Related

Product Now Available: Managed MySQL Databases Product
Install MySQL on New Droplet Question Question
How can I solve error "SQLSTATE[HY000] [2002] Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)" Question Question

Question

IP addresses in MySQL logs

Posted June 5, 2020 143 views
MySQL

While going through the MySQL logs from a DO instance, I found the following entries:

2020-06-04T08:14:44.965714Z 2 [Warning] Hostname 'rnd.group-ib.ru' does not resolve to '80.82.70.118'.
2020-06-04T08:14:44.965862Z 2 [Note] Hostname 'rnd.group-ib.ru' has the following IP addresses:
2020-06-04T08:14:44.965873Z 2 [Note]  - 5.9.185.30
2020-06-04T14:20:41.322359Z 3 [Warning] Host name 'zg-0428c-606.stretchoid.com' could not be resolved: Name or service not known

I have never seen this before. Could this be a potential security concern?

Add a comment
AGhafoori
By:
AGhafoori
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
2 answers
KFSys June 5, 2020

Hi @AGhafoori,

Hmm this does look troubling. Usually, this doesn’t give out IP addresses unless specifically told so. I’ll recommend to check your whole log and see if these IP addresses occur on other lines of the log.

Additionally, you can try and enable a MySQL option which shows what command the IP Address has executed. To accomplish it, just enable the general logs in MySQL. To enable it you can follow different ways.

Put this in my.cnf file of your MySQL:

general-log=1

After that, restart MySQL server and it will start logging everything in the log file.

You can start the MySQL server with this variable at command line --general_log and it will also start creating the log file.

These logs will have all the information regarding who connected to your server and what all commands they used or executed.

Regards,
KDSys

Reply Report
AGhafoori June 5, 2020

Hello @KDSys,

Thanks for the suggestions. I’ll treat the server as compromised and proceed to change my keys, password etc.

Reply Report
  • KFSys June 9, 2020

    That would be the most sensible option yes.

    Another thing I would suggest you to run is to check if any important files have been changed recently. Just in case. Having said that, this is related only to MySQL so maybe you should check your data in the databases rather than the whole server.

    Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help