We noticed earlier high load and I/O on some servers and attempted unsuccessfully to block the UA.
That's SQL, someone's trying (and from the urls I've check this morning but not in depth failing) to do an SQL injection attack.
I see entries straight from midnight for the IP, ending 16:47:44 on mw5. Mitigations were merged to puppet @ ~16:40 - A grep for "SELECT" shows the same picture.
Current additional mitigations are:
- Connections without a UserAgent or where UA = - are being 403'd
- A temporary hack has been introduced to phabricator to allow OAUTH to work and use a valid UA.