I'm a developer for a small website. There are 3 webservers (for load balancing) and a MySQL server.

Today the webservers seem to be down, and, unfortunately, I cannot get hold of the admin (he's in a different timezone, probably asleep). But I do have some elevated privileges, so I can connect as a full-permission administrator to the MySQL server via PHPMyAdmin (which is running locally on the MySQL server).

Over there I see something odd in the SHOW PROCESSLIST results. There are over 500 connections from "unauthenticated user" with the command "Connect". These connections are coming from two of the three webservers that we have (I think). Basically they're trying to connect, but not really connecting.

It's been like this for about 5 hours now. The MySQL server is happy with this and isn't even slowing down, which makes me wonder if this is an attack at all. Besides - if the attacker had control of the server, he could just find the relevant passwords in the PHP source code files.

So - is this an attack and is there something I can do about it until the admin arrives? (I do not have server root, just MySQL admin privileges)

Update: I had written the username incorrectly. It's not "anonymous user", it's "unauthenticated user".

Update 2: OK, the admin just awoke. Thank you for your help!

Vilx-
  • Vilx - was there a security issue? If so it would be useful to add an answer if you can, detailing the issue. Thanks. – Rory Alsop Mar 09 '13 at 12:16
  • @RoryAlsop - Ahh, no. :P Apparently there was some issue with DNS servers that the admin reconfigured the night before (which only surfaced two hours after he was asleep already). I'm still not clear on all the details. Anyways... if you could delete this question, it'd be great. Thanks! :) – Vilx- Mar 09 '13 at 12:58

3 Answers

MySQL includes an anonymous user account that allows anyone to connect into the MySQL server without having a user account. This is meant only for testing, and should be removed before the database server is put into a production environment.

If configured correctly, the MySQL server shouldn't even be reachable by IPs other than the web front-ends (aside: if it's a small site, why do you need so many servers?).

This is more likely to be a configuration/code issue than a security issue. In any case, my advice would be to try to gather and document as much information as you can about what's going on with the system, and continue trying to wake your admin. For example:

  • What makes you think the connections are from the web front ends?
  • Which databases is the user accessing?
  • What queries are running?
  • Which IP are the connections coming from?

GBC
  • I guess I was unclear in my original post. The IP addresses are the ones of the web frontends. There are NO queries running, except the phpMyAdmin I'm using. The connections are not established (I think), because they are not connected to any databases, and they are not running any queries. – Vilx- Mar 08 '13 at 13:35
  • Oh, and the website is small compared to enterprise-y websites. :) All in all there are around 20K pageviews every day. – Vilx- Mar 08 '13 at 13:37
  • Oops, pardon, it's an "unauthenticated user", not "anonymous user". – Vilx- Mar 08 '13 at 14:11
The anonymous user is probably being used by the website application to access the back-end database, in which case each of the 500 connections probably represents an individual web connection to the site. If the website is small, 500 simultaneous connections could be enough to bring it down, so it may indicate a Denial of Service condition. This may be an attack, or it may be due to your site being unexpectedly popular.

The fact is that unless you have some sort of baseline you cannot really tell whether 500 connections is normal or abnormal, so there's simply no way to answer this question 100%.

An action to take away from this would be to start collecting metrics such as site connections, SQL connections, etc., so you know what is normal and what is not.

GdD
  • I've occasionally watched the same process log, but this is different. For one thing, the website uses usernames and passwords, not anonymous logins. In fact, there is no anonymous user as far as I can tell. Secondly, the normal load is at most half this, if not less. But since these connections aren't doing anything, they aren't giving any load to the server either. – Vilx- Mar 08 '13 at 14:07
  • Could be that your DB is directly web accessible, which is bad. Or it could be that the front end web app has been hacked and there's other software running on it, which is also bad. It could also be a change the developer made, and never told you. – GdD Mar 08 '13 at 14:09
  • Oops, it's "unauthenticated user", not "anonymous user". Sorry for the confusion. Also - I'm the only developer there. And the DB cannot be accessed directly from outside (those IP addresses are from the webservers). – Vilx- Mar 08 '13 at 14:11
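The questions in GBC's answer (which hosts, which databases, what queries) and the baseline GdD recommends can both be answered from the MySQL side with a user that holds the PROCESS privilege. The statements below are an added example, not part of either answer; they assume MySQL 5.1 or later (for `information_schema.PROCESSLIST`), and the table name `ops_connection_baseline` is made up for the example.

```sql
-- Added example: characterise what SHOW PROCESSLIST is showing.
-- Needs the PROCESS privilege (the asker's admin account has it).

-- 1. Who is connected, from where, doing what.  HOST is 'ip:port' (or
--    'hostname:port' once reverse DNS has resolved), so strip the port
--    to group by client machine.  Rows with USER = 'unauthenticated user',
--    COMMAND = 'Connect', no DB and no INFO are connections that have not
--    finished the handshake, not running queries.
SELECT SUBSTRING_INDEX(HOST, ':', 1) AS client_host,
       USER,
       COMMAND,
       STATE,
       DB,
       COUNT(*)    AS connections,
       MAX(TIME)   AS longest_seconds,
       COUNT(INFO) AS with_running_statement
FROM information_schema.PROCESSLIST
GROUP BY client_host, USER, COMMAND, STATE, DB
ORDER BY connections DESC;

-- 2. Is there an anonymous account at all?  A blank User is the anonymous
--    login GBC describes; on a production server this should return no rows.
SELECT User, Host FROM mysql.user WHERE User = '';
-- For each row returned that is not deliberate, drop it, e.g.:
-- DROP USER ''@'localhost';

-- 3. Baseline for GdD's point: sample the counts periodically (cron or the
--    event scheduler) so "500 connections" can be compared against normal.
CREATE TABLE IF NOT EXISTS ops_connection_baseline (   -- hypothetical name
  sampled_at   DATETIME     NOT NULL,
  client_host  VARCHAR(64)  NOT NULL,
  user         VARCHAR(32)  NOT NULL,
  command      VARCHAR(16)  NOT NULL,
  connections  INT UNSIGNED NOT NULL,
  PRIMARY KEY (sampled_at, client_host, user, command)
);

INSERT INTO ops_connection_baseline
SELECT NOW(), SUBSTRING_INDEX(HOST, ':', 1), USER, COMMAND, COUNT(*)
FROM information_schema.PROCESSLIST
GROUP BY SUBSTRING_INDEX(HOST, ':', 1), USER, COMMAND;

-- Compare the current count per host with the sampled history:
SELECT client_host, command,
       MAX(connections) AS peak_seen, AVG(connections) AS avg_seen
FROM ops_connection_baseline
GROUP BY client_host, command;
```

As the asker's follow-up comment notes, the cause here turned out to be DNS: a connection sits as 'unauthenticated user' in Connect while the server performs a reverse lookup of the client address, and the `skip_name_resolve` server option avoids that lookup (grants must then use IP addresses rather than hostnames).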
I don't know what's causing this - there have been some suggestions from other users, but if I were you I'd start by looking at the origin of this traffic - what's the client (I mean the program on the web server machine - not the host)? Is it doing something it should attempt or have you got a vulnerability? What's happening with the traffic profile on the webservers? Have you run an IDS sweep on the webserver files?

symcbean