Asking a question to you guys:

I have my MySQL logs with 200 000+ `[Note] Access denied for user 'root'@'122.224.33.184' (using password: YES)`

With multiple usernames (Magento / root / Admin / user / developper / dev etc...)

The peak goes from 0 to 11K connections in the database (that makes the site ULTRA SLOW, you can't buy anything).

What do you think? I have an e-commerce website with 200 000 users. Is this just a robot scanning or a targeted attack (for Black Friday maybe)?

We are on Amazon Lightsail (private database), WordPress front (don't judge me).

Ggs
  • Your database is exposed to the internet, since there are login attempts from a public internet address. You should change your security group(s) so that you only allow access to your RDS host from your web server. Unfortunately I can't help you with Lightsail on how to do that. – Tasos P. Nov 28 '19 at 09:51
  • That's the problem, my DB is in a security group with only Lightsail access... So I guess the WordPress is vulnerable, and gives access to the database... – Ggs Nov 28 '19 at 10:07
  • Please double check your SG. Assuming the IP you mention is the actual one from your logs, the attempts originate in [China](https://www.ipaddress.com/ipv4/122.224.33.184). I believe that AWS has no Lightsail deployments in that region. – Tasos P. Nov 28 '19 at 10:09
  • Double-checked, "public mode deactivated, only Lightsail in the same region can access"... I still don't understand how this is possible... – Ggs Nov 28 '19 at 10:14
  • If I were you, I would change all passwords (admin/web-app etc) using a password generator (i.e. 100+ bits) and then open an urgent ticket to AWS to address this. – Tasos P. Nov 28 '19 at 10:24
  • I already did that :) It was the first thing to do, now it seems like it's okay, but... still thinking this was an attack. – Ggs Nov 28 '19 at 11:40
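
Added example, not part of the thread: one way to triage the `Access denied` entries quoted in the question is to group them by source host and username, which separates a dictionary scan across many account names from repeated failures on a single account and shows the busiest minute. The timestamp/thread-id prefix, the sample lines and the `min_users` threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# MySQL 5.7-style error-log line; the timestamp/thread-id prefix is an assumption.
DENIED = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[Note\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)' \(using password: (?:YES|NO)\)"
)

# Constructed sample lines (documentation IP ranges, not real log data).
SAMPLE_LOG = """\
2019-11-28T08:00:01.000000Z 101 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2019-11-28T08:00:01.400000Z 102 [Note] Access denied for user 'Magento'@'203.0.113.7' (using password: YES)
2019-11-28T08:00:02.100000Z 103 [Note] Access denied for user 'Admin'@'203.0.113.7' (using password: YES)
2019-11-28T08:00:02.900000Z 104 [Note] Access denied for user 'dev'@'203.0.113.7' (using password: YES)
2019-11-28T08:01:10.000000Z 105 [Note] Access denied for user 'shop_app'@'198.51.100.20' (using password: YES)
2019-11-28T08:01:11.000000Z 106 [Note] Access denied for user 'shop_app'@'198.51.100.20' (using password: YES)
2019-11-28T08:01:12.000000Z 107 [Note] Aborted connection 107 to db: 'shop' user: 'shop_app' host: '198.51.100.20' (Got an error reading communication packets)
"""

def summarize(lines):
    """Return ({host: Counter(user -> failures)}, Counter(minute -> failures))."""
    per_host, per_minute = defaultdict(Counter), Counter()
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue  # ignore unrelated log entries
        per_host[m["host"]][m["user"]] += 1
        per_minute[m["ts"][:16]] += 1  # bucket by YYYY-MM-DDTHH:MM
    return per_host, per_minute

def classify(users, min_users=3):
    """Many distinct usernames from one host looks like a dictionary scan;
    repeated failures on one account look like focused guessing or a
    misconfigured client. min_users is an illustrative threshold."""
    return "username-spray" if len(users) >= min_users else "single-account"

def report(lines):
    per_host, per_minute = summarize(lines)
    rows = [(h, sum(u.values()), len(u), classify(u)) for h, u in per_host.items()]
    rows.sort(key=lambda r: r[1], reverse=True)  # noisiest source first
    return rows, (per_minute.most_common(1)[0] if per_minute else None)

if __name__ == "__main__":
    rows, peak = report(SAMPLE_LOG.splitlines())
    for host, total, distinct, label in rows:
        print(f"{host:15} failures={total:<4} usernames={distinct:<3} {label}")
    print("busiest minute:", peak)
```

Any source address in the output that is not the web server's private address means the database port is reachable from somewhere the access rules were meant to exclude.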

0 Answers