Tracking logins to MySQL, potential breach

GoWilkes

Well-Known Member
Sep 26, 2006
692
33
178
cPanel Access Level
Root Administrator
I've had 21 instances of 11 existing users having an unauthorized login from a specific non-US IP address, starting on January 15.

At first I thought they might be using the same VPN software or something, but twice the user tried to submit obvious spam through a form. That makes me concerned that a hacker was able to obtain their password.

I track logins to the accounts that are done via PHP, and I can see that the IP was, in fact, logging in through PHP. So if I'm correct then they somehow accessed the password, then used it to go to my PHP script to log in.

What I DON'T know, though, is whether they somehow logged in to my MySQL and used that to read their password.

I see a lot of this in the mysqld.log:

Code:
2023-01-28  4:23:22 32700448 [Warning] Hostname 'zg-1220c-53.stretchoid.com' does not resolve to '198.199.98.137'.
2023-01-28  4:23:22 32700448 [Note] Hostname 'zg-1220c-53.stretchoid.com' has the following IP addresses:
2023-01-28  4:23:22 32700448 [Note]  - 127.0.0.1
2023-01-28  4:55:12 32727354 [Warning] IP address '45.93.201.88' could not be resolved: Name or service not known
2023-01-28  5:58:05 32780544 [Warning] Hostname 'zg-1220f-107.stretchoid.com' does not resolve to '107.170.254.16'.
2023-01-28  5:58:05 32780544 [Note] Hostname 'zg-1220f-107.stretchoid.com' has the following IP addresses:
2023-01-28  5:58:05 32780544 [Note]  - 127.0.0.1
2023-01-28  7:08:50 32844389 [Warning] IP address '219.141.208.101' could not be resolved: Name or service not known
2023-01-28 11:09:00 33084352 [Warning] IP address '137.184.104.164' could not be resolved: Name or service not known
2023-01-28 11:42:03 33118752 [Warning] IP address '205.210.31.57' could not be resolved: Name or service not known
2023-01-28 12:50:13 33185320 [Warning] IP address '185.167.97.38' could not be resolved: Name or service not known
That LOOKS like failed login attempts, but where can I find successful login attempts?
 
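The resolver warnings in the log above deserve a different reading than "failed login attempts". mysqld emits "Hostname ... does not resolve to" and "IP address ... could not be resolved" when a new TCP connection arrives and it tries to reverse-resolve the peer (skip-name-resolve not set). That happens before authentication, so each line proves that a connection from that address reached port 3306; it says nothing about whether a login then succeeded or failed. The script below is an added example, not code from the thread, from cPanel or from MariaDB/MySQL: it pulls the peer addresses out of a log in that format and counts the public ones. The sample log is constructed from the lines posted above plus two added lines (a repeat of 219.141.208.101 and a private 192.168.1.20) so that counting and filtering have something to show; IPv6 peers are not handled.

```shell
#!/bin/sh
# Added example (not from the thread): extract the remote addresses behind
# mysqld's connect-time reverse-DNS warnings and count the public ones.
# The warnings are written when a connection arrives, before authentication,
# so they show who reached port 3306, not who logged in.

# Print one IPv4 address per matching log line. Two message forms are handled:
#   [Warning] Hostname 'x' does not resolve to '1.2.3.4'.
#   [Warning] IP address '1.2.3.4' could not be resolved: ...
# The "[Note]  - 127.0.0.1" lines (what the hostname resolved to) are skipped.
mysql_peer_ips() {   # arg: path to mysqld.log
    sed -n \
        -e "s/.*does not resolve to '\([0-9.]*\)'.*/\1/p" \
        -e "s/.*IP address '\([0-9.]*\)' could not be resolved.*/\1/p" \
        "$1"
}

# RFC 1918 and loopback ranges: expected from the server itself or a LAN.
is_private_ip() {   # arg: dotted-quad IPv4
    case "$1" in
        10.*|127.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# "count ip" per public address, busiest first.
mysql_public_peers() {   # arg: path to mysqld.log
    mysql_peer_ips "$1" |
        while IFS= read -r ip; do
            is_private_ip "$ip" || printf '%s\n' "$ip"
        done |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample: the lines posted in the thread, plus a repeat of
# 219.141.208.101 and a private 192.168.1.20 added to exercise counting/filtering.
write_sample_log() {   # arg: destination path
    cat > "$1" <<'EOF'
2023-01-28  4:23:22 32700448 [Warning] Hostname 'zg-1220c-53.stretchoid.com' does not resolve to '198.199.98.137'.
2023-01-28  4:23:22 32700448 [Note] Hostname 'zg-1220c-53.stretchoid.com' has the following IP addresses:
2023-01-28  4:23:22 32700448 [Note]  - 127.0.0.1
2023-01-28  4:55:12 32727354 [Warning] IP address '45.93.201.88' could not be resolved: Name or service not known
2023-01-28  5:58:05 32780544 [Warning] Hostname 'zg-1220f-107.stretchoid.com' does not resolve to '107.170.254.16'.
2023-01-28  7:08:50 32844389 [Warning] IP address '219.141.208.101' could not be resolved: Name or service not known
2023-01-28  7:09:14 32844390 [Warning] IP address '219.141.208.101' could not be resolved: Name or service not known
2023-01-28  7:30:00 32845000 [Warning] IP address '192.168.1.20' could not be resolved: Name or service not known
EOF
}

# Stand-alone run: write the sample, report, clean up.
main() {
    log=$(mktemp)
    write_sample_log "$log"
    echo "public addresses that reached mysqld (count ip):"
    mysql_public_peers "$log"
    rm -f "$log"
}

main
```

On a real server, call mysql_public_peers on the live mysqld.log instead of the sample. A non-empty result is already the answer to "is my MySQL reachable from the Internet", independent of whether any of those connections authenticated.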

GoWilkes

Sorry for 1000 edits on the previous post, I kept getting an error from the forum. Apparently you can't post "var" followed by "log" :-/
 

rbairwell

Well-Known Member
May 28, 2022
108
47
28
Mansfield, Nottingham, UK
cPanel Access Level
Root Administrator
It seems you have MySQL open to the entire world. This is a security issue as it allows password guessing etc. I would suggest either entirely firewalling it off and changing /etc/my.cnf to only allow localhost/127.0.0.1 access or set your firewall rules up so only specific external addresses can access MySQL directly.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
15,158
2,407
363
cPanel Access Level
Root Administrator
I'm not finding any successful logins to the MySQL service when I do a "mysql -u username -p" type of login from the command line, so it looks like those may not be tracked. From what I'm seeing, you would have to enable the General log to see this, which logs EVERYTHING and can take up a lot of space quickly.
 

GoWilkes

That's unfortunate, @cPRex :-/

@rbairwell, how do you suggest that I tighten it up? I'm using CSF and it looks like the default setting enables ST_MYSQL_USER and ST_MYSQL_HOST to restrict access to "localhost". And I double checked, in WHM there's nothing under "Additional MySQL Access Hosts".
 

quietFinn

Well-Known Member
Feb 4, 2006
1,894
463
438
Finland
cPanel Access Level
Root Administrator
Re "ST_MYSQL_USER": those settings in CSF are for CSF's Statistics.
If you don't want to allow MySQL connections from outside your server you can close TCP port 3306, and in /etc/my.cnf have the line bind-address=127.0.0.1
(I like to wear a belt and braces) :)
 

GoWilkes

Is there a way to close the port within WHM, separate from the firewall?

I occasionally have to disable the firewall (like when a hosting client is working with an international customer, or a good user is accidentally blocked and I'm trying to track it down), so I'd rather use the firewall as a backup plan rather than the primary.
 

quietFinn

If you have port 3306 open but have the line bind-address=127.0.0.1 in /etc/my.cnf, then anyone can connect to port 3306, but MySQL is not listening on that port.
Well, more precisely, MySQL IS listening on port 3306 but only on address 127.0.0.1.
 
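
Two checks that make the "open port vs. listening address" distinction from quietFinn's two posts concrete, as an added example that is not from the thread, cPanel or CSF: mysql_listeners classifies every LISTEN socket on the MySQL port in `ss -ltn` output as loopback-only or reachable from other hosts, and mysqld_bind_address reports the effective bind-address from the [mysqld] section of a my.cnf (empty means the option is absent and mysqld listens on all interfaces). Both run here against constructed input files (an exposed and a loopback-only socket listing, a my.cnf without bind-address beside the corrected one) so the script works offline; on a live server you pipe `ss -ltn` into mysql_listeners and point mysqld_bind_address at /etc/my.cnf. Assumptions and limits: the port is 3306, only the [mysqld] group is read (mysqld also honours [server] and, on MariaDB, [mariadb]), and skip-networking, which disables TCP altogether, is not checked.

```shell
#!/bin/sh
# Added example (not from the thread, cPanel or CSF): tell a mysqld that is
# reachable from other hosts apart from one bound to loopback only, using
# `ss -ltn` output and the [mysqld] section of my.cnf.

# Classify every LISTEN socket on the given port. Reads `ss -ltn` output on
# stdin; on a live server: ss -ltn | mysql_listeners 3306
# Prints "loopback HOST" or "exposed HOST" per socket. Anything other than
# 127.0.0.1 / [::1] (0.0.0.0, *, [::], or a routable address) counts as exposed.
mysql_listeners() {   # arg: TCP port
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(port) - 1)
            kind = (host == "127.0.0.1" || host == "[::1]") ? "loopback" : "exposed"
            print kind, host
        }'
}

# Exit 0 when no listener on the port is reachable from other hosts.
mysql_port_is_local() {   # args: port, path to saved `ss -ltn` output
    ! mysql_listeners "$1" < "$2" | grep -q '^exposed '
}

# Effective bind-address from the [mysqld] group (last occurrence wins, as in
# mysqld). Empty output means the option is absent: listen on all interfaces.
# Only [mysqld] is read here; mysqld also honours [server] and, on MariaDB, [mariadb].
mysqld_bind_address() {   # arg: path to my.cnf
    awk '
        /^\[/ { in_mysqld = ($0 == "[mysqld]") }
        in_mysqld && /^[[:space:]]*bind[-_]address[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            sub(/[[:space:]]*(#.*)?$/, "")
            val = $0
        }
        END { print val }' "$1"
}

# Constructed inputs: one exposed and one loopback-only socket listing in the
# column layout of `ss -ltn`, and a my.cnf without bind-address beside one with it.
write_samples() {   # arg: directory
    cat > "$1/ss-exposed.txt" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
EOF
    cat > "$1/ss-loopback.txt" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
EOF
    cat > "$1/my-weak.cnf" <<'EOF'
[mysqld]
# no bind-address: mysqld listens on every interface
max_allowed_packet=268435456
EOF
    cat > "$1/my-fixed.cnf" <<'EOF'
[mysqld]
max_allowed_packet=268435456
bind-address=127.0.0.1   # loopback only; clients on 127.0.0.1 or the socket are unaffected
EOF
}

# Stand-alone run over the constructed inputs.
main() {
    dir=$(mktemp -d)
    write_samples "$dir"
    for f in ss-exposed.txt ss-loopback.txt; do
        printf '%s: ' "$f"; mysql_listeners 3306 < "$dir/$f"
    done
    for f in my-weak.cnf my-fixed.cnf; do
        printf '%s bind-address=[%s]\n' "$f" "$(mysqld_bind_address "$dir/$f")"
    done
    rm -rf "$dir"
}

main
```

The socket check is the one that matters: it reports what mysqld is actually doing, whichever option file or group set it, and it is exactly what a remote scanner sees once the firewall is down. The my.cnf check tells you which line to change. The belt-and-braces advice above corresponds to making both pass: bind-address on loopback so the check reports only "loopback 127.0.0.1", and the firewall rule as a second layer.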