INSERTions into ses table for unknown users [message #168060]
Tue, 08 January 2013 12:00
San ???????
Messages: 4 Registered: January 2013
Karma: 0
Junior Member

Some time ago I discovered high load on my site's server caused by the MySQL instance (about 50% of CPU time). I checked the httpd load and found nothing serious (about 0.2 req/sec). Then I enabled query logging in MySQL and got a lot of lines like the following:
...
1 Query INSERT INTO 2frmdb_ses (ses_id, time_sec, sys_id, user_id) VALUES ('da44744b0744e7182e2d8e21bb2b4063', 1357649603, '', 2001593538)
1 Query INSERT INTO 2frmdb_ses (ses_id, time_sec, sys_id, user_id) VALUES ('517bf2b9b646c2e48dbc28f996941b15', 1357649603, '', 2053834729)
1 Query INSERT INTO 2frmdb_ses (ses_id, time_sec, sys_id, user_id) VALUES ('ecb78d35baa48deec43abf7d649ea7eb', 1357649603, '', 2055756004)
...
I checked the users table against those IDs (user_id above) and found nothing - the users table has no such IDs at all.
Is this normal? If not, then how is that possible and what should I do to stop it?
Forum version 3.0.1, php version 5.3.17, MySQL version 5.0.84, server OS - Slackware Linux 13.0.
Re: INSERTions into ses table for unknown users [message #168063 is a reply to message #168062]
Tue, 08 January 2013 20:33
San ???????

It seems I have found the cause of the problem. There is session checking in index.php on every request, and if the client has no session cookie, one is created (for anonymous users too, in ses_anon_make()). The latter could be used for a DoS attack if the client ignores the forum cookie - that is why I'm getting a lot of new rows in the ses table for non-existent accounts. The code (from ses_anon_make()) gives me no chance in this case:
do {
$uid = 2000000000 + mt_rand(1, 147483647);
$ses_id = md5($uid . __request_timestamp__ . getmypid());
} while (!($id = db_li("INSERT INTO 2frmdb_ses (ses_id, time_sec, sys_id, user_id) VALUES ('".$ses_id."', ".__request_timestamp__.", '".ses_make_sysid(). "', ".$uid.')', $ef, 1)));
Cyclic INSERTions into the DB to get an ID, just brilliant. For crackers, of course... For example, my forum has about 6000 registered accounts and only a few of them are really active, but my session table file (MyISAM) takes about 2 GBytes on disk now and grows quickly.
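An added example, not part of the original posts or of the forum's code: a small Python check that reads MySQL general query log lines in the format shown in the first post and counts, per time_sec value, the session INSERTs whose user_id falls in the anonymous range produced by ses_anon_make(). The function names, the burst threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Anonymous ids come from ses_anon_make(): 2000000000 + mt_rand(1, 147483647)
ANON_MIN, ANON_MAX = 2000000001, 2147483647

# Matches the INSERT shape from the query log; the table prefix differs per install.
INSERT_RE = re.compile(
    r"INSERT INTO (?P<table>\w*ses) \(ses_id, time_sec, sys_id, user_id\) "
    r"VALUES \('(?P<ses_id>[0-9a-f]{32})', (?P<time_sec>\d+), "
    r"'(?P<sys_id>[^']*)', (?P<user_id>\d+)\)"
)

def anon_inserts_per_second(lines):
    """Count anonymous-session INSERTs grouped by their time_sec value."""
    per_sec = Counter()
    for line in lines:
        m = INSERT_RE.search(line)
        if m and ANON_MIN <= int(m.group("user_id")) <= ANON_MAX:
            per_sec[int(m.group("time_sec"))] += 1
    return per_sec

def bursts(per_sec, threshold):
    """Return the seconds in which anonymous session creation reached threshold."""
    return sorted(t for t, n in per_sec.items() if n >= threshold)

def _line(n, t, uid):
    """Build one constructed log line in the same format as the post's excerpt."""
    return ("1 Query INSERT INTO 2frmdb_ses (ses_id, time_sec, sys_id, user_id) "
            "VALUES ('%032x', %d, '', %d)" % (n, t, uid))

# Constructed sample log (not real data from the poster's server).
SAMPLE_LOG = [
    _line(1, 1357649603, 2001593001),
    _line(2, 1357649603, 2053834002),
    _line(3, 1357649603, 2055756003),
    _line(4, 1357649603, 4711),          # id outside the anonymous range
    "1 Query SELECT 1",                  # unrelated query, ignored
    _line(5, 1357649604, 2100000005),
]

if __name__ == "__main__":
    counts = anon_inserts_per_second(SAMPLE_LOG)
    for sec in bursts(counts, threshold=3):  # threshold is an assumed value
        print(sec, counts[sec], "anonymous sessions created in one second")
```

Comparing the flagged seconds with the web server's request rate for the same period shows whether session rows are being created by clients that never send the cookie back.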
Re: INSERTions into ses table for unknown users [message #168064 is a reply to message #168063]
Tue, 08 January 2013 21:14
San ???????

I applied the following quick & dirty hack to protect my site from that kind of attack:
306c306
< do {
---
> /* do { */
307a308
> $id = $uid;
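Review bot: "$id = $uid;" changes what $id holds. In the original loop $id was the value db_li() returned for the INSERT into 2frmdb_ses; here it becomes the random user_id, and because the loop that retried on a failed INSERT is gone, nothing prevents two anonymous visitors from ending up with the same $uid. Check every use of $id after this line and confirm none of them expects it to identify a row in the ses table.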
309c310
< } while (!($id = db_li("INSERT INTO 2frmdb_ses (ses_id, time_sec, sys_id, user_id) VALUES ('".$ses_id."', ".__request_timestamp__.", '".ses_make_sysid()."', ".$uid.')', $ef, 1)));
---
> /* } while (!($id = db_li("INSERT INTO 2frmdb_ses (ses_id, time_sec, sys_id, user_id) VALUES ('".$ses_id."', ".__request_timestamp__.", '".ses_make_sysid()."', ".$uid.')', $ef, 1))); */
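Review bot: commenting out the whole "} while (!($id = db_li(...)))" line removes the INSERT itself, not only the retry, so the $ses_id computed on the line above is never written to 2frmdb_ses and no row exists for an anonymous session. Confirm that nothing later looks the session up by ses_id or user_id, and replace the commented-out code with a short comment saying that anonymous sessions are intentionally no longer persisted, so the intent is clear in each place the function has to be patched.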
The problem is that ses_anon_make() is declared in more than one place. Strange code organization, yes...