Many "Name or Service not known" RDNS entries in MySQL error log - how to trace

GrandAdmiral

cPanel Access Level: Root Administrator
Hi all

We keep receiving the following errors in our MySQL error log:

2019-11-02 2:47:13 111377 [Warning] Host name 'X-X-X-X.example.in-addr.arpa' could not be resolved: Name or service not known
2019-11-02 3:27:48 113358 [Warning] IP address 'X.X.X.X' could not be resolved: Name or service not known
2019-11-02 8:50:09 147361 [Warning] IP address 'X.X.X.X' has been resolved to the host name 'X.X.X.X.example.com', which resembles IPv4-address itself.

Obviously this is due to MySQL attempting to perform a reverse lookup for a connection attempt. My query is: how do we trace the source of these messages? I'm assuming a customer's site is compromised and it would be nice to be able to notify them.

I'm also concerned about any potential security ramifications. We have CSF enabled with port 3306 closed to the general public. I know there is an option to disable networking in MySQL completely; unfortunately we have to have this active and port 3306 accessible to our hosting provider's internal network so their backup software can interface with MySQL. We're on a dedicated VLAN etc., so it shouldn't be an issue from a security perspective, but it would be nice to confirm.

Any guidance greatly appreciated!
 

cPanelLauren

Product Owner
Staff member
If you thought that it was a compromise, the IP address would be useful to utilize in researching the logs - specifically:

/var/log/messages
/etc/apache2/logs/domlogs/
/etc/apache2/logs/error_log
 

GrandAdmiral

Hi Lauren

Other than some port scanning showing up in log/messages (blocked by CSF), there's nothing else of interest in those logs. Is there any way to monitor the source of these types of queries via MySQL?
 

cPanelLauren

The access logs would give you detail on what they're accessing. As far as with MySQL, if there is a specific query/process occurring, the following would tell you: MySQL 5.7 Reference Manual, 13.7.5.29 SHOW PROCESSLIST Syntax. It's real-time.

I would be concerned that you don't have MySQL port 3306 locked down to outside requests properly if this continues to occur though.
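
Added example (not from either poster and not cPanel's code): a small Python pass over the MySQL error log that groups the resolver warnings quoted in the first post by source and marks whether each address sits inside the network expected to reach port 3306. The `TRUSTED_NETS` range and the sample log lines are constructed for illustration; substitute your own backup VLAN range and log path.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the backup VLAN allowed to reach port 3306 (constructed value).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample lines in the format shown in the thread (documentation-range IPs).
SAMPLE_LOG = """\
2019-11-02 2:47:13 111377 [Warning] Host name '203-0-113-7.example.in-addr.arpa' could not be resolved: Name or service not known
2019-11-02 3:27:48 113358 [Warning] IP address '203.0.113.7' could not be resolved: Name or service not known
2019-11-02 4:01:02 113400 [Warning] IP address '10.20.0.15' could not be resolved: Name or service not known
2019-11-02 8:50:09 147361 [Warning] IP address '198.51.100.23' has been resolved to the host name '198.51.100.23.example.com', which resembles IPv4-address itself.
2019-11-02 9:12:40 150002 [Warning] IP address '203.0.113.7' could not be resolved: Name or service not known
"""

# Matches the three warning forms from the first post; \s+ tolerates padded hours.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d\s+\d{1,2}:\d\d:\d\d)\s+\d+\s+\[Warning\]\s+"
    r"(?P<kind>IP address|Host name) '(?P<src>[^']+)' "
    r"(?:could not be resolved|has been resolved to the host name)"
)

def classify(src):
    """Return 'trusted', 'external' or 'hostname-only' for a logged source."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "hostname-only"  # the log line carried a name, not an address
    return "trusted" if any(ip in net for net in TRUSTED_NETS) else "external"

def summarize(log_text):
    """Group resolver warnings by source: count, first/last timestamp, class."""
    out = defaultdict(lambda: {"count": 0, "first": None, "last": None, "class": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not one of the resolver warnings
        rec = out[m["src"]]
        rec["count"] += 1
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
        rec["class"] = classify(m["src"])
    return dict(out)

if __name__ == "__main__":
    for src, rec in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{rec['class']:13} {src:40} x{rec['count']} {rec['first']} .. {rec['last']}")
```

A source classed `external` is an address mysqld tried to resolve while handling a connection, so its first and last timestamps are the window to compare against the CSF rules for port 3306 and the logs listed earlier in the thread.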