Hi Folks, now I've got another riddle for you... ;-)
I have a pair of two Debian boxes acting as a LAMP system; one is the web server (Apache 1.3.29, mod_gzip/1.3.26.1a, PHP 4.3.8), the other one acts as the database server (MySQL 4.0.20-log - latest release from backports.org). The servers are connected to each other via crossover cable (second network interface) and have their own little network 192.168.0.0. And, of course, they are connected to the internet. The mysqld only listens to the internal network, this means only on 192.168.0.1 ("bind-address" directive).

Let's say the boxes' names are "myhostname" for the mysql server and "other" for the web server. Now I sometimes get the following log entries:

--------------------
This mail is sent by logcheck. If you do not want to receive it any more, please modify the configuration files in /etc/logcheck or deinstall logcheck.

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Sep 22 00:13:55 myhostname mysqld[224]: 040922 0:13:55 Aborted connection 22958 to db: 'unconnected' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
Sep 22 00:15:07 myhostname mysqld[224]: 040922 0:15:07 Aborted connection 23013 to db: 'mysql' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
Sep 22 00:16:42 myhostname mysqld[224]: 040922 0:16:42 Aborted connection 22973 to db: 'fhauer_pre' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
Sep 22 00:20:47 myhostname mysqld[224]: 040922 0:20:47 Aborted connection 23166 to db: 'fhauer_pre' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
Sep 22 00:22:12 myhostname mysqld[224]: 040922 0:22:12 Aborted connection 22333 to db: 'fhauer_pre' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
Sep 22 00:22:36 myhostname mysqld[224]: 040922 0:22:36 Aborted connection 23186 to db: 'fhauer_pre' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
Sep 22 00:25:14 myhostname mysqld[224]: 040922 0:25:14 Aborted connection 22742 to db: 'fhauer' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
Sep 22 00:25:28 myhostname mysqld[224]: 040922 0:25:28 Aborted connection 22967 to db: 'mysql' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
Sep 22 00:25:51 myhostname mysqld[224]: 040922 0:25:51 Aborted connection 22331 to db: 'mysql' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
Sep 22 00:26:19 myhostname mysqld[224]: 040922 0:26:19 Aborted connection 22364 to db: 'fhauer' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
-------------------------------------------------------

Of course, normal DB connections (DB queries for serving the public web application) from other.host.name are NOT performed with the "root" username! I did not find any other suspect log entries, neither in syslog nor in the webserver's access_log or error_log. Everything else seems to be fine (also `netstat -lp`).

Now the questions are:

- Does anybody know what this means?
- As the logfile says, the connection attempt came from other.host.name (which is in the 192.168.0.0 network), not from outside. Is this possible without having cracked the other.host.name?
- Do I have to worry about this?

Have a nice day and many thanks in advance for any hint!

Andreas

--
procommerz - Internet fuer Unternehmen
www.procommerz.de | 033925-90710
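An added example, not part of the original post: a small triage script that parses mysqld "Aborted connection" entries in the format quoted above and summarises those made with an account the web server is not expected to use. The `webapp` account, the `EXPECTED` allow-list and the third sample line are assumptions made for illustration.

```python
import re
from datetime import datetime

# The first two lines are quoted from the post; the third is constructed,
# and the 'webapp' account in it is a hypothetical application user.
SAMPLE = """\
Sep 22 00:13:55 myhostname mysqld[224]: 040922 0:13:55 Aborted connection 22958 to db: 'unconnected' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
Sep 22 00:15:07 myhostname mysqld[224]: 040922 0:15:07 Aborted connection 23013 to db: 'mysql' user: 'root' host: `other.host.name' (Got timeout reading communication packets)
Sep 22 00:17:30 myhostname mysqld[224]: 040922 0:17:30 Aborted connection 23050 to db: 'fhauer' user: 'webapp' host: `other.host.name' (Got timeout reading communication packets)
"""

# Assumption: the only (user, host) pair the web server should use against mysqld.
EXPECTED = {("webapp", "other.host.name")}

ABORTED = re.compile(
    r"(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2})\s+Aborted connection (?P<id>\d+) "
    r"to db: '(?P<db>[^']*)' user: '(?P<user>[^']*)' "
    r"host: [`'](?P<host>[^']*)' \((?P<reason>[^)]*)\)"
)

def parse_aborted(text):
    """Return one dict per 'Aborted connection' entry, with a parsed timestamp."""
    entries = []
    for m in ABORTED.finditer(text):
        e = m.groupdict()
        # mysqld writes YYMMDD H:MM:SS; normalise whitespace before parsing.
        e["ts"] = datetime.strptime(" ".join(e["ts"].split()), "%y%m%d %H:%M:%S")
        entries.append(e)
    return entries

def unexpected_accounts(entries, expected=EXPECTED):
    """Summarise aborted connections whose (user, host) pair is not expected."""
    summary = {}
    for e in entries:
        key = (e["user"], e["host"])
        if key in expected:
            continue
        s = summary.setdefault(
            key, {"count": 0, "dbs": set(), "first": e["ts"], "last": e["ts"]})
        s["count"] += 1
        s["dbs"].add(e["db"])  # which schemas the account had selected
        s["first"] = min(s["first"], e["ts"])
        s["last"] = max(s["last"], e["ts"])
    return summary

if __name__ == "__main__":
    for (user, host), s in unexpected_accounts(parse_aborted(SAMPLE)).items():
        print(f"{user}@{host}: {s['count']} aborted, dbs={sorted(s['dbs'])}, "
              f"{s['first']} .. {s['last']}")
```

The time window and database list it reports can then be compared against cron jobs, backup scripts and admin tools on the web server that log in to MySQL as root.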