Strange attack - offline for 5 hours

[RCK]

My server become crazy today at 16h00 (GMT+1).

I got a lot of fat SQL request (especially in HOL), who put down the mysql service and let Apache load the server average by waiting a response. I don't know if it's spider bot or human behavior.

I had to move out the trafic to IRC, then reboot the server to let mysql rebuild it's tables, then check the log, and verify everything was ok.

We are now online 5 hours after the beginning of incident, I will now closely monitor abime.net server and scan for those badass request.

Cheers,

[Joe Maroni]

however...thanks again for your effort that EAB is now running again....

[Retroplay]

For whoever is responsible.. I have a big barrel of tar and a big pile of feathers just waiting for you.

[diablothe2nd]

i had a 90 minute power cut today... had to mow the lawn and everything to suppress my EAB withdrawals! then get 10 minutes with the power on and EAB dies

s s s s ssoooooo soooooo cold

[scifi]

RCK I just realized that when I try to access hol.abime.net directly, there is a respond that this page is not found on the server.
On the other hand, if I try to access a sub directory for instance http://hol.abime.net/hol_stats.php, then it grants me access to it... what's going on?

I know that HOL is facing problems from yesterday afternoon and the same happens when you try to access http://eab.abime.net/ directly... I guess you did it on purpose to protect both of them from attacks, right?

Have you managed to resolve the problem so far?
If there was an attack I really don't understand why they got into so much trouble to do it... I hate that kind of behaviour!

[RCK]

If fact I feel it's spider bots who are jumping into all EAB and HOL's link they can found and put the mysql down.
I'm looking into MariaDB to replace Mysql, more robust now.

[scifi]

Good luck with that!
Exterminate those nasty spider bots!

[Merlin]

@ RCK

It may be an SQL injection attack (BlackHole exploit) designed to inject a JavaScript file that edits the root PHP files and adds an eval redirect - PHP/Kryptik.AB Trojan is one example. This edits the root PHP files on the server end (index.php mostly) and hides among the PHO files, so tracking the bugger down can be awkward. I suggest that you replace the main root PHP files with known good, write-protected backups if you can. The infected file might also be called sys_engine9181.php or similar. We finally identified the attack as an "Web Shell by oRb" backdoor script.

One symptom that you see is that the root of a site may be affected, but sub folders of the site work, when accessed via something such as Google. That hints at an infected index.php file. Scifi's comments above hint at something like this.

I hope that this is useful.

[RCK]

Hi Merlin,

I compared EAB and HOL files from my local dev station and the serveur files are the same.
No intrusion here

The more I check, the more I think all the problem was because of insane sql request.
MariaDB and a new HOL version for guest seems to be the way to follow

[RCK]

This time mysql 5.5 gone under huge load after 2 weeks without problem.
I will definitively move to MariaDB after more test on dev box.