
I have a server with a MySQL database which is accessible by WordPress. Every 1-2 seconds I see the following in the MySQL error.log:

[Note] Access denied for user 'root'@'localhost'

There is no password attempt involved as I see it, but my root user has password set.

I am guessing this is some kind of brute force attack. The problem is that I can't figure out which service or script is trying this. My WordPress installation is not using root as its user, and from what I saw in one plugin that may be susceptible to it, all SQL queries are in prepared statements.

I have tried tcpdump to sniff packets sent to local port 3306, but it gave me nothing. How can I find which service or script is trying to access it? Thanks a lot.

2 Answers


"localhost" implies a "socket" connection, no TCP/IP involved, hence tcpdump is useless. The presumed hacker has already logged into your server.

Case 1, some program on your machine: ps ("task manager") lists all the programs. "lsof" is another tool. (Neither of these is very practical since they both give huge lists.)

Case 2, an outside hacker: Look for logins. Look for shell scripts running in ps. Meanwhile, add/strengthen all logins to the machine.

Rick James
  • The only user logged in (I check with `who -H`) is my own, so I doubt they got access. `/var/log/auth.log` is not showing any users except mine that I should consider dangerous. And I changed my password, but it still happens. – Aleksandar Andrijevic Mar 31 '21 at 18:35
  • @AleksandarAndrijevic - A hacker will login, try to access the database, and logout in only a fraction of a second. Don't expect them to wait around until you catch them. – Rick James Mar 31 '21 at 18:46
  • Check the rest of the logins -- root, admin, and various admin-like "users" supporting various apps. But don't blindly change passwords of logins you don't understand; you could break apps. – Rick James Mar 31 '21 at 18:46
  • I will first try disabling the Apache server for WP for a minute, to check if there is maybe some script injection taking place that can cause this. Then I will check logins. Thanks. – Aleksandar Andrijevic Mar 31 '21 at 20:10
  • I disabled Apache service for 1-2 minutes and entries in error log for MySQL stopped. So I better check my instance of WordPress to see if there is some script wrong. – Aleksandar Andrijevic Apr 02 '21 at 08:07
  • @AleksandarAndrijevic - Good. When you get more details, I suggest you write a Question about it, then Answer your own question with what you found. (Yes, self-answered questions are acceptable.) – Rick James Apr 02 '21 at 17:30
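One way to do the narrowing this answer recommends, as an added example that is not from the answer or its author: since 'localhost' means the MySQL Unix socket, the script below lists which processes hold a connection to that socket (the socket counterpart of the tcpdump the asker tried on port 3306). It assumes the socket path /var/run/mysqld/mysqld.sock (check `socket=` in my.cnf) and the iproute2 `ss -xp` output format; the sample output embedded in it is constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not from the answer: list the processes connected to the
# MySQL Unix socket instead of sniffing TCP port 3306, which 'localhost'
# connections never touch. Assumes the socket path below and the iproute2
# `ss -xp` format, where each line carries the peer path and
# users:(("cmd",pid=N,fd=M)) for the owning process.

MYSQL_SOCKET="${MYSQL_SOCKET:-/var/run/mysqld/mysqld.sock}"

# Read `ss -xp` output on stdin; print "command pid" for every process
# connected to socket $1, skipping mysqld itself (the listening/server end).
socket_clients() {
    grep -F -- "$1" \
    | grep -o '("[^"]*",pid=[0-9]*' \
    | sed 's/("\([^"]*\)",pid=/\1 /' \
    | grep -v '^mysqld ' \
    | LC_ALL=C sort -u
}

# Tally clients by command name, most connections first: the top entry is
# the service to suspect (e.g. the web server, as the asker found).
client_counts() {
    socket_clients "$1" \
    | awk '{ c[$1]++ } END { for (k in c) print c[k], k }' \
    | LC_ALL=C sort -rn
}

# Constructed sample of `ss -xp` output so the script runs offline (not a real capture).
SAMPLE_SS='u_str ESTAB 0 0 /var/run/mysqld/mysqld.sock 123456 * 123457 users:(("mysqld",pid=812,fd=30))
u_str ESTAB 0 0 * 123457 /var/run/mysqld/mysqld.sock 123456 users:(("apache2",pid=2101,fd=12))
u_str ESTAB 0 0 * 123459 /var/run/mysqld/mysqld.sock 123458 users:(("apache2",pid=2102,fd=12))
u_str ESTAB 0 0 * 123461 /var/run/mysqld/mysqld.sock 123460 users:(("php-fpm7.4",pid=2200,fd=5))
u_str ESTAB 0 0 * 99001 /run/systemd/journal/stdout 99000 users:(("sshd",pid=900,fd=3))'

demo_clients() { printf '%s\n' "$SAMPLE_SS" | socket_clients /var/run/mysqld/mysqld.sock; }
demo_counts()  { printf '%s\n' "$SAMPLE_SS" | client_counts  /var/run/mysqld/mysqld.sock; }

if [ "${1:-}" = "--live" ]; then
    # Sample once a second with a timestamp, so a client that connects, gets
    # "Access denied" and exits within a fraction of a second is still caught.
    while sleep 1; do
        date '+%T'
        ss -xp 2>/dev/null | socket_clients "$MYSQL_SOCKET"
    done
else
    demo_clients
fi
```

Run it with `--live` on the server and line the timestamps up with the "Access denied" entries in error.log; the command names it prints are the ps entries worth reading.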

The problem was not the WordPress instance, but another folder. In there was a valid script for a forum which, on the old platform, used the root user, for an unknown reason.

Changed the user and now it is OK. Thanks for all your help :)