English Amiga Board


Old 27 June 2013, 21:28   #1
RCK
Administrator

Join Date: Feb 2001
Location: Paris / France
Age: 41
Posts: 2,944
Strange attack - offline for 5 hours

My server went crazy today at 16h00 (GMT+1).

I got a lot of fat SQL requests (especially in HOL), which took down the MySQL service and left Apache driving up the server load average while waiting for a response. I don't know if it's a spider bot or human behavior.

I had to move the traffic out to IRC, then reboot the server to let MySQL rebuild its tables, then check the log and verify everything was OK.

We are now online, 5 hours after the beginning of the incident. I will now closely monitor the abime.net server and scan for those badass requests.

Cheers,
Old 27 June 2013, 21:31   #2
Joe Maroni
Moderator

Join Date: Feb 2003
Location: Germany
Age: 40
Posts: 1,300
however...thanks again for your effort that EAB is now running again....
Old 27 June 2013, 21:31   #3
Retroplay
Lemon Curry ?

Join Date: Sep 2004
Location: Denmark
Age: 45
Posts: 3,368
For whoever is responsible.. I have a big barrel of tar and a big pile of feathers just waiting for you.
Old 27 June 2013, 22:09   #4
diablothe2nd
Registered User

Join Date: Dec 2011
Location: Northampton, UK
Age: 37
Posts: 1,232
I had a 90 minute power cut today... had to mow the lawn and everything to suppress my EAB withdrawals! Then I get 10 minutes with the power on and EAB dies

s s s s ssoooooo soooooo cold
Old 28 June 2013, 05:22   #5
scifi
Resurrected...
Join Date: Sep 2001
Location: Athens/Greece
Age: 46
Posts: 255
RCK, I just realized that when I try to access hol.abime.net directly, there is a response that this page is not found on the server.
On the other hand, if I try to access a subdirectory, for instance http://hol.abime.net/hol_stats.php, then it grants me access to it... what's going on?

I know that HOL has been facing problems since yesterday afternoon, and the same happens when you try to access http://eab.abime.net/ directly... I guess you did it on purpose to protect both of them from attacks, right?

Have you managed to resolve the problem so far?
If there was an attack, I really don't understand why they went to so much trouble to do it... I hate that kind of behaviour!
Old 28 June 2013, 13:42   #6
RCK
Administrator

Join Date: Feb 2001
Location: Paris / France
Age: 41
Posts: 2,944
In fact, I feel it's spider bots that are jumping into all the EAB and HOL links they can find and taking MySQL down.
I'm looking into MariaDB to replace MySQL; it is more robust now.
Old 28 June 2013, 15:13   #7
scifi
Resurrected...
Join Date: Sep 2001
Location: Athens/Greece
Age: 46
Posts: 255
Good luck with that!
Exterminate those nasty spider bots!
Old 28 June 2013, 18:32   #8
Merlin
AmiBay MegaMod
Join Date: Mar 2007
Location: Manchester, UK
Age: 57
Posts: 1,163
@ RCK

It may be an SQL injection attack (BlackHole exploit) designed to inject a JavaScript file that edits the root PHP files and adds an eval redirect - PHP/Kryptik.AB Trojan is one example. This edits the root PHP files on the server end (index.php mostly) and hides among the PHP files, so tracking the bugger down can be awkward. I suggest that you replace the main root PHP files with known good, write-protected backups if you can. The infected file might also be called sys_engine9181.php or similar. We finally identified the attack as a "Web Shell by oRb" backdoor script.

One symptom that you see is that the root of a site may be affected, but sub folders of the site work, when accessed via something such as Google. That hints at an infected index.php file. Scifi's comments above hint at something like this.

I hope that this is useful.
Old 28 June 2013, 18:59   #9
RCK
Administrator

Join Date: Feb 2001
Location: Paris / France
Age: 41
Posts: 2,944
Hi Merlin,

I compared the EAB and HOL files from my local dev station and the server files are the same.
No intrusion here.

The more I check, the more I think the whole problem was because of insane SQL requests.
MariaDB and a new HOL version for guests seem to be the way to follow.
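
The check described in the two posts above (server files compared against a local dev copy, with root PHP files verified against known-good backups) can be automated by hashing both trees. This is an added example, not code from the thread or from the site; the directory names and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root, pattern="*.php"):
    """Map each matching file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob(pattern)) if p.is_file()
    }


def compare_trees(known_good, deployed, pattern="*.php"):
    """Return files that differ, exist only on the server, or are missing there."""
    good, live = hash_tree(known_good, pattern), hash_tree(deployed, pattern)
    return {
        "modified": sorted(f for f in good.keys() & live.keys() if good[f] != live[f]),
        "unexpected": sorted(live.keys() - good.keys()),
        "missing": sorted(good.keys() - live.keys()),
    }


def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp, "dev_copy"), Path(tmp, "webroot")
        for tree in (good, live):
            (tree / "inc").mkdir(parents=True)
            (tree / "index.php").write_text("<?php require 'inc/db.php'; ?>\n")
            (tree / "inc" / "db.php").write_text("<?php /* db setup */ ?>\n")
            (tree / "hol_stats.php").write_text("<?php /* stats */ ?>\n")
        # Constructed tampering: altered root index, one extra file, one deleted file.
        (live / "index.php").write_text("<?php /* altered */ require 'inc/db.php'; ?>\n")
        (live / "inc" / "extra_dropped_file.php").write_text("<?php /* not in dev copy */ ?>\n")
        (live / "hol_stats.php").unlink()
        return compare_trees(good, live)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The default pattern only covers `*.php`; pass `"*"` to `compare_trees` to also catch added or changed files with other extensions.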
Old 14 July 2013, 16:40   #10
RCK
Administrator

Join Date: Feb 2001
Location: Paris / France
Age: 41
Posts: 2,944
This time MySQL 5.5 went down under huge load after 2 weeks without problems.
I will definitely move to MariaDB after more tests on the dev box.
All times are GMT +2. The time now is 18:10.