Thread: Can't find which user/process is doing login attempts

  1. #1
    Join Date
    May 2008
    Location
    Bulgaria
    Posts
    946

    Can't find which user/process is doing login attempts

    I am on MariaDB 10.4, but this is a long-running issue from a very long time ago.

    Every day, at intervals of a few minutes, I see these entries in the BruteForce Monitor:

    Code:
    15676386600000	localhost		1	mysql1	2019-09-05 2:10:24 72774529 [Warning] Access denied for user ''@'localhost' (using password: NO)
    15676386600001	localhost		1	mysql1	2019-09-05 2:10:24 72774530 [Warning] Access denied for user ''@'localhost' (using password: NO)
    15676386600002	localhost		1	mysql1	2019-09-05 2:10:24 72774531 [Warning] Access denied for user ''@'localhost' (using password: NO)
    15676386600003	localhost		1	mysql1	2019-09-05 2:10:24 72774532 [Warning] Access denied for user ''@'localhost' (using password: NO)
    15676386600004	localhost		1	mysql1	2019-09-05 2:10:24 72774533 [Warning] Access denied for user ''@'localhost' (using password: NO)
    15676386600005	localhost		1	mysql1	2019-09-05 2:10:24 72774534 [Warning] Access denied for user ''@'localhost' (using password: NO)
    15676386600006	localhost		1	mysql1	2019-09-05 2:10:24 72774535 [Warning] Access denied for user ''@'localhost' (using password: NO)
    15676386600007	localhost		1	mysql1	2019-09-05 2:10:24 72774536 [Warning] Access denied for user ''@'localhost' (using password: NO)
    That's not a brute force, obviously - it's not a password cracking attempt, as they are not using any password. The problem is that it does not log the user who made the attempt - it's localhost, but all users are there, of course.

    The MySQL error log from which the BruteForce Monitor is fetching the data is not helpful either:

    Code:
    2019-09-09  2:06:27 86934155 [Warning] Access denied for user ''@'localhost' (using password: NO)
    2019-09-09  2:06:27 86934156 [Warning] Access denied for user ''@'localhost' (using password: NO)
    2019-09-09  2:06:27 86934157 [Warning] Access denied for user ''@'localhost' (using password: NO)
    2019-09-09  2:06:27 86934158 [Warning] Access denied for user ''@'localhost' (using password: NO)
    2019-09-09  2:06:27 86934159 [Warning] Access denied for user ''@'localhost' (using password: NO)
    2019-09-09  2:06:27 86934160 [Warning] Access denied for user ''@'localhost' (using password: NO)
    2019-09-09  2:06:27 86934161 [Warning] Access denied for user ''@'localhost' (using password: NO)
    2019-09-09  2:06:27 86934162 [Warning] Access denied for user ''@'localhost' (using password: NO)
    (or one of the particulars from above):

    Code:
    root@srv2:/etc # grep "72774529" /usr/local/mysql/data/<SERVERHOSTNAME>.err
    2019-09-05  2:10:24 72774529 [Warning] Access denied for user ''@'localhost' (using password: NO)
    I tried looking at the PHP error logs with:

    Code:
    cd /var/log/httpd/domains
    grep "Access denied" *
    or even by date/time for specific entry:

    Code:
    grep "Mon Sep 09 02:06" *.error.log
    but did not find anything suspicious there. At this point I tend to think that it's not a PHP script from a user who is doing this, but something else.

    How do I find at least which process is doing this?
    Last edited by wattie; 09-08-2019 at 06:26 PM.

  2. #2
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    4,090
    Cool! Same question over here. How can one find an abusing script? Or something else?

    In my case exactly every 5 minutes:
    Code:
    2019-09-07 22:35:02 140514955360000 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
    2019-09-07 22:40:02 140523749037824 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
    2019-09-07 22:45:01 140515089577728 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
    Would also like to know how to investigate and find such cause.
    Greetings, Richard.
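Posts #1 and #2 both ask how to tell what is behind these repeated denied logins. The error log cannot name the client process, but it does reveal the cadence: an unconfigured client, daemon or cron job fails on a fixed schedule and without a password, while password guessing shows `using password: YES` at irregular times. The script below is an added example, not code from this thread or from DirectAdmin/MariaDB. It parses the error-log line format quoted above, groups the entries by user@host, splits them into bursts and reports the intervals between bursts. The sample log is constructed: a few lines are modelled on the ones quoted in the thread, while the `'admin'@'10.0.0.5'` lines, the thread ids and the later timestamps are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Error-log line format as quoted in the thread (MariaDB 10.x). The hour may be
# a single digit ("2:06:27"), so the regex allows one or two digits.
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+\d+\s+"
    r"\[Warning\]\s+Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
    r"\s+\(using password: (?P<pw>YES|NO)\)"
)

# Constructed sample log (not a real server's log). The first six and the three
# 'root' lines are modelled on the thread; the 'admin'@'10.0.0.5' lines and all
# thread ids after the first three are invented to show a password-guessing pattern.
SAMPLE_LOG = """\
2019-09-09  2:06:27 86934155 [Warning] Access denied for user ''@'localhost' (using password: NO)
2019-09-09  2:06:27 86934156 [Warning] Access denied for user ''@'localhost' (using password: NO)
2019-09-09  2:06:27 86934157 [Warning] Access denied for user ''@'localhost' (using password: NO)
2019-09-09  2:11:27 86934301 [Warning] Access denied for user ''@'localhost' (using password: NO)
2019-09-09  2:11:28 86934302 [Warning] Access denied for user ''@'localhost' (using password: NO)
2019-09-09  2:16:27 86934410 [Warning] Access denied for user ''@'localhost' (using password: NO)
2019-09-07 22:35:02 140514955360000 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2019-09-07 22:40:02 140523749037824 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2019-09-07 22:45:01 140515089577728 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2019-09-07 22:45:01 140515089577729 [Warning] Access denied for user 'admin'@'10.0.0.5' (using password: YES)
2019-09-07 22:45:03 140515089577730 [Warning] Access denied for user 'admin'@'10.0.0.5' (using password: YES)
2019-09-07 22:46:40 140515089577731 [Warning] Access denied for user 'admin'@'10.0.0.5' (using password: YES)
2019-09-07 22:46:41 0 [Note] Some unrelated line that is not an access-denied warning
"""


def parse_line(line):
    """Return (timestamp, user, host, used_password) or None for non-matching lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    return ts, m["user"], m["host"], m["pw"] == "YES"


def analyze(lines, burst_gap=timedelta(seconds=2), tolerance=timedelta(seconds=5)):
    """Group denied logins per (user, host), split each group into bursts of
    attempts that arrive within burst_gap of each other, and report the time
    between consecutive bursts. A group is flagged 'periodic' when all its
    inter-burst intervals agree within the given tolerance (cron-like cadence)."""
    by_principal = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, user, host, pw = parsed
            by_principal[(user, host)].append((ts, pw))

    report = {}
    for key, events in by_principal.items():
        events.sort()
        bursts = []  # each burst: {"start", "last", "count"}
        for ts, _ in events:
            if bursts and ts - bursts[-1]["last"] <= burst_gap:
                bursts[-1]["last"] = ts
                bursts[-1]["count"] += 1
            else:
                bursts.append({"start": ts, "last": ts, "count": 1})
        intervals = [
            int((b["start"] - a["start"]).total_seconds())
            for a, b in zip(bursts, bursts[1:])
        ]
        periodic = len(intervals) >= 2 and (
            max(intervals) - min(intervals) <= tolerance.total_seconds()
        )
        report[key] = {
            "attempts": len(events),
            "with_password": sum(1 for _, pw in events if pw),
            "burst_sizes": [b["count"] for b in bursts],
            "intervals_s": intervals,
            "periodic": periodic,
        }
    return report


if __name__ == "__main__":
    # Replace SAMPLE_LOG.splitlines() with open("/path/to/hostname.err") for a real log.
    for (user, host), r in sorted(analyze(SAMPLE_LOG.splitlines()).items()):
        label = f"'{user}'@'{host}'"
        print(f"{label:<24} attempts={r['attempts']:<3} with_password={r['with_password']:<3} "
              f"bursts={r['burst_sizes']} intervals_s={r['intervals_s']} periodic={r['periodic']}")
```

On the sample data the empty-user group and the 'root' group both come out periodic at 300 seconds without a password, which is the signature of a scheduled or polling client with missing credentials rather than of guessing; the 'admin' group fails with passwords at irregular intervals, which is what actual guessing looks like. Once a cadence is known, it can be matched against the schedules on the box (system and per-user crontabs, /etc/cron.d, periodic daemon tasks). Identifying the process itself needs something outside the error log, for instance watching the server's unix socket for connecting peers at the moment the burst is due.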

  3. #3
    Join Date
    May 2008
    Location
    Bulgaria
    Posts
    946
    Quote Originally Posted by Richard G View Post
    In my case exactly every 5 minutes
    Your case looks suspiciously close to my case, with the OS difference (I am on FreeBSD). I don't think it's a script. I think it's some daemon which is not configured and tries a passwordless login.

  4. #4
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    4,090
    I was also thinking of this, since I created a .my.cnf in /root and still the same log occurred. Very curious to find this out.
    Greetings, Richard.

  5. #5
    Join Date
    Apr 2009
    Posts
    2,393
    In wattie's case, maybe it could just be a user that uploaded all the files for a CMS but did not bother to finish the installation and left it without filling in the database details in a PHP file? Then this could occur every time someone visits the site?

  6. #6
    Join Date
    May 2008
    Location
    Bulgaria
    Posts
    946
    I don't think so. There are too many database hits, and they are regularly appearing at intervals of a few minutes. It's like a cron schedule... but not exactly.

  7. #7
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    4,090
    You could check the Roundcube logs (or whatever webmail you've got); maybe they are automated brute forces on webmail of some kind? Since I see a whole bunch of them at the same exact time, even the same second.
    Greetings, Richard.

  8. #8
    Join Date
    May 2008
    Location
    Bulgaria
    Posts
    946
    Nothing in the Roundcube logs.

    But here is something I found - the SquirrelMail configuration has an option "Database" in the menu:

    Code:
    # cd /var/www/html/squirrelmail/
    # ./configure
    SquirrelMail Configuration : Read: config.php
    Config version 1.4.0; SquirrelMail version 1.4.23 [SVN]
    ---------------------------------------------------------
    Main Menu --
    1.  Organization Preferences
    2.  Server Settings
    3.  Folder Defaults
    4.  General Options
    5.  Themes
    6.  Address Books
    7.  Message of the Day (MOTD)
    8.  Plugins
    9.  Database
    10. Languages
    
    D.  Set pre-defined settings for specific IMAP servers
    
    C   Turn color on
    S   Save data
    Q   Quit
    and when I go to "Database", there are "DSN" entries (data source name?) which are empty:

    Code:
    SquirrelMail Configuration : Read: config.php
    Config version 1.4.0; SquirrelMail version 1.4.23 [SVN]
    ---------------------------------------------------------
    Database
    1.  DSN for Address Book   :
    2.  Table for Address Book : address
    
    3.  DSN for Preferences    :
    4.  Table for Preferences  : userprefs
    5.  Field for username     : user
    6.  Field for prefs key    : prefkey
    7.  Field for prefs value  : prefval
    
    8.  DSN for Global Address Book            :
    9.  Table for Global Address Book          : global_abook
    10. Allow writing into Global Address Book : false
    11. Allow listing of Global Address Book   : false
    
    R   Return to Main Menu
    C   Turn color on
    S   Save data
    Q   Quit
    I am not confident that this is used at all and it is the one causing issues. Just guessing at this point. I will read about it later today.

  9. #9
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,598
    Can it be the same case: https://forum.directadmin.com/showthread.php?t=56411

    As for SquirrelMail, it by default does not use SQL at all on DirectAdmin servers.
    Regards, Alex G.

    - Get the best commercial DirectAdmin support and hire me on poralix.com
    - Follow and like @Poralix on Facebook

  10. #10
    Join Date
    May 2008
    Location
    Bulgaria
    Posts
    946
    Quote Originally Posted by zEitEr View Post
    Yes, but this time there is nothing in the PHP logs... I didn't find anything suspicious there.

  11. #11
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    4,090
    In my case the error was introduced after migrating to PHP 7.2.
    How did you fix it in your case, Alex? It seems solved in my case after a conversion to MariaDB; I only see it now once, on restarting MariaDB.
    Greetings, Richard.

  12. #12
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,598
    Well, too much time has passed since then... So I guess... See https://www.php.net/manual/en/functi...ape-string.php: mysql_real_escape_string() is included in an extension which was deprecated in PHP 5.5.0 and removed in PHP 7.0.0. So I believe the PHP version for a user's domain had been downgraded to 5.6.x. That's the most likely solution I used for the case.
    Regards, Alex G.

  13. #13
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    4,090
    Thank you Alex.
    In that case it's probably not what I am/was experiencing. If it happens again I will use the find command. Didn't think of that before either.
    Greetings, Richard.
