Atomic Secure Linux
All times are UTC - 5 hours [ DST ]




 Post subject: Access denied for user 'apache'@'localhost' (using password:
Posted: Tue Mar 12, 2013 12:28 pm
Forum Regular

Joined: Mon Oct 29, 2007 6:51 pm
Posts: 644
Hi,

Just recently I started getting thousands of ossec emails about this:

Quote:
OSSEC HIDS Notification.
2013 Mar 11 20:40:15

Received From: myserverX ->/var/log/mysqld.log
Rule: 50106 fired (level 9) -> "Database authentication failure."
Portion of the log(s):

MySQL log: 130311 20:40:15 [Warning] Access denied for user 'apache'@'localhost' (using password: NO)

--END OF NOTIFICATION


I am guessing this is a fairly new alert type, as they all just started across the entire environment all at once, but it is good visibility into an existing problem. The question is, how do I figure out who is doing it? On a server with thousands of domains I don't really have a good way of looking for this. I thought I could do a series of greps to look for apache and localhost in the same files or lines, but that may not even be present.

Any ideas?


 Post subject: Re: Access denied for user 'apache'@'localhost' (using passw
Posted: Tue Mar 12, 2013 12:50 pm
Forum Regular

Joined: Tue Aug 01, 2006 2:45 pm
Posts: 447
Location: Netherlands
Background info: Authentication failures in MySQL are logged if you have set "log-warnings=2" in /etc/my.cnf. Since one of the recent ASL updates this is also something "asl -s -f" checks for.

I don't believe you can easily find out which script is responsible for these connections. "apache@localhost" suggests that it is a website script that has not set any credentials, and automatically uses the system user ('apache') and localhost for attempting to make a connection. If you see patterns in the times, it might be caused by a cronjob or periodically retrieved page. If a website script is responsible for these connections, and they happen multiple times, you might also find this out by comparing access/error logs with some grep voodoo.

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: Access denied for user 'apache'@'localhost' (using passw
Posted: Tue Mar 12, 2013 1:03 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7910
Location: earth
You have no idea how many broken apps we've been catching with this.


 Post subject: Re: Access denied for user 'apache'@'localhost' (using passw
Posted: Tue Mar 12, 2013 1:09 pm
Forum Regular

Joined: Tue Aug 01, 2006 2:45 pm
Posts: 447
Location: Netherlands
For PHP websites, grep the error logs for "mysql_connect(): Access denied" and the like.

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: Access denied for user 'apache'@'localhost' (using passw
Posted: Tue Mar 12, 2013 4:23 pm
Forum Regular

Joined: Mon Oct 29, 2007 6:51 pm
Posts: 644
Scanning the individual error_logs for the domains doesn't yield anything at all.

I turned on error logging in php.ini and set it to a file that I created and so far the only thing it has caught is PHP Deprecated messages, even though I am still getting the mysql emails from ossec.


 Post subject: Re: Access denied for user 'apache'@'localhost' (using passw
Posted: Tue Mar 12, 2013 6:17 pm
Forum Regular

Joined: Wed Mar 19, 2008 10:22 pm
Posts: 111
I'm getting bombarded with these as well. I still haven't found the source.


 Post subject: Re: Access denied for user 'apache'@'localhost' (using passw
Posted: Wed Mar 13, 2013 11:29 am
Forum Regular

Joined: Mon Oct 29, 2007 6:51 pm
Posts: 644
Just wanted to say I finally found it. I had forgotten to change the server's error reporting to have warnings, which is what would be reported in this case. Once I did that it was immediately obvious, since it was happening about 20 times per minute throughout the day :)

Quote:
[13-Mar-2013 08:25:32 America/Los_Angeles] PHP Warning: mysql_query() [<a href='function.mysql-query'>function.mysql-query</a>]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/domain.com/httpdocs/file.php on line 17



php settings
Quote:
error_reporting = E_ALL
display_errors = On
display_startup_errors = On
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
error_log = /var/log/php_errors


and of course
Quote:
rm -Rf /var/log/php_errors
touch /var/log/php_errors
chmod 777 /var/log/php_errors


and then sit back and wait
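
The approach this thread arrives at (have PHP log warnings, then look for the "Access denied" entries), as an added example that is not code from any poster: it tallies passwordless 'apache' login failures in a PHP error log by script and line, with the peak rate per minute. The function names, the sample lines and the example.org paths are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# PHP error_log entry for a MySQL login failure, in the format quoted in the post above.
DENIED = re.compile(
    r"^\[(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})[^\]]*\] PHP Warning:\s+"
    r"[\w:]+\(\).*?Access denied for user '(?P<user>[^']*)'@'[^']*' "
    r"\(using password: (?P<pw>YES|NO)\) in (?P<script>.+) on line (?P<line>\d+)$"
)

def find_offenders(log_text, user="apache", pw="NO"):
    """Count matching failures per (script, line), busiest first."""
    hits, per_minute = Counter(), defaultdict(Counter)
    for raw in log_text.splitlines():
        m = DENIED.match(raw.strip())
        if not m or m["user"] != user or m["pw"] != pw:
            continue  # other PHP messages, or a different kind of login failure
        key = (m["script"], int(m["line"]))
        minute = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S").replace(second=0)
        hits[key] += 1
        per_minute[key][minute] += 1
    return [{"script": s, "line": n, "count": c,
             "peak_per_minute": max(per_minute[(s, n)].values())}
            for (s, n), c in hits.most_common()]

def _warn(t, func, user, pw, script, line):
    # Builds one constructed log line in the quoted format.
    tag = "function." + func.replace("_", "-")
    return (f"[13-Mar-2013 {t} America/Los_Angeles] PHP Warning:  {func}() "
            f"[<a href='{tag}'>{tag}</a>]: Access denied for user '{user}'@'localhost' "
            f"(using password: {pw}) in {script} on line {line}")

F = "/var/www/vhosts/domain.com/httpdocs/file.php"  # path quoted in the post
# Constructed sample log; the example.org paths are made up.
SAMPLE_LOG = "\n".join([
    _warn("08:25:32", "mysql_query", "apache", "NO", F, 17),
    _warn("08:25:35", "mysql_query", "apache", "NO", F, 17),
    _warn("08:25:58", "mysql_query", "apache", "NO", F, 17),
    _warn("08:26:04", "mysql_query", "apache", "NO", F, 17),
    "[13-Mar-2013 08:26:10 America/Los_Angeles] PHP Deprecated:  Function ereg() is deprecated in /var/www/vhosts/domain.com/httpdocs/old.php on line 3",
    _warn("08:27:41", "mysql_connect", "apache", "NO", "/var/www/vhosts/example.org/httpdocs/inc/db.php", 4),
    _warn("08:28:00", "mysql_connect", "shop", "YES", "/var/www/vhosts/example.org/httpdocs/cart.php", 9),
])

if __name__ == "__main__":
    for row in find_offenders(SAMPLE_LOG):
        print(row)
```

These log entries depend on log_errors, error_log and an error_reporting level that includes warnings; display_errors only controls output to the browser and is not needed for the log to fill.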


 Post subject: Re: Access denied for user 'apache'@'localhost' (using passw
Posted: Wed Mar 13, 2013 11:32 am
Forum Regular

Joined: Tue Aug 01, 2006 2:45 pm
Posts: 447
Location: Netherlands
It appears you are using Plesk. This means that PHP errors are logged correctly by default to the domain's error_log. I am not sure why you manually had to create a log file and alter PHP settings, but this does not fit within a standard setup.

To clarify: for other users with a standard Plesk setup: no configuration action is needed from your end, just check the error_log files.

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: Access denied for user 'apache'@'localhost' (using passw
Posted: Wed Mar 13, 2013 11:38 am
Forum Regular

Joined: Mon Oct 29, 2007 6:51 pm
Posts: 644
Yes, I use Plesk, and no, nothing was logged to the domain's error log, as I previously mentioned. These steps were necessary for me to find the culprit. If other users don't need to do these steps to find the person then that's great, they probably won't be looking for how to find them. If they do need to, that's why I posted the steps.

