SOLVED Suggestions for tracking down failed login attempts?

MichaelRHMW

Member
Nov 8, 2020
Australia
cPanel Access Level
Root Administrator
Hi There,


This isn't so much an issue, as it is more me just looking for suggestions on how to find the cause of this.
I'm getting a number of failed MySQL logins on a cPanel/WHM server.

2020-11-09 15:38:01 11718 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-09 15:39:01 11855 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-09 15:40:01 12036 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-09 15:41:01 12279 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-09 15:42:01 12519 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)

However, MySQL isn't open to the public, so I suspect this to be either a script running on the server or an application like WordPress that hasn't been configured properly/to completion.

However, also looking at the timestamps suggests to me that it is something that has been set up as a cron.

I've tried using find/grep to see if I could find any wp-config.php files with 'admin' defined as the DB user, however that didn't return anything helpful.

Just wondering what suggestions anyone might have.

Thanks.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
It definitely looks like a cron with those timestamps every minute.

What about checking /var/log/cron to see what runs every minute? Since it seems to be consistent enough, that may be a good place to check and see if that gives you more data.
 

MichaelRHMW

Hi cPRex,

Thanks for the suggestion, this looks promising.

[[email protected] ~]# tail /var/lib/mysql/server.err
2020-11-10 7:44:01 192518 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-10 7:45:02 192759 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-10 7:46:01 193057 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-10 7:47:01 193257 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-10 7:48:01 193484 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-10 7:49:02 193765 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-10 7:50:02 193972 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-10 7:51:01 194212 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)

[[email protected] ~]# cat /var/log/cron | grep "Nov 10 07:51"
Nov 10 07:51:01 acp1 CROND[65647]: (root) CMD (/usr/lib64/nagios/plugins/bc/bc_mysqladmin_version.sh > /dev/null 2>&1)
Nov 10 07:51:01 acp1 CROND[65648]: (root) CMD (/usr/lib64/nagios/plugins/bc/bc_mysqladmin_version_plesk.sh > /dev/null 2>&1)

[[email protected] ~]# cat /usr/lib64/nagios/plugins/bc/bc_mysqladmin_version_plesk.sh | grep "admin"
mysqladmin -uadmin -p`cat /etc/psa/.psa.shadow` version > /usr/lib64/nagios/plugins/bc/bc_mysqladmin_version.txt;

[[email protected] ~]#

Also, /etc/psa/.psa.shadow doesn't exist.

I'll report back further.
 

MichaelRHMW

UPDATE:

Yes, it was indeed coming from /usr/lib64/nagios/plugins/bc/bc_mysqladmin_version_plesk.sh which being for Plesk doesn't accurately apply to cPanel/WHM.
In particular, I guess the /etc/psa/.psa.shadow file doesn't exist and so it returns empty/null? And that lines up with no password being attempted for a MySQL user of admin (which also doesn't exist).

Thanks cPRex
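
The correlation done by hand in this thread (matching the minute of each "Access denied" warning against /var/log/cron) can be scripted; the following is an added example, not part of the original posts. The function name `correlate_denied`, the sample log lines and the `/opt/example` paths are constructed for illustration, and it assumes both logs cover the same year, since syslog-style cron lines carry no year.

```bash
#!/usr/bin/env bash
# Added example: rank cron commands by how many "Access denied" minutes they share.

# correlate_denied ERRLOG CRONLOG -> lines of "hits/denied_minutes<TAB>command"
correlate_denied() {
  awk '
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ") }
    # Error log line: 2020-11-10 7:51:01 194212 [Warning] Access denied for user ...
    FILENAME == ARGV[1] {
      if ($0 ~ /Access denied for user/) {
        split($1, d, "-"); split($2, t, ":")
        # Rebuild the minute in syslog form (space-padded day, zero-padded hour).
        key = sprintf("%s %2d %02d:%02d", mon[d[2] + 0], d[3] + 0, t[1] + 0, t[2] + 0)
        if (!(key in denied)) { denied[key] = 1; n++ }
      }
      next
    }
    # Cron log line: Nov 10 07:51:01 host CROND[65647]: (root) CMD (command)
    / CROND\[[0-9]+\]: \([^)]*\) CMD \(/ {
      key = sprintf("%s %2d %s", $1, $2 + 0, substr($3, 1, 5))
      if (key in denied) {
        cmd = $0; sub(/^.* CMD \(/, "", cmd); sub(/\)$/, "", cmd)
        hits[cmd]++
      }
    }
    END { for (c in hits) printf "%d/%d\t%s\n", hits[c], n, c }
  ' "$1" "$2" | sort -rn
}

# Constructed sample logs (not taken from the thread); paths are hypothetical.
demo_dir=$(mktemp -d)
cat > "$demo_dir/server.err" <<'EOF'
2020-11-09 7:05:01 101 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-09 7:06:02 102 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-09 7:07:01 103 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
EOF
cat > "$demo_dir/cron" <<'EOF'
Nov  9 07:05:01 host1 CROND[2001]: (root) CMD (/opt/example/check_db.sh > /dev/null 2>&1)
Nov  9 07:05:01 host1 CROND[2002]: (root) CMD (/opt/example/every5.sh)
Nov  9 07:06:01 host1 CROND[2003]: (root) CMD (/opt/example/check_db.sh > /dev/null 2>&1)
Nov  9 07:07:01 host1 CROND[2004]: (root) CMD (/opt/example/check_db.sh > /dev/null 2>&1)
Nov  9 07:08:01 host1 CROND[2005]: (root) CMD (/opt/example/check_db.sh > /dev/null 2>&1)
EOF
correlate_denied "$demo_dir/server.err" "$demo_dir/cron"
```

A command whose count equals the number of denied minutes (3/3 in the sample) is the first script to open and read; one that only matches occasionally is likely coincidental.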