Tracking down mysql root login attempts

Operating System & Version: CL6
cPanel & WHM Version: 110

volex (Member, PartnerNOC, joined Feb 5, 2008; cPanel Access Level: DataCenter Provider)
Hi,

I have an issue which I've had some trouble tracking down and wondered if anyone had an idea I hadn't thought of.

There are a large number of failed root login attempts constantly happening and being logged to the mysql error log:

2023-05-25 9:25:14 925220 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:14 925221 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:14 925222 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:14 925223 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:14 925224 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:14 925225 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:14 925226 [Warning] Access denied for user 'root'@'localhost' (using password: NO)

This is pretty constant and is creating 200 MB+ of logs a day. My guess is that this is an incorrectly configured client site, as no password is being passed, so it doesn't appear to be hacking/brute-force related, and it's originating from localhost.

This is happening constantly, so it seems unrelated to cron.

I have tried grepping /home for "root"; however, this is not particularly viable: there are thousands of instances of it, and even after filtering them out it's not really tracking anything down.

tcpdump is no use, AFAIK, as MySQL packets don't contain information about the source app.

Beyond bulk-suspending accounts until this stops, I'm not sure what else to do; any suggestions appreciated.

cPRex (Jurassic Moderator, Staff member, joined Oct 19, 2014; cPanel Access Level: Root Administrator)
Hey there! Since this seems to be happening multiple times a second, you could try temporarily enabling the general query log:


Based on what you're describing, that log ought to catch the offending call within a few minutes; then you can shut it off. You don't want to leave this running too long, as it will write a LOT of data in a very short time, so if you're seeing this failed login every second I would expect a minute or two to be more than enough to get the data.
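An added example for this thread (not code from volex, cPRex or cPanel) that makes both halves of the discussion runnable. The first part summarises error-log lines of the kind volex posted: denials per second, who is being denied, and whether the connection IDs run consecutively (if they do, nothing else connected to mysqld between the failures, which points at a single client looping on the socket). The second part addresses what the general query log cannot tell you: the log records the connection, not the local process behind it, so the example parses `ss -xp` output and names the processes holding the client end of each connection to the mysqld Unix socket. The sample log lines and `ss` output are constructed, and the socket path `/var/lib/mysql/mysql.sock` is an assumption to adjust for the host.

```python
"""Triage helpers for a flood of 'Access denied for user root@localhost' warnings.

Added example for this thread (not code from volex, cPRex or cPanel).
Assumptions: the error-log line format is the MariaDB one quoted in the thread,
and the mysqld Unix socket lives at /var/lib/mysql/mysql.sock (adjust MYSQL_SOCK).
"""
import re
import subprocess
import time
from collections import Counter

MYSQL_SOCK = "/var/lib/mysql/mysql.sock"  # assumption: typical cPanel/CloudLinux path

# "2023-05-25 9:25:14 925220 [Warning] Access denied for user 'root'@'localhost' (using password: NO)"
DENIAL_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<conn_id>\d+)\s+\[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)' \(using password: (?P<pw>YES|NO)\)"
)

# The "users:" column of `ss -xp`, e.g. users:(("php-fpm",pid=4321,fd=5))
SS_USERS_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')


def summarize_denials(lines):
    """Volume per second, who is denied, and whether the connection IDs are
    consecutive (consecutive IDs mean no other client connected in between)."""
    per_second, who, conn_ids = Counter(), Counter(), []
    for line in lines:
        m = DENIAL_RE.match(line.strip())
        if not m:
            continue  # [Note], InnoDB and other lines are ignored
        per_second[f"{m['date']} {m['time']}"] += 1
        who[f"{m['user']}@{m['host']} (using password: {m['pw']})"] += 1
        conn_ids.append(int(m["conn_id"]))
    contiguous = len(conn_ids) > 1 and all(b - a == 1 for a, b in zip(conn_ids, conn_ids[1:]))
    return {
        "total": len(conn_ids),
        "max_per_second": max(per_second.values(), default=0),
        "who": dict(who),
        "ids_contiguous": contiguous,
    }


def parse_ss_unix(text):
    """Parse `ss -xp` output into (local_addr, local_inode, peer_inode, [(proc, pid)])."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Netid State Recv-Q Send-Q LocalAddr LocalInode PeerAddr PeerInode Process
        if len(parts) < 8 or parts[0] not in ("u_str", "u_seq"):
            continue
        procs = [(m["name"], int(m["pid"])) for m in SS_USERS_RE.finditer(line)]
        rows.append((parts[4], parts[5], parts[7], procs))
    return rows


def socket_clients(ss_text, sock_path=MYSQL_SOCK):
    """Processes on the client end of every connection to sock_path.
    mysqld's side of a connection shows the socket path plus a peer inode;
    the row whose local inode equals that peer inode is the client."""
    rows = parse_ss_unix(ss_text)
    by_local_inode = {row[1]: row for row in rows}
    clients = []
    for local_addr, _, peer_inode, _ in rows:
        if local_addr == sock_path and peer_inode in by_local_inode:
            clients.extend(by_local_inode[peer_inode][3])
    return clients


def poll_clients(sock_path=MYSQL_SOCK, samples=200, interval=0.05):
    """A failed login lives only milliseconds, so sample `ss -xp` repeatedly and
    count which (process, pid) pairs are caught holding a connection."""
    seen = Counter()
    for _ in range(samples):
        out = subprocess.run(["ss", "-xp"], capture_output=True, text=True, check=False).stdout
        seen.update(socket_clients(out, sock_path))
        time.sleep(interval)
    return seen


# Constructed samples; the warning lines mirror the ones quoted in the thread.
SAMPLE_ERROR_LOG = """\
2023-05-25 9:25:14 0 [Note] InnoDB: Buffer pool(s) load completed
2023-05-25 9:25:14 925220 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:14 925221 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:14 925222 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:14 925223 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:14 925224 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:14 925225 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
2023-05-25 9:25:14 925226 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
"""

SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_str LISTEN 0      80     /var/lib/mysql/mysql.sock 21512 * 0     users:(("mysqld",pid=900,fd=21))
u_str ESTAB  0      0      /var/lib/mysql/mysql.sock 31522 * 31521 users:(("mysqld",pid=900,fd=48))
u_str ESTAB  0      0      * 31521                         * 31522 users:(("php-fpm",pid=4321,fd=5))
u_str ESTAB  0      0      /var/lib/mysql/mysql.sock 31530 * 31529 users:(("mysqld",pid=900,fd=49))
u_str ESTAB  0      0      * 31529                         * 31530 users:(("perl",pid=5678,fd=3))
"""

if __name__ == "__main__":
    print(summarize_denials(SAMPLE_ERROR_LOG.splitlines()))
    print(socket_clients(SAMPLE_SS))        # [('php-fpm', 4321), ('perl', 5678)]
    print(poll_clients().most_common(5))    # live run: needs root and iproute2's ss
```

Run it as root on the affected box; `poll_clients` will usually catch a client that reconnects several times a second, and the PID leads straight to the account via `ps -o user,cmd -p <pid>`. Because a single `ss` snapshot can miss a connection that fails in a few milliseconds, a more reliable record is an audit watch on the socket path (`auditctl -w /var/lib/mysql/mysql.sock -p rw -k mysqlsock`, then `ausearch -k mysqlsock`), which logs the exe and PID of every process that opens it. The general query log cPRex suggests complements this: it shows what the client sends once connected, but not which local process sent it.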