Possible Hacker?

I am guessing this is the best category for this.

So I am working on developing a Windows application that connects to a MySQL database on a server of mine.
To protect MySQL from being hit in general, I've got the following process set up.

  • Server has an IPTables rule set up to block remote access to the MySQL port.
  • Application launches a web request to a hidden URL that does the following:
    • Checks for unique HTTP headers
    • If unique HTTP headers are correct, adds client IP to a list
    • IPs in the list get an IPTables allow-access-to-MySQL rule created by another script on the server
  • Application can now communicate with MySQL

What is weird is that moments after testing the app, I see a second request from an unknown IP to the hidden URL, perfectly mimicking the HTTP headers. If I change the URL and HTTP headers and test again, once again I get a mimicked request from an unknown IP.

The web server with the hidden URL that grants MySQL access is running HTTPS, and the connection is made over HTTPS. I do not see any weird traffic in NETSTAT's list of open connections on the server that could be sending traffic to a third-party location for traffic spying. I haven't done a running packet capture yet. I don't see any unknown running processes on the server.

Here are a few of the IPs that mimicked the request:

I am getting mixed reviews about the google-proxy IPs: some say they are all internal servers and some say they can be used by the public for proxying, but Google is not involved at all (no Google clients, no Google DNS, etc.). The TOR and PIA VPN connections make me worry.

Any ideas of what is going on, or what to check? I would like to get this settled before putting sensitive info in the MySQL database. (These unknown IPs aren’t attempting to connect to MySQL…yet)

I have seen some weird things going on using Chrome involving Google Proxies. Is your application in any way using Chrome?

If this is happening as soon as you try to use your application, my knee-jerk reaction is that somehow your connection is being routed through one of these sources. I would check to see how you normally connect to sites and see if your traffic is always going via these routes or if they are normal.

I’m going to venture that the db server is hosted at a VPS provider (Linode, Vultr, GCloud, AWS, etc.) and your WinApp is running on a physical machine (your dev box/laptop). The google-proxy hits are likely from GCloud/Compute instances running an automated “poke n see” probe, prolly the same for the PIA and Tor hits.

I would do two things if I was making this backend:

  1. Change the web service to provide a RESTful API with an OSS auth lib

  2. Use a salted preshared token auth method

The days of relying on an unpublished URL are long gone; your domain has prolly been hammered since the day you put something on it (mine has been for years). To answer your question, though: yes, this is some manner of automated recon before an attack. I’d go back and re-tool the API endpoint you’re exposing to be more secure.

Hope this helps, and sorry if I come off as rude - not meaning to be (I tend to get blunt when I’m in engineer mode).

I’m more than happy to answer any specific questions you have or help you come up with a more secure endpoint for your WinApp.

  • Steve
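As an added illustration of the two schemes discussed in this thread (the original poster's secret-header request that opens the MySQL port, and Steve's suggestion of a preshared token), here is example code that is not from the thread and not from either poster's application. It puts the static-header check, which accepts any exact copy of the request, beside a knock that carries an HMAC over the client's source IP, a timestamp and a single-use nonce. The header names, the secret, the window and the port-3306 allow rule are all assumptions made for the example; the server must take the IP from the TCP peer address, not from a forwardable header.

```python
"""Knock endpoint, two ways: the static secret headers from the post (any exact
copy is accepted) beside an HMAC token bound to source IP, time and a nonce.
Names, header values and the secret are assumptions made for this example."""
import hashlib
import hmac
import secrets
import time

STATIC_SECRET_HEADERS = {"X-App-Key": "opensesame", "X-App-Build": "1.4.2"}  # assumed
KNOCK_SECRET = b"preshared-secret-embedded-in-the-windows-app"  # assumed
MYSQL_PORT = 3306
WINDOW_SECONDS = 30


def verify_static(headers):
    """Scheme from the original post: accept when the unique headers match.
    A captured request replayed from any IP passes this check."""
    ok = all(headers.get(k) == v for k, v in STATIC_SECRET_HEADERS.items())
    return ok, ("headers match" if ok else "headers differ")


def _tag(secret, client_ip, ts, nonce):
    msg = f"{client_ip}|{ts}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_knock(secret, client_ip, now=None, nonce=None):
    """Client side: headers for one knock. The tag covers the public IP the
    client expects to arrive from, the current time and a fresh nonce."""
    ts = int(now if now is not None else time.time())
    nonce = nonce or secrets.token_hex(16)
    return {"X-Knock-Ts": str(ts), "X-Knock-Nonce": nonce,
            "X-Knock-Tag": _tag(secret, client_ip, ts, nonce)}


def verify_knock(secret, headers, observed_ip, seen_nonces, now=None):
    """Server side. observed_ip must be the TCP peer address, not a header.
    seen_nonces is a dict nonce -> ts kept by the caller. Returns (ok, reason)."""
    now = int(now if now is not None else time.time())
    try:
        ts = int(headers["X-Knock-Ts"])
        nonce = headers["X-Knock-Nonce"]
        tag = headers["X-Knock-Tag"]
    except (KeyError, ValueError):
        return False, "missing or malformed knock headers"
    if abs(now - ts) > WINDOW_SECONDS:
        return False, "stale timestamp"
    # Recompute over the address the server actually saw, so a capture that is
    # forwarded from another IP carries a tag that no longer matches.
    if not hmac.compare_digest(_tag(secret, observed_ip, ts, nonce), tag):
        return False, "bad tag (wrong secret or different source IP)"
    if nonce in seen_nonces:
        return False, "nonce already used (replay)"
    seen_nonces[nonce] = ts
    # Drop nonces that are outside the window and could not pass anyway.
    for old in [n for n, t in seen_nonces.items() if now - t > WINDOW_SECONDS]:
        del seen_nonces[old]
    return True, "ok"


def allow_rule(client_ip):
    """iptables argv the server-side script would run once a knock verifies."""
    return ["iptables", "-I", "INPUT", "-p", "tcp", "-s", client_ip,
            "--dport", str(MYSQL_PORT), "-j", "ACCEPT"]


def demo():
    """Constructed scenario: the developer knocks from 203.0.113.10 and a
    browser extension re-sends the captured request from 198.51.100.7."""
    dev_ip, proxy_ip, t0 = "203.0.113.10", "198.51.100.7", 1_700_000_000
    seen = {}
    knock = make_knock(KNOCK_SECRET, dev_ip, now=t0)
    stale = make_knock(KNOCK_SECRET, dev_ip, now=t0 - 600)
    return {
        "static_original": verify_static(dict(STATIC_SECRET_HEADERS)),
        "static_replayed_elsewhere": verify_static(dict(STATIC_SECRET_HEADERS)),
        "hmac_original": verify_knock(KNOCK_SECRET, knock, dev_ip, seen, now=t0),
        "hmac_replay_other_ip": verify_knock(KNOCK_SECRET, knock, proxy_ip, seen, now=t0 + 2),
        "hmac_replay_same_ip": verify_knock(KNOCK_SECRET, knock, dev_ip, seen, now=t0 + 2),
        "hmac_stale_copy": verify_knock(KNOCK_SECRET, stale, dev_ip, seen, now=t0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26s} {result}")
```

Running it shows the static check accepting the copied headers from anywhere, while for the HMAC knock a copy forwarded from another address fails on the tag, a copy resent from the same address fails on the nonce, and an old copy fails on the timestamp, even though each carries exactly the headers the legitimate client sent. That is the property the replayed requests in this thread would have tripped over. It does not protect a secret that can be pulled out of the app binary, and the IP binding assumes the client's public address stays the same between the knock and the MySQL connection.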

It’s running on one of the VMs on one of my ESXi servers that I have with HiVelocity.

I’m well aware of probing. But a probe doesn’t know the non-standard HTTP headers I am sending, and these are mimicking mine exactly.

The web service is just to open up firewall access to MySQL; MySQL is secured and hardened, and this is just to limit exposure to probing. The method you are suggesting would have no benefit, because right now the web requests are being mimicked immediately and exactly. Something is reading traffic. I wouldn’t say this is regular probing at all. It is very targeted: I can change the access URL, and immediately after my first legitimate request that URL is being hit, while other URLs are not being requested by the unknown IPs.

I am looking for possible ideas to track down where this data is leaking because I’m not seeing anything odd on the client or the server and data is encrypted in between.

Nope. And my DNS is not Google’s DNS servers either so they aren’t getting the DNS request for the host either.

I am not seeing any issues with my route between client and server, nor do I use TOR or PIA VPN.

I think I have found the solution. Apparently, somehow the method I am using to send the web request from my Windows app is having Google Chrome extensions applied to it. After disabling my Chrome extensions, no more unknown requests. So, it looks like there is no hacker in my systems.


I’m glad you were able to find the issue!

Regarding that, does anyone know why Chrome likes using proxies?

That’s great! Glad it was simple! Weird that you’d see a tor exit up hitting your server though. :thinking:

Google’s data collection. Why I do not use Chrome.