When I check the mysql query logs on our BSD server, I see, repeated again and again:
111123 8:23:11 4478 Connect Access denied for user 'Neohoo'@'localhost' (using password: YES)
4479 Connect Access denied for user 'root'@'localhost' (using password: NO)
I shut off outside access by adding the skip-networking option and restarting mysql:
cat /etc/my.cnf
[mysqld]
# The MySQL server
skip-innodb
max_connections=30
skip-networking
set-variable=local-infile=0
And verified by:
telnet bsdServer.com 3306
telnet: Unable to connect to remote host
MySQL is used with a legacy PHP application. I considered it could be an SQL injection attack, but I am at a loss to find which section of the program. The mysql query logs do not show an IP address or any more useful data.
Any suggestions appreciated.
But these users are connecting from localhost – i.e. not across the network.
Yes they do:
Some client running on the machine is trying to connect.
If this machine is running a PHP webserver, particularly one facing the internet, you most likely have a PHP code injection issue. Try cross-referencing the timestamps on the log entries with your webserver access_log. If you've got the mysql client available on the machine, ensure that your webserver uid can't run it.
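The timestamp cross-referencing suggested in the answer above, as an added example that is not part of the original thread: it pairs each denied MySQL connect with the web requests logged within a few seconds of it. It assumes Apache common/combined log format and that both logs use the same local time; the function names, the access_log lines, their IP addresses and paths are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# MySQL general query log: "YYMMDD H:MM:SS <id> Connect Access denied ...".
# The timestamp is written only when it changes, so it is carried forward.
MYSQL_TS = re.compile(r"^(\d{6})\s+(\d{1,2}:\d{2}:\d{2})\s")
DENIED = re.compile(r"Connect\s+Access denied for user '([^']*)'@'([^']*)'")
# Assumed Apache common/combined format: host ident user [time] "request" status
ACCESS = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

def denied_connects(lines):
    """Return (timestamp, user) for every denied connection attempt."""
    current, events = None, []
    for line in lines:
        m = MYSQL_TS.match(line)
        if m:
            current = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%y%m%d %H:%M:%S")
        d = DENIED.search(line)
        if d and current:
            events.append((current, d.group(1)))
    return events

def web_requests(lines):
    """Return (timestamp, client_ip, request) for each parsable access_log line."""
    out = []
    for line in lines:
        m = ACCESS.match(line)
        if m:  # UTC offset dropped: assumes both logs use the same local time
            ts = datetime.strptime(m.group(2).split()[0], "%d/%b/%Y:%H:%M:%S")
            out.append((ts, m.group(1), m.group(3)))
    return out

def correlate(mysql_lines, access_lines, window=2):
    """Pair each denied connect with web requests within `window` seconds."""
    reqs, delta = web_requests(access_lines), timedelta(seconds=window)
    return [(ts, user, ip, req)
            for ts, user in denied_connects(mysql_lines)
            for rts, ip, req in reqs if abs(rts - ts) <= delta]

# Constructed sample input: the two log entries from the question, plus
# made-up access_log lines (documentation IPs, hypothetical paths).
MYSQL_SAMPLE = [
    "111123  8:23:11  4478 Connect  Access denied for user 'Neohoo'@'localhost' (using password: YES)",
    "                 4479 Connect  Access denied for user 'root'@'localhost' (using password: NO)",
]
ACCESS_SAMPLE = [
    '203.0.113.7 - - [23/Nov/2011:08:23:10 +0000] "GET /app/page.php?id=7 HTTP/1.1" 200 512',
    '198.51.100.4 - - [23/Nov/2011:08:40:02 +0000] "GET /index.php HTTP/1.1" 200 1024',
]
```

Calling `correlate()` on the lines of the two real log files returns one tuple per match; a script path that keeps turning up next to the denied connects is the place to start reviewing the PHP code.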