixing problems, and setting values. For more info, check out a book, Computer Networks, from Tanenbaum or
    http://en.wikipedia.org/wiki/ICMP

    Gav


  • Registered Users, Registered Users 2 Posts: 1,184 ✭✭✭causal


    Thanks for the replies on ICMP :)

    My gateway/router has a feature 'Block ICMP Ping' briefly described as "You can configure the Router not to respond to an ICMP Ping ...The router will not respond to an ICMP ping."

    From reading the link posted by Verb; my understanding of the statement above is that my gateway won't send an ICMP message 0, in reponse to an ICMP message 8.
    But presumably it will still respond to other ICMP messages.
    I also guess that it's easy for a hacker to send these other ICMP messages and determine from the response received whether or not there was a device at the address.

    So if I understand you correctly Blacknight, that's why you say the only way to remain invisible is to turn off ICMP (totally) - but that then there are consequences of not responding to ANY ICMP messages.

    Is my understanding accurate?

    Thanks,
    causal


  • Closed Accounts Posts: 345 ✭✭tck


    even turning off ICMP won't be 100% guaranteed, just test it and see the results!


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    Just leave ICMP on, it doesn't particularly damage your security if you have a decent firewall.

    Gav


Advertisement