MySQL queries killed

patrickkasie (Verified User, joined Sep 21, 2021, 241 messages, location: A real Dutchman)
Dear forum,

A week or two ago a lot of queries came into this particular VPS and I wasn't bothered back then to read it, but I can definitely see something fishy going on with the queries killing themselves. I don't know how to interpret this though, or rather, what to do with it.


All the connections are coming from a Microsoft IP address, and they also happened last week. My colleague hinted that it might be an Azure bot crawling our sites, completely locking us up twice in the past week. I've been thinking about blocking the IP address, but I'm undecided as long as I don't know why it's going on like this. My question is: do I contact [email protected] for this or is there something else I should be doing instead?

Regards,

Patrick
 
Maybe others have some ideas, but I would surely have a look at the apache-status page.
I always enable the extended logging in the httpd-info file and enable my IP so I can visit it.

And then you can visit it at:
Same for server-info by the way. But in the server-status you can see what is visited/requested and by whom. You can verify the IPs. If it's indeed a bot of Microsoft you might try to send them a mail.
 
I've contacted the Azure forum and I've got a response from a Microsoft employee, and they'll look into it. It seems one of the IP addresses was indeed an Azure IP address, according to the tool I used (Azure IP lookup).
 
Just block the IPs, I have had this lots of times with MS IP ranges, or (when using WordPress) install the Wordfence plugin and throttle the maximum number of connections per IP.
 
Hmm. I have enabled the server-status earlier today, and about an hour ago the load picked up again, with that same IP address in the Message Board with all of its connections. Here's the thing though: when looking at the server-status, it gives a whole array of different IP addresses, all visiting other sites across the VPS. I cannot block all of them obviously. Yes, it sounds like a DDoS, but it seems to have commenced after the following line in my access_log appeared:

198.235.24.150 - - [14/Jun/2022:11:57:26 +0200] "GET / HTTP/1.1" 200 275 "-" "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: [email protected]"

My question becomes: how do I read the log correctly, along with the Message Board and the server-status?
edit: the same IP address from the pastebin appeared again on the Message Board
 
Is the attack coming from the same ASN number? Block the whole ASN with CSF.

198.235.24.150 ASN396982 GOOGLE-CLOUD-PLATFORM 198.235.24.0/24
 
My question becomes: how do I read the log correctly,
It's normal that you see a lot of IPs visiting, because multiple users will visit the various sites, so it's always a question of having a good look.

Like @Active8 says, look for a load of entries from the same ASN. Also check if there are multiple IPs with a very high number of requests and CPU time compared to the others.
I mostly check if it's more than at least 7 IPs and then check with nslookup where they are coming from. But I only block those causing issues, and those mostly have more than 20 entries in the status.
 
Unfortunately, I'm not sure how to do either of your requests, and I'm not sure where to begin. I'm assuming it's System Administrator 101 stuff that I ought to know, but I've never been in touch with this stuff until I knew more about it. How do I do this?

CentOS 7

Kind regards
 
Hmmz... well.. some easy example (one server-status row, columns run together by the forum table):
2-5-0/0/210.0.005250101229540.00.002.85 51.68.11.203 http/1.1 www.somedomain.nl:443 POST /xmlrpc.php HTTP/1.1

I have to edit because otherwise I don't know how to get out of the table. :)

Anyway... what you see here is a POST to /xmlrpc.php, which is in 99.9999% of the cases an attack.
Sometimes this happens with multiple IPs.

Behind the date are the CPU and request columns. Now if you see this IP 51.68.11.203 more often, check where it's coming from with nslookup.
Which is some OVH server. Servers of VPS systems are not normal home users and especially do not use that post xmlrpc.php command.

You can block that IP, or the complete range.
Check here for example:
or some other similar site.

You will see that it's OVH. And somewhere below you can find either the CIDR or the cluster, which is 51.68.0.0/16 in this case.
So block that one in CSF.
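As an added example (not code from this thread or from DirectAdmin), a small Python script that does what the replies above describe by hand: it counts requests per IP in an access_log in the combined format quoted earlier, flags POSTs to /xmlrpc.php, and checks whether a flagged address falls inside a range such as 51.68.0.0/16 before you block that range in CSF. The sample log lines are constructed (192.0.2.10 is a documentation address, and the scanner line is shortened from the one quoted in the thread); the 20-request threshold is the one mentioned above.

```python
import ipaddress
import re
from collections import Counter

# Apache "combined" log format, matching the access_log line quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# POSTs to this path are treated as abuse on a WordPress host, as the thread says.
SUSPICIOUS_POSTS = {"/xmlrpc.php"}

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarise(lines, threshold=20):
    """Count requests and xmlrpc POSTs per IP; flag IPs at or above threshold."""
    hits, xmlrpc = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip malformed lines instead of crashing
            continue
        hits[rec["ip"]] += 1
        if rec["method"] == "POST" and rec["path"] in SUSPICIOUS_POSTS:
            xmlrpc[rec["ip"]] += 1
    noisy = sorted(ip for ip, n in hits.items() if n >= threshold)
    return hits, xmlrpc, noisy

def in_range(ip, cidr):
    """True if ip falls inside cidr, e.g. the 51.68.0.0/16 block named in the thread."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

# Constructed sample: one scanner line adapted from the thread, 25 xmlrpc POSTs from
# the OVH address named in the thread, and two ordinary hits from a documentation IP.
SAMPLE = [
    '198.235.24.150 - - [14/Jun/2022:11:57:26 +0200] "GET / HTTP/1.1" 200 275 "-" '
    '"Expanse, a Palo Alto Networks company"',
    '192.0.2.10 - - [14/Jun/2022:12:00:01 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [14/Jun/2022:12:00:03 +0200] "GET /style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
] + [
    f'51.68.11.203 - - [14/Jun/2022:12:01:{i:02d} +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"'
    for i in range(25)
]

if __name__ == "__main__":
    hits, xmlrpc, noisy = summarise(SAMPLE)
    for ip in noisy:
        print(f"{ip}: {hits[ip]} requests, {xmlrpc[ip]} POST /xmlrpc.php, in 51.68.0.0/16: {in_range(ip, '51.68.0.0/16')}")
```

Run it against a real access_log with `summarise(open("/var/log/httpd/domains/example.log"))` (path assumed; adjust to your DirectAdmin layout) and look up the flagged IPs with nslookup or an ASN lookup before deciding on a block.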
 