Hi,
I have an issue which I've had some trouble tracking down and wondered if anyone had an idea I hadn't thought of.
There are a large number of failed root login attempts constantly happening and being logged to the MySQL error log:
2023-05-25 9:25:14 925220 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:14 925221 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:14 925222 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:14 925223 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:14 925224 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:14 925225 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:14 925226 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
This is pretty constant and is creating 200MB+ of logs a day. My guess is that this is an incorrectly configured client site, as no password is being passed, so it doesn't appear to be hacking/brute-force related, and it's originating from localhost.
This is happening constantly so seems unrelated to cron.
I have tried grepping /home for "root"; however, this is not particularly viable: there are thousands of instances of this, and even after filtering them out it's not really tracking anything down.
tcpdump is no use AFAIK, as MySQL packets don't contain information about the source app.
Beyond bulk suspending accounts until this stops, I'm not sure what else to do; any suggestions appreciated.
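One way to quantify the noise before hunting for the client, as an added example that is not part of the original post: a small parser for the MariaDB error-log format shown above that groups attempts by user, host and password flag, measures the peak rate per second, and checks whether the connection ids are consecutive (one client reconnecting in a loop rather than several independent sources). The sample log lines are constructed from the post's format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches the MariaDB error-log "Access denied" warnings quoted above.
# The hour is not zero-padded in this format, hence \d{1,2}.
ACCESS_DENIED = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) +(?P<time>\d{1,2}:\d{2}:\d{2}) +(?P<conn>\d+) "
    r"\[Warning\] Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)' "
    r"\(using password: (?P<pw>YES|NO)\)$"
)

def parse_access_denied(lines):
    """Yield one dict per Access denied line; all other log lines are skipped."""
    for line in lines:
        m = ACCESS_DENIED.match(line.strip())
        if m:
            yield {"ts": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S"),
                   "conn_id": int(m["conn"]), "user": m["user"], "host": m["host"],
                   "using_password": m["pw"] == "YES"}

def summarize(events):
    """Per (user, host, using_password): count, peak attempts in one second, and whether
    the connection ids are consecutive, which points to a single client in a tight loop
    rather than several independent sources."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["user"], e["host"], e["using_password"])].append(e)
    summary = {}
    for key, evs in groups.items():
        ids = sorted(e["conn_id"] for e in evs)
        summary[key] = {
            "count": len(evs),
            "peak_per_second": max(Counter(e["ts"] for e in evs).values()),
            "consecutive_ids": all(b - a == 1 for a, b in zip(ids, ids[1:])),
        }
    return summary

# Constructed sample: three lines in the post's format, one from another client, one unrelated.
SAMPLE_LOG = """\
2023-05-25 9:25:14 925220 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:14 925221 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:15 925222 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:15 925230 [Warning] Access denied for user 'app'@'10.0.0.5' (using password: YES)
2023-05-25 9:25:15 0 [Note] InnoDB: Buffer pool(s) load completed
""".splitlines()
if __name__ == "__main__":
    for key, stats in summarize(parse_access_denied(SAMPLE_LOG)).items():
        print(key, stats)
```

Run it over the real error log with `summarize(parse_access_denied(open(path)))`; a steady stream of consecutive ids from one user/host is the signature of a single process looping, which narrows the search to whatever holds a connection to the server at that moment (for example via `ss -tnp` or `lsof`).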