
hack attempt

  • 27-02-2005 11:54pm
    #1
    Registered Users Posts: 8,219 ✭✭✭


    Folks,

    not a network specialist by any manner or means, but my firewall threw up a warning that IP address 24.248.7.132 was trying to access mysql.exe. I have MySQL but I had some problems setting it up so I haven't got it fully functional yet.

    I did a check on the IP address, and one IP tracer came up with Phoenix Arizona, and the IP range is owned by a cable network company called Cox Communications. According to WHOIS, they are located in Atlanta.

    I realise that this is probably common place, but I'm wondering if there are answers to the following questions:

    How does someone in Arizona figure out I've got mysql.exe on my computer? Is it some kind of scanning, and
    once connected, what is the purpose? Is it using it as an email relay (which would surprise me because at home I'm on dial-up) or is it something altogether more sinister?
    Is there anything to be gained from taking a screenshot and emailing it to the cable provider over there?

    I have the firewall set up to highlight everything and instead of blanket rejecting everything I've decided to look at where these are coming from before rejecting them...just out of interest.

    If anyone has any ideas on this, I'd be interested to see them.


Comments

  • Registered Users Posts: 22,231 ✭✭✭✭Sparky


    Don't worry, I get the exact same reports as you (well, up to 200 or 1000 a day).
    It's your firewall informing you that it has blocked the incoming connection on the port commonly used by that programme. Anyway, if you have a good firewall, which I hope you do, your computer will be hidden from the outside world.
    Hope this helps.


  • Registered Users Posts: 8,219 ✭✭✭Calina


    I do have a good firewall and I'm not too worried about something getting in. I am more interested in the why....

    but thanks anyway.


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    Probably a MySQL worm. I get loads of them too.


  • Registered Users Posts: 7,739 ✭✭✭mneylon


    your computer will be hidden from the outside world.
    Only if you turn off ICMP which will break other things.


  • Closed Accounts Posts: 1,502 ✭✭✭MrPinK


    Calina wrote:
    How does someone in Arizona figure out I've got mysql.exe on my computer? Is it some kind of scanning, and
    once connected, what is the purpose?
    They don't have to know. A programme could try connecting to every possible IP address, and it will have found a vulnerable machine running mysql.exe very quickly.


  • Registered Users Posts: 1,067 ✭✭✭tomk


    Also, the machine that's trying to connect could also be infected without the owner knowing, and could be trying to pass on the worm to anyone with the right port open.
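    The two patterns the replies describe (a worm trying every address for one port, versus one host probing a single machine) look different in a firewall's block log. Added example, not code from the thread or from any firewall product: the log line format and every address below are constructed, and the thresholds `min_sources` and `min_ports` are assumptions to tune for your own volume.

```python
"""Triage firewall block logs: many sources hitting one port versus one source
sweeping many ports.

Added example (not from the thread). The log format and all addresses are
constructed; real firewalls log in their own formats.
"""
import re
from collections import defaultdict

# Constructed format: "<date> <time> BLOCK <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) BLOCK (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: four unrelated hosts knock on 3306 (MySQL) over an hour,
# one host walks through several services, and one line is not a block record.
SAMPLE_LOG = """
2005-02-27 23:50:01 BLOCK TCP 203.0.113.5:3621 -> 192.168.1.2:3306
2005-02-27 23:52:14 BLOCK TCP 198.51.100.77:1180 -> 192.168.1.2:3306
2005-02-27 23:55:40 BLOCK TCP 203.0.113.5:3622 -> 192.168.1.2:3306
2005-02-28 00:01:09 BLOCK TCP 192.0.2.44:4011 -> 192.168.1.2:3306
2005-02-28 00:03:33 BLOCK TCP 198.51.100.9:2200 -> 192.168.1.2:3306
2005-02-28 00:10:00 BLOCK TCP 192.0.2.250:5001 -> 192.168.1.2:21
2005-02-28 00:10:00 BLOCK TCP 192.0.2.250:5002 -> 192.168.1.2:22
2005-02-28 00:10:01 BLOCK TCP 192.0.2.250:5003 -> 192.168.1.2:25
2005-02-28 00:10:01 BLOCK TCP 192.0.2.250:5004 -> 192.168.1.2:80
2005-02-28 00:10:02 BLOCK TCP 192.0.2.250:5005 -> 192.168.1.2:135
2005-02-28 00:10:02 BLOCK TCP 192.0.2.250:5006 -> 192.168.1.2:445
firewall restarted: log rotated
""".strip().splitlines()


def parse_line(line: str):
    """Return a dict for a block record, or None for lines that are not one."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarise(lines):
    """Index blocked attempts two ways: sources per port, and ports per source."""
    by_port = defaultdict(set)   # dport -> distinct source addresses
    by_src = defaultdict(set)    # src  -> distinct destination ports
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_port[rec["dport"]].add(rec["src"])
        by_src[rec["src"]].add(rec["dport"])
    return by_port, by_src


def classify(lines, min_sources=3, min_ports=5):
    """Label the two shapes of scanning traffic (thresholds are assumptions)."""
    by_port, by_src = summarise(lines)
    findings = []
    for port, srcs in sorted(by_port.items()):
        if len(srcs) >= min_sources:
            findings.append(
                f"port {port}: {len(srcs)} distinct sources "
                "(many hosts probing one service: worm-style background scanning)"
            )
    for src, ports in sorted(by_src.items()):
        if len(ports) >= min_ports:
            findings.append(
                f"{src}: {len(ports)} distinct ports "
                "(one host sweeping many services: targeted scan)"
            )
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG):
        print(finding)
```

    The many-to-one pattern on a single port is the background noise the replies describe and is rarely worth reporting; the per-source summary for a one-to-many sweep is the kind of concrete record (timestamps, source address, ports) an abuse report to the source's provider needs, rather than a screenshot.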


  • Registered Users Posts: 8,219 ✭✭✭Calina


    Thanks a lot folks, this has been illuminating. I didn't know there was such a thing as a mysql worm.


  • Registered Users Posts: 683 ✭✭✭Gosh


    It's been around for about a month now

    http://www.theregister.co.uk/2005/01/28/mysql_worm/


  • Registered Users Posts: 1,184 ✭✭✭causal


    blacknight wrote:
    Only if you turn off ICMP which will break other things.
    Can you explain that please :confused:
    Do you mean it will break some nasty attacks, or it will break your security, or what's the story?

    Thanks,
    causal


  • Registered Users Posts: 7,739 ✭✭✭mneylon


    ICMP is not an after thought. If you disable it you can break a lot of other things.
    Security through obscurity is not recommended.


  • Closed Accounts Posts: 345 ✭✭tck


    causal wrote:
    Can you explain that please :confused:
    Do you mean it will break some nasty attacks, or it will break your security, or what's the story?

    Thanks,
    causal


    People use ICMP packets for testing networks; examples would be traceroute and ping replies. There are many different types, e.g. ICMP type 8 (otherwise known as ping) or ICMP type 5 redirect messages sent by routers. Disabling them all in a busy network etc. could work against you.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 91,880 Mod ✭✭✭✭Capt'n Midnight


    MrPinK wrote:
    They don't have to know. A programme could try connecting to every possible IP address, and it will have found a vulnerable machine running mysql.exe very quickly.
    Yawn.. it would be a "Warhol worm" and it's already happened with SQL, didn't you know?
    http://www.bullguard.com/antivirus/news_183.aspx
    The SQL Slammer worm began infecting hosts slightly before 05:30 UTC on Saturday January 25th
    by 05:40 UTC the worldwide damage was done.
    http://software.silicon.com/security/0,39024655,10002724,00.htm
    SQL Slammer, also known as the Sapphire worm, infected more than 90 per cent of vulnerable computers within just 10 minutes, opening a new era of fast-spreading viruses on the internet, according to a US think tank.


  • Registered Users Posts: 7,739 ✭✭✭mneylon


    tck wrote:
    People use ICMP packets for testing networks; examples would be traceroute and ping replies. There are many different types, e.g. ICMP type 8 (otherwise known as ping) or ICMP type 5 redirect messages sent by routers. Disabling them all in a busy network etc. could work against you.
    We see mail being broken all the time because of it being off


  • Registered Users Posts: 4,676 ✭✭✭Gavin


    ICMP is used for a lot more than simple pings & traceroutes. It is used for redirecting incorrectly routed packets, timestamping, reporting incorrectly formatted packets, the TTL value hitting zero, etc. It runs in the background fixing problems and setting values. For more info, check out a book, Computer Networks, by Tanenbaum or
    http://en.wikipedia.org/wiki/ICMP

    Gav


  • Registered Users Posts: 1,184 ✭✭✭causal


    Thanks for the replies on ICMP :)

    My gateway/router has a feature 'Block ICMP Ping' briefly described as "You can configure the Router not to respond to an ICMP Ping ...The router will not respond to an ICMP ping."

    From reading the link posted by Verb, my understanding of the statement above is that my gateway won't send an ICMP message 0 in response to an ICMP message 8.
    But presumably it will still respond to other ICMP messages.
    I also guess that it's easy for a hacker to send these other ICMP messages and determine from the response received whether or not there was a device at the address.

    So if I understand you correctly Blacknight, that's why you say the only way to remain invisible is to turn off ICMP (totally) - but that then there are consequences of not responding to ANY ICMP messages.

    Is my understanding accurate?

    Thanks,
    causal


  • Closed Accounts Posts: 345 ✭✭tck


    even turning off ICMP won't be 100% guaranteed, just test it and see the results!


  • Registered Users Posts: 4,676 ✭✭✭Gavin


    Just leave ICMP on, it doesn't particularly damage your security if you have a decent firewall.

    Gav
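    The distinction the thread settles on, between a router's "Block ICMP Ping" option (drop echo requests only) and "turning ICMP off" (drop every ICMP message, including the error reports tck and Gavin describe), can be made concrete by decoding a few ICMP messages and running two filtering policies over them. Added example, not code from the thread or from any router or firewall: the type and code numbers are the RFC 792 values, the sample packets are constructed inline, and the two policy functions and their names are assumptions made for illustration.

```python
"""Decode ICMP messages and compare "block ping only" with "block all ICMP".

Added example (not code from the thread). ICMP type/code numbers are the
RFC 792 values; the sample packets and the policy functions are constructed.
"""
import struct
from dataclasses import dataclass

# RFC 792 message types that come up in the thread
ECHO_REPLY = 0
DEST_UNREACHABLE = 3
REDIRECT = 5
ECHO_REQUEST = 8          # "ping"
TIME_EXCEEDED = 11        # TTL hit zero: what traceroute relies on
FRAG_NEEDED = 4           # DEST_UNREACHABLE code used by path-MTU discovery

TYPE_NAMES = {
    ECHO_REPLY: "echo reply",
    DEST_UNREACHABLE: "destination unreachable",
    REDIRECT: "redirect",
    ECHO_REQUEST: "echo request",
    TIME_EXCEEDED: "time exceeded",
}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message (8-byte header + payload) with a correct checksum."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    csum = internet_checksum(body)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


@dataclass(frozen=True)
class IcmpMessage:
    icmp_type: int
    code: int
    checksum_ok: bool

    def describe(self) -> str:
        name = TYPE_NAMES.get(self.icmp_type, "type %d" % self.icmp_type)
        return f"{name} code {self.code}"


def parse_icmp(packet: bytes) -> IcmpMessage:
    """Decode type and code; the checksum of an intact message recomputes to 0."""
    if len(packet) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    return IcmpMessage(icmp_type, code, internet_checksum(packet) == 0)


# Assumed policies. The router's "Block ICMP Ping" drops only echo requests;
# "turn ICMP off" drops everything, including the error messages that
# traceroute, path-MTU discovery and therefore mail delivery depend on.
def policy_block_ping_only(msg: IcmpMessage) -> bool:
    return msg.icmp_type != ECHO_REQUEST


def policy_block_all_icmp(msg: IcmpMessage) -> bool:
    return False


def filter_messages(packets, policy):
    """Return which messages the policy accepts and which it drops."""
    accepted, dropped = [], []
    for pkt in packets:
        msg = parse_icmp(pkt)
        # a corrupt checksum is dropped before any policy decision
        if msg.checksum_ok and policy(msg):
            accepted.append(msg.describe())
        else:
            dropped.append(msg.describe())
    return {"accepted": accepted, "dropped": dropped}


# Constructed sample traffic: a ping, a PMTUD "fragmentation needed" report
# (next-hop MTU 1400 in the second half of the header), a traceroute reply,
# a router redirect, and an echo reply with one corrupted byte.
_good_reply = build_icmp(ECHO_REPLY, 0, payload=b"pong")
SAMPLE_PACKETS = [
    build_icmp(ECHO_REQUEST, 0, payload=b"ping"),
    build_icmp(DEST_UNREACHABLE, FRAG_NEEDED, rest=struct.pack("!HH", 0, 1400)),
    build_icmp(TIME_EXCEEDED, 0),
    build_icmp(REDIRECT, 1, rest=bytes([192, 0, 2, 1])),
    _good_reply[:4] + b"\xff" + _good_reply[5:],
]

if __name__ == "__main__":
    for name, policy in (("block ping only", policy_block_ping_only),
                         ("block all ICMP", policy_block_all_icmp)):
        print(name, filter_messages(SAMPLE_PACKETS, policy))
```

    Under the first policy the "fragmentation needed", "time exceeded" and redirect messages still get through, so path-MTU discovery and traceroute keep working while the host no longer answers pings; under the second nothing does, which is the breakage mneylon and tck warn about. A stateful firewall that only admits ICMP errors related to connections it has seen is the usual middle ground, and the stand-alone checksum check shows why a filter should validate a message before acting on it.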

