MySQL – XenForo vulnerability, limit max open connections by IP address

MySQL

Trying to get some emergency help because my website is being attacked. It isn't so much an actual attack as it is a small bot to exploit a XenForo vulnerability.

https://xenforo.com/community/threads/mysql-attack.89082

That's a link to the original problem. I thought this was the best place to ask so I will ask here as well.
Here is proof that this is an actual attack.

https://xenforo.com/community/proxy.php?image=http%3A%2F%2Fi.gyazo.com%2F893d37afef44ba7372a55ad415af1974.png&hash=8e44a697e4ff7fbcbd80840d4a781d90

This is the error that the website gives me:

Zend_Db_Adapter_Mysqli_Exception: Too many connections - library/Zend/Db/Adapter/Mysqli.php:333
Generated By: Unknown Account, Today at 7:26 AM
Stack Trace
#0 /home/squadcra/public_html/library/Zend/Db/Adapter/Abstract.php(315): Zend_Db_Adapter_Mysqli->_connect()
#1 /home/squadcra/public_html/library/XenForo/Application.php(719): Zend_Db_Adapter_Abstract->getConnection()
#2 [internal function]: XenForo_Application->loadDb(Object(Zend_Config))
#3 /home/squadcra/public_html/library/XenForo/Application.php(960): call_user_func_array(Array, Array)
#4 /home/squadcra/public_html/library/XenForo/Application.php(991): XenForo_Application->lazyLoad('db', NULL)
#5 /home/squadcra/public_html/library/XenForo/Application.php(1561): XenForo_Application::get('db')
#6 /home/squadcra/public_html/library/XenForo/Model.php(161): XenForo_Application::getDb()
#7 /home/squadcra/public_html/library/XenForo/Model/DataRegistry.php(138): XenForo_Model->_getDb()
#8 /home/squadcra/public_html/library/XenForo/Model/DataRegistry.php(97): XenForo_Model_DataRegistry->_getMultiFromDb(Array)
#9 /home/squadcra/public_html/library/XenForo/Dependencies/Abstract.php(147): XenForo_Model_DataRegistry->getMulti(Array)
#10 /home/squadcra/public_html/library/XenForo/FrontController.php(127): XenForo_Dependencies_Abstract->preLoadData()
#11 /home/squadcra/public_html/index.php(13): XenForo_FrontController->run()
#12 {main}
Request State
array(3) {
["url"] => string(22) "http://squadcraft.net/"
["_GET"] => array(0) {
}
["_POST"] => array(0) {
}
}

I think this is an exploit where he has a bot that spam-opens MySQL connections, or just opens and holds open MySQL connections. I don't know, I'm not an expert. Anyway, I need to limit the maximum number of open connections per IP address.

Best Answer

I have an old post from March 2012 that limits a specific user's connections by the hour:

How can I limit MySQL connections?

You also need to remove anonymous users: Cannot drop anonymous user from mysql.user

Get rid of test user access: MySQL : Why are there "test" entries in mysql.db?

Get rid of all users with no password with:

DELETE FROM mysql.user WHERE password='';
FLUSH PRIVILEGES;

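You could add a blanket rule on a specific IP addr (like 10.20.30.40):

-- max_user_connections: simultaneous connections allowed for the account
-- max_connections: connections allowed per hour for the account
INSERT INTO mysql.user SET
    user = '', host = '10.20.30.40',
    max_user_connections = 1,
    max_connections = 1;
FLUSH PRIVILEGES;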

Give Them a Try !!!
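
The following is an added example, not part of the original answer: it shows how to see which accounts and client hosts actually hold the open connections, audit the accounts the answer says to remove, and set a per-account connection cap with an account-management statement instead of a direct write to mysql.user. It assumes a MySQL 5.x server as in the question (the `password` column is `authentication_string` from 5.7 on); the account 'forum'@'localhost' and the limit of 20 are hypothetical.

```sql
-- 1. Who holds the open connections right now?
--    processlist.host is 'host:port'; strip the port to group per client.
SELECT user,
       SUBSTRING_INDEX(host, ':', 1) AS client_host,
       COUNT(*)                      AS open_connections,
       SUM(command = 'Sleep')        AS idle_connections
FROM   information_schema.processlist
GROUP  BY user, client_host
ORDER  BY open_connections DESC;

-- 2. Compare the peak seen since startup with the server-wide ceiling
--    that produces "Too many connections".
SHOW GLOBAL STATUS    LIKE 'Max_used_connections';
SHOW GLOBAL VARIABLES LIKE 'max_connections';

-- 3. Audit before deleting: anonymous accounts and empty passwords.
SELECT user, host
FROM   mysql.user
WHERE  user = '' OR password = '';

-- 4. Cap simultaneous connections for one existing account.
--    Hypothetical account name and limit. Run this only against an
--    account that already exists: on 5.x, GRANT can create a missing
--    account unless the NO_AUTO_CREATE_USER SQL mode is set.
GRANT USAGE ON *.* TO 'forum'@'localhost'
    WITH MAX_USER_CONNECTIONS 20;
--    On MySQL 5.7.6 and later the equivalent statement is:
--    ALTER USER 'forum'@'localhost' WITH MAX_USER_CONNECTIONS 20;

-- 5. Confirm what is stored. max_user_connections is the simultaneous
--    limit; max_connections in this table is the per-hour limit.
SELECT user, host, max_user_connections, max_connections
FROM   mysql.user
WHERE  user = 'forum' AND host = 'localhost';
```

MySQL enforces these limits per account as the server sees it, so when the forum connects from the web server every visitor shares that one account and host, and query 1 will show the web server rather than a visitor's address.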