A few days ago we began to receive attacks on our server.
It started with one IP attacking repeatedly by trying to POST gold through our vote script; they were blocked with htaccess.
This IP was evident in its intentions with all POST logs showing in Apache logs, and was able to be blocked successfully.
However the problem persists with authd logs showing two accounts are pushing gold through at a phenomenal rate...how, I don't know.
The Apache access logs show no IP POST..???
The vote script has been disabled but still it persists.
How are they doing this...I've spent 2 days trying all sorts of ideas but I cannot stop this intrusion.
The offending accounts 6016 and 5200 have been deleted from PW database and the vote script disabled but still it persists.
Still the authd logs show these two accounts pushing gold through.
Even when the server is down these 2 accounts are active...however obviously the gold is not being pushed through but the logs still show evidence of something trying to push this through.
Code:
gauthd: 22 Oct 2012 07:39:41,401 INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12897
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:41,404 INFO GAuthServer:? - AddCash_Re: retcode=0,userid=6016,zoneid=1,sn=12897
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:41,404 INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=6016,zoneid=1
gauthd: 22 Oct 2012 07:39:46,400 INFO GAuthServer:? - UseCashTimerTask: status=0,userid=6016,zoneid=1,sn=-10131,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:46,402 INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=5200,zoneid=1,sn=9632
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:46,405 INFO GAuthServer:? - AddCash_Re: retcode=0,userid=5200,zoneid=1,sn=9632
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:46,406 INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=5200,zoneid=1
gauthd: 22 Oct 2012 07:39:51,401 INFO GAuthServer:? - UseCashTimerTask: status=0,userid=5200,zoneid=1,sn=-586,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:51,404 INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12898
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:51,406 INFO GAuthServer:? - AddCash_Re: retcode=0,userid=6016,zoneid=1,sn=12898
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:51,407 INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=6016,zoneid=1
gauthd: 22 Oct 2012 07:39:56,403 INFO GAuthServer:? - UseCashTimerTask: status=0,userid=6016,zoneid=1,sn=-10130,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:56,405 INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12899
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:56,407 INFO GAuthServer:? - AddCash_Re: retcode=0,userid=6016,zoneid=1,sn=12899
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:56,408 INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=6016,zoneid=1
gauthd: 22 Oct 2012 07:40:01,404 INFO GAuthServer:? - UseCashTimerTask: status=0,userid=6016,zoneid=1,sn=-10129,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:01,406 INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=5200,zoneid=1,sn=9633
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:01,409 INFO GAuthServer:? - AddCash_Re: retcode=0,userid=5200,zoneid=1,sn=9633
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:01,410 INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=5200,zoneid=1
gauthd: 22 Oct 2012 07:40:06,406 INFO GAuthServer:? - UseCashTimerTask: status=0,userid=5200,zoneid=1,sn=-584,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:06,408 INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12900
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:06,411 INFO GAuthServer:? - AddCash_Re: retcode=0,userid=6016,zoneid=1,sn=12900
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:06,411 INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=6016,zoneid=1
gauthd: 22 Oct 2012 07:40:11,407 INFO GAuthServer:? - UseCashTimerTask: status=0,userid=6016,zoneid=1,sn=-10128,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:11,409 INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12901
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:11,412 INFO GAuthServer:? - AddCash_Re: retcode=0,userid=6016,zoneid=1,sn=12901
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:11,413 INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=6016,zoneid=1
gauthd: 22 Oct 2012 07:40:16,408 INFO GAuthServer:? - UseCashTimerTask: status=0,userid=6016,zoneid=1,sn=-10127,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:16,410 INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=5200,zoneid=1,sn=9634
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:16,413 INFO GAuthServer:? - AddCash_Re: retcode=0,userid=5200,zoneid=1,sn=9634
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:16,414 INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=5200,zoneid=1
gauthd: 22 Oct 2012 07:40:21,410 INFO GAuthServer:? - UseCashTimerTask: status=0,userid=5200,zoneid=1,sn=-583,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:21,412 INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12902
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:21,414 INFO GAuthServer:? - AddCash_Re: retcode=0,userid=6016,zoneid=1,sn=12902
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:21,415 INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=6016,zoneid=1
Prepare procedure call:{call recordoffline(?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:24,300 INFO GAuthServer:? - UserLogout::User 6192 logout successfully.
gauthd: 22 Oct 2012 07:40:26,411 INFO GAuthServer:? - UseCashTimerTask: status=0,userid=6016,zoneid=1,sn=-10126,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:26,413 INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12903
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:26,416 INFO GAuthServer:? - AddCash_Re: retcode=0,userid=6016,zoneid=1,sn=12903
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:26,417 INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=6016,zoneid=1
gauthd: 22 Oct 2012 07:40:31,413 INFO GAuthServer:? - UseCashTimerTask: status=0,userid=6016,zoneid=1,sn=-10125,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:31,415 INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12904
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:31,417 INFO GAuthServer:? - AddCash_Re: retcode=0,userid=6016,zoneid=1,sn=12904
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:31,418 INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=6016,zoneid=1
Prepare procedure call:{call recordoffline(?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:31,601 INFO GAuthServer:? - UserLogout::User 6096 logout successfully.
gauthd: 22 Oct 2012 07:40:36,414 INFO GAuthServer:? - UseCashTimerTask: status=0,userid=6016,zoneid=1,sn=-10124,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:36,416 INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12905
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:36,419 INFO GAuthServer:? - AddCash_Re: retcode=0,userid=6016,zoneid=1,sn=12905
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:36,420 INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=6016,zoneid=1
gauthd: 22 Oct 2012 07:40:41,415 INFO GAuthServer:? - UseCashTimerTask: status=0,userid=6016,zoneid=1,sn=-10123,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:41,418 INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=5200,zoneid=1,sn=9635
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:41,420 INFO GAuthServer:? - AddCash_Re: retcode=0,userid=5200,zoneid=1,sn=9635
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:41,421 INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=5200,zoneid=1
Just a snippet, but as you can see these two accounts are pushing tons of gold through.
Apache access logs show no logs/IP for offending accounts...very odd.
I'd like to be able to at least block these entries and at the most put a stop to it...but first I must understand how this is happening.
So that is my question...how is this able to be pushed through?
Edit: I'm fairly sure this attack is executed by a script of some sort as it is continuous.
When the server is down this behaviour persists however authd logs show only
Code:
"gauthd: 22 Oct 2012 07:39:41,401 INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12897"
without the
Code:
"Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}"
Which says to me it is a script of some sort that is hammering away at the server.
The sad thing is it is lagging out the genuine users who vote.
If I could understand how this is being executed then maybe it is able to be stopped.
I have so many questions...is it a script? Do they know my database password perhaps?
Is it a SQL injection? How are they POSTing without Apache showing this?
Any suggestions or help to illuminate would be greatly appreciated.
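One way to summarize a gauthd excerpt like the one in the post: count `AddCash_Re` entries per userid, list the `sn` values each account received, and measure the spacing between successive `UseCashTimerTask` entries. This is an added example, not part of the original post; the sample lines are copied from the excerpt above and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Lines copied from the gauthd excerpt in the post (trimmed to three cycles).
SAMPLE = """\
gauthd: 22 Oct 2012 07:39:41,401 INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12897
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:41,404 INFO GAuthServer:? - AddCash_Re: retcode=0,userid=6016,zoneid=1,sn=12897
gauthd: 22 Oct 2012 07:39:46,400 INFO GAuthServer:? - UseCashTimerTask: status=0,userid=6016,zoneid=1,sn=-10131,ret=0
gauthd: 22 Oct 2012 07:39:46,402 INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=5200,zoneid=1,sn=9632
gauthd: 22 Oct 2012 07:39:46,405 INFO GAuthServer:? - AddCash_Re: retcode=0,userid=5200,zoneid=1,sn=9632
gauthd: 22 Oct 2012 07:39:51,401 INFO GAuthServer:? - UseCashTimerTask: status=0,userid=5200,zoneid=1,sn=-586,ret=0
gauthd: 22 Oct 2012 07:39:51,404 INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12898
gauthd: 22 Oct 2012 07:39:51,406 INFO GAuthServer:? - AddCash_Re: retcode=0,userid=6016,zoneid=1,sn=12898
gauthd: 22 Oct 2012 07:39:56,403 INFO GAuthServer:? - UseCashTimerTask: status=0,userid=6016,zoneid=1,sn=-10130,ret=0
gauthd: 22 Oct 2012 07:40:24,300 INFO GAuthServer:? - UserLogout::User 6192 logout successfully.
"""

LINE = re.compile(r"^gauthd: (\d{2} \w{3} \d{4} [\d:]{8},\d{3}) INFO "
                  r"GAuthServer:\? - (\w+)(?: Client)?:(.*)$")
KV = re.compile(r"(\w+)=(-?\d+)")

def parse(text):
    """Return (timestamp, event, userid, fields) for every cash-related line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # e.g. the "Prepare procedure call" lines
        fields = dict(KV.findall(m.group(3)))
        if "userid" not in fields:
            continue  # e.g. UserLogout lines carry no key=value pairs
        ts = datetime.strptime(m.group(1), "%d %b %Y %H:%M:%S,%f")
        events.append((ts, m.group(2), int(fields["userid"]), fields))
    return events

def summarize(events):
    """Credits per userid, seconds between timer ticks, sn values per userid."""
    credits = Counter(uid for _, ev, uid, _ in events if ev == "AddCash_Re")
    ticks = [ts for ts, ev, _, _ in events if ev == "UseCashTimerTask"]
    gaps = [round((b - a).total_seconds()) for a, b in zip(ticks, ticks[1:])]
    sns = defaultdict(list)
    for _, ev, uid, f in events:
        if ev == "AddCash_Re":
            sns[uid].append(int(f["sn"]))
    return credits, gaps, dict(sns)

if __name__ == "__main__":
    credits, gaps, sns = summarize(parse(SAMPLE))
    print("AddCash_Re per userid:", dict(credits))
    print("seconds between UseCashTimerTask entries:", gaps)
    print("sn values per userid:", sns)
```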