I'm a developer for a small website. There are 3 webservers (for load balancing) and a MySQL server.
Today the webservers seem to be down, and, unfortunately, I cannot get hold of the admin (he's in a different timezone, probably asleep). But I do have some elevated priviledges, so I can connect as a full-permission administrator to the MySQL server via PHPMyAdmin (which is running locally on the MySQL server).
Over there I see something odd in the SHOW PROCESSLIST
results. There are over 500 connections from "unauthenticated user" with the command "Connect". These connections are coming from two of the three webservers that we have (I think). Basically they're trying to connect, but not really connecting.
It's been like this for about 5 hours now. The MySQL server is happy with this and isn't even slowing down, which makes me wonder if this is an attack at all. Besides - if the attacker had control of the server, he could just find the relevant passwords in the PHP source code files.
So - is this an attack and is there something I can do about it until the admin arrives? (I do not have server root, just MySQL admin priviledges)
Update: I had written the username incorrectly. It's not "anonymous user", it's "unauthenticated user".
Update 2: OK, the admin just awoke. Thank you for your help!