SOLVED Suggestions for tracking down failed login attemps?

MichaelRHMW

Member
Nov 8, 2020
6
1
3
Australia
cPanel Access Level
Root Administrator
Hi There,


This isn't so much an issue, as it is more me just looking for suggestions on how to find the cause of this.
I'm getting a number of failed MySQL logins on a cPanel/WHM server.

2020-11-09 15:38:01 11718 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-09 15:39:01 11855 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-09 15:40:01 12036 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-09 15:41:01 12279 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-09 15:42:01 12519 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)

However MySQL isn't open to the public, so I suspect this to be either a script running on the server or an application like Wordpress, that hasn't been configured properly/to completion.

However also looking at the timestamps, suggests to me that it is something that has been setup as a cron.

I've tried using find/grep to see if I could find any wp-config.php files with 'admin' defined as the DB user, however that didn't return anything helpful.

Just wondering what suggestions anyone might have.

Thanks.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
2,316
308
213
cPanel Access Level
Root Administrator
It definitely looks like a cron with those timestamps every minute.

What about checking /var/log/cron to see what runs every minute? Since it seems to be consistent enough, that may be a good place to check and see if tht gives you more data.
 

MichaelRHMW

Member
Nov 8, 2020
6
1
3
Australia
cPanel Access Level
Root Administrator
Hi cPRex,

Thanks for the suggestion, this looks promising.

[[email protected] ~]# tail /var/lib/mysql/server.err
2020-11-10 7:44:01 192518 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-10 7:45:02 192759 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-10 7:46:01 193057 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-10 7:47:01 193257 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-10 7:48:01 193484 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-10 7:49:02 193765 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-10 7:50:02 193972 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)
2020-11-10 7:51:01 194212 [Warning] Access denied for user 'admin'@'localhost' (using password: NO)

[[email protected] ~]# cat /var/log/cron | grep "Nov 10 07:51"
Nov 10 07:51:01 acp1 CROND[65647]: (root) CMD (/usr/lib64/nagios/plugins/bc/bc_mysqladmin_version.sh > /dev/null 2>&1)
Nov 10 07:51:01 acp1 CROND[65648]: (root) CMD (/usr/lib64/nagios/plugins/bc/bc_mysqladmin_version_plesk.sh > /dev/null 2>&1)

[[email protected] ~]# cat /usr/lib64/nagios/plugins/bc/bc_mysqladmin_version_plesk.sh | grep "admin"
mysqladmin -uadmin -p`cat /etc/psa/.psa.shadow` version > /usr/lib64/nagios/plugins/bc/bc_mysqladmin_version.txt;

[[email protected] ~]#

Also, /etc/psa/.psa.shadow doesn't exist.

I'll report back further.
 

MichaelRHMW

Member
Nov 8, 2020
6
1
3
Australia
cPanel Access Level
Root Administrator
UPDATE:

Yes, it was indeed coming from /usr/lib64/nagios/plugins/bc/bc_mysqladmin_version_plesk.sh which being for Plesk doesn't accurately apply to cPanel/WHM.
In particular I guess the /etc/psa/.psa.shadow file doesn't exist and so it returns empty/null? and that lines up with no password being attempted for a MySQL user of admin (which also doesn't exist)

Thanks cPRex