I am guessing this is the best category for this.
So I am working on developing a Windows application that connects to a MySQL database on a server of mine.
To protect the MySQL from being hit in general I’ve got the following process set up.
- Server has an IPTables rule set up to block remote access to the MySQL port.
- Application launches a web request to a hidden URL that does the following:
  - Checks for unique HTTP headers
  - If the unique HTTP headers are correct, adds the client IP to a list
  - IPs in the list have an IPTables "allow access to MySQL" rule created with another script on the server
- Application can now communicate with MySQL
What is weird is that moments after testing the app, I see a second request from an unknown IP to the hidden URL perfectly mimicking the HTTP headers. If I change the URL and HTTP headers and test again, once more I get a mimicked request from an unknown IP.
The web server with the hidden URL that grants MySQL access is running HTTPS, and the connection is made over HTTPS. I do not see any weird traffic in NETSTAT's list of open connections on the server that might be sending traffic out to a 3rd-party location for traffic spying. I haven’t done a running packet capture yet. I don’t see any unknown running processes on the server.
Here are a few of the IPs that mimicked the request:
- 18.104.22.168 (google-proxy-66-249-88-83.google.com)
- 22.214.171.124 (google-proxy-66-249-88-85.google.com)
- 126.96.36.199 (google-proxy-66-249-88-87.google.com)
- 188.8.131.52 (tor-exit1.sjc02.svwh.net)
- 184.108.40.206 (slc-exit.privateinternetaccess.com)
I am getting mixed reviews about the google-proxy IPs: some say they are all internal servers and some say they can be used by the public for proxying, but Google is not involved at all (no Google clients, no Google DNS, etc.). The TOR and PIA VPN connections make me worry.
Any ideas what is going on, or what to check? I would like to get this settled before putting sensitive info in the MySQL database. (These unknown IPs aren’t attempting to connect to MySQL… yet.)
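As an added example (not code from the original post), here is a small Python audit of the server's access log for the grant endpoint, which is the first thing to check when the question is "who else is reaching this URL, and how soon after my own request". It assumes a constructed log format in which the web server appends the value of the app's custom header to each line; the path `/grant-7f3a`, the header value `k9-example-key`, the IP addresses and the timestamps are all placeholders made up for this example.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Assumed (constructed) access-log format for the grant endpoint. The web server
# is configured to append the app's custom header value as the last quoted field:
#   <client ip> [<time>] "<method> <path> HTTP/1.1" <status> "<user agent>" "<X-App-Key>"
# In production, log a hash of the header value rather than the secret itself.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)" "(?P<key>[^"]*)"$'
)
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log: one hit from the app's own IP, one mimic with the correct
# header four seconds later, an unrelated page hit, and a probe with a wrong header.
SAMPLE_LOG = """\
203.0.113.10 [2016-03-01 12:00:00] "GET /grant-7f3a HTTP/1.1" 200 "MyApp/1.0" "k9-example-key"
198.51.100.7 [2016-03-01 12:00:04] "GET /grant-7f3a HTTP/1.1" 200 "MyApp/1.0" "k9-example-key"
203.0.113.10 [2016-03-01 12:01:00] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0" "-"
192.0.2.55 [2016-03-01 12:01:30] "GET /grant-7f3a HTTP/1.1" 403 "curl/7.47" "wrong"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line into its fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_grant_hits(lines: List[str], grant_path: str, expected_key: str,
                     expected_ips: Set[str]) -> List[Dict[str, object]]:
    """Return one record per request to the grant path.

    A hit is flagged suspicious when it presents the correct header value
    but comes from an IP that is not one of the app's known client IPs.
    """
    records: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != grant_path:
            continue
        out: Dict[str, object] = dict(rec)
        out["when"] = datetime.strptime(rec["time"], TIME_FMT)
        out["key_matches"] = rec["key"] == expected_key
        out["from_expected_ip"] = rec["ip"] in expected_ips
        out["suspicious"] = bool(out["key_matches"] and not out["from_expected_ip"])
        records.append(out)
    return records


def suspicious_ips(records: List[Dict[str, object]]) -> List[str]:
    """Distinct source IPs that replayed the correct header from outside the allowlist."""
    return sorted({str(r["ip"]) for r in records if r["suspicious"]})


def delays_after_expected(records: List[Dict[str, object]]) -> List[Tuple[str, float]]:
    """For each suspicious hit, seconds elapsed since the latest earlier hit from an
    expected IP (None-free: hits with no preceding expected hit are skipped)."""
    result: List[Tuple[str, float]] = []
    last_expected: Optional[datetime] = None
    for r in sorted(records, key=lambda x: x["when"]):
        if r["from_expected_ip"]:
            last_expected = r["when"]  # type: ignore[assignment]
        elif r["suspicious"] and last_expected is not None:
            delta = (r["when"] - last_expected).total_seconds()  # type: ignore[operator]
            result.append((str(r["ip"]), delta))
    return result


if __name__ == "__main__":
    recs = audit_grant_hits(SAMPLE_LOG.splitlines(), "/grant-7f3a",
                            "k9-example-key", {"203.0.113.10"})
    for ip, secs in delays_after_expected(recs):
        print(f"correct header from unlisted IP {ip}, {secs:.0f}s after the app's own request")
```

Run against the real log with the real path, header value and the app's public IP(s); a non-empty `suspicious_ips` result confirms the header is being replayed rather than merely guessed, and `delays_after_expected` puts a number on the "moments after" observation so it can be compared across test runs and URL changes.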