MySQL super user called Sneaky?

What is this interesting user in the MySQL users? I deleted it immediately because I never allowed super users.

Hi dss

Please can I ask where you saw it, and on which DB, i.e. version 4 or version 5?

I’ll check my test server and let you know

Many thanks

John

In the users of the localhost databases (not the IW ones).
version: 5.1.73

Hi dss

Sorry, I cannot see sneaky or any user with GRANT except root and iworx.

I checked on 2 different servers, test and production.

Did you take note of the DB it was associated with, and have you checked your MySQL logs for any help in identifying when it was created?

I hope that helps and thanks for the early heads up

Many thanks

John

Fortunately, only one account uses a MySQL database (all the others use PostgreSQL). I didn’t find any information in the log file. Is there any log file in addition to /var/log/mysqld.log?

Hi dss

To be honest, I’m not too sure, and it’s late here; sorry, I’m just going to have a long cold beer.

I’ll check tomorrow though, as we have hundreds of DBs and users, so I’ll check a few user accounts to see what rights have been assigned, as all I did was check for the GRANT right.

It is strange though.

Many thanks

John

Thank you very much! As I remember, I last used MySQL on 8th January; the user was created after that.
I think I follow you; I have beer in my fridge :smiley:

Hi dss

I hope you enjoyed your beer.

I have checked some users at random and all looks good with no superuser accounts.

I do not think there are any logs apart from the MySQL log created in /var/log, but I could be wrong, sorry.

I was thinking, though: to create a superuser account you would need to do this from root or the master MySQL user, so I would advise you to change your master MySQL password immediately: NodeWorx, Server Settings, MySQL, Overview, and change the MySQL password.

It might also be a good idea to change the root password and any other superuser Linux password.

I’m sure you have done this already, but it’s strange how you had a MySQL user created or upgraded to superuser.

Lastly, have you got rkhunter and maldetect installed?

I hope that helps a little, but as I said, I’m sure you have taken appropriate steps.

Many thanks

John

Hi John,

I didn’t find any other log file. Yes, I changed the passwords yesterday. Maldet runs every 10 minutes. We don’t host Joomla, WordPress or any popular CMS, and as I said, only a very small account (200MB) uses MySQL to store and edit “static” content with CKEditor.

I’ll install rkhunter later today. I think I’ll write a small script to send an alert if a superuser is created.

UPDATE:
rkhunter and maldet didn’t find anything (Only ClamAV-Test-Files).
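The "small script to send an alert if a superuser is created" mentioned above, and John's point that only root or the master MySQL user could have added such an account, both come down to periodically auditing mysql.user. The following is an added example written for this thread; it is not code from the thread, from InterWorx, or from Maldet/rkhunter. It assumes the MySQL 5.1-era layout of mysql.user (a Password column plus the Super_priv, Grant_priv and Create_user_priv enums, matching the 5.1.73 version posted), the stock mysql CLI in batch mode, and client credentials in ~/.my.cnf so no password appears on the command line. The allow-list of admin accounts (root and iworx) and the `--live` switch are this example's own choices. The sample output embedded in the block is constructed, and the hash strings in it are placeholders rather than real password hashes.

```python
#!/usr/bin/env python3
"""Audit mysql.user for unexpected privileged or passwordless accounts.

Added example for this thread, not code from the thread or from InterWorx.
Assumptions: the MySQL 5.1-era mysql.user layout (a Password column plus
Super_priv / Grant_priv / Create_user_priv enums), the stock `mysql` CLI on
PATH, and client credentials supplied via ~/.my.cnf so no password is passed
on the command line.
"""
import subprocess
import sys
from typing import Dict, List, Tuple

# Columns in the exact order AUDIT_SQL returns them.
COLUMNS = ("User", "Host", "Password", "Super_priv", "Grant_priv", "Create_user_priv")
AUDIT_SQL = "SELECT " + ", ".join(COLUMNS) + " FROM mysql.user"

# Accounts allowed to hold SUPER / GRANT OPTION / CREATE USER. The thread's
# hosts expect only root and iworx; adjust this for your own server.
ALLOWED_ADMINS = {"root", "iworx"}

Finding = Tuple[str, str]  # (user@host, reason)


def parse_batch_output(text: str) -> List[Dict[str, str]]:
    """Parse `mysql --batch --skip-column-names` output: one tab-separated row per line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            raise ValueError(f"unexpected column count in row: {line!r}")
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def audit(rows: List[Dict[str, str]]) -> List[Finding]:
    """Flag accounts that are unexpectedly privileged, passwordless, or open to any host."""
    findings: List[Finding] = []
    for r in rows:
        acct = f"{r['User']}@{r['Host']}"
        unexpected = r["User"] not in ALLOWED_ADMINS
        if unexpected and r["Super_priv"] == "Y":
            findings.append((acct, "has SUPER"))
        if unexpected and r["Grant_priv"] == "Y":
            findings.append((acct, "has GRANT OPTION"))
        if unexpected and r["Create_user_priv"] == "Y":
            findings.append((acct, "can CREATE USER"))
        if r["Password"] == "":
            findings.append((acct, "has an empty password"))
        if r["Host"] == "%":
            findings.append((acct, "accepts connections from any host"))
    return findings


def fetch_rows() -> List[Dict[str, str]]:
    """Run AUDIT_SQL through the mysql CLI in batch mode and parse the result."""
    out = subprocess.run(
        ["mysql", "--batch", "--skip-column-names", "--execute", AUDIT_SQL],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_batch_output(out)


# Constructed sample of batch-mode output (not captured from any poster's
# server); the hash strings are placeholders, not real password hashes.
SAMPLE_OUTPUT = "\n".join([
    "root\tlocalhost\t*9B5E8F6A2C1D4E7F0A3B6C9D2E5F8A1B4C7D0E3F\tY\tY\tY",
    "iworx\tlocalhost\t*1C2D3E4F5A6B7C8D9E0F1A2B3C4D5E6F7A8B9C0D\tY\tY\tY",
    "sneaky\tlocalhost\t\tY\tY\tY",
    "customer_db\t%\t*0F1E2D3C4B5A69788796A5B4C3D2E1F0A1B2C3D4\tN\tN\tN",
    "longview\tlocalhost\t*4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B1C2D3E\tN\tN\tN",
])


if __name__ == "__main__":
    # From cron: print findings and exit non-zero only when something is wrong,
    # so cron's mail (or a wrapper around the exit status) becomes the alert.
    # `--live` queries the real server; without it the constructed sample is used.
    rows = fetch_rows() if "--live" in sys.argv else parse_batch_output(SAMPLE_OUTPUT)
    problems = audit(rows)
    for acct, reason in problems:
        print(f"ALERT: {acct} {reason}")
    sys.exit(1 if problems else 0)
```

Run it as `python3 mysql_priv_audit.py --live` from a cron entry every few minutes; cron mails any output to the job owner, and the non-zero exit status lets a wrapper raise its own alert. On the constructed sample the script reports sneaky@localhost four times (SUPER, GRANT OPTION, CREATE USER, empty password) and customer_db@% once for the wildcard host, while root and iworx stay quiet because they are on the allow-list. The check only sees the current contents of mysql.user, so it catches an account that exists at scan time; it does not tell you who created it, which is why changing the root and master MySQL passwords, as advised above, still matters.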

I would be so worried if that happened to me… It sounds like someone added it manually, which makes you wonder how or why.

I don’t know. My passwords are 50 characters long, hard to crack. I added only one user manually (with minimal rights) and there is another user created by SiteWorx. As I wrote, only one account uses MySQL. rkhunter and maldet didn’t find anything.
The most annoying thing is that I can’t find anything.
What do you think, is it possible to reach other services with a superuser account?

Hi dss

Upgrading/changing a MySQL user needs to be done after going into MySQL, i.e. logging in to MySQL with mysql -u -p, I believe anyway.

If only access to this account has been compromised, I think you may be alright.

If root access has been compromised, I think it is very bad, and they could have created or changed things, in case it’s uncovered and found to be compromised, to give access back to them.

I do not think the MySQL account is the same as the root account on the server for system-wide access; the MySQL user is only for MySQL.

I know the commands are in the history after SSH and can be viewed; I also think they can be viewed from NodeWorx, but I would need to look to remember where. This may help a little.

On your passwords, I think Evanion posted about password lengths, and the best advice is to keep them to an odd number, due to how they’re attempted to be broken.

Many thanks

John

Fortunately, it’s a very fresh system, installed on 25th October.

As the first step I always change the SSH port immediately (and block 22). As I mentioned, my passwords are strong: 50 characters, random. After finishing the recovery, I always install BFD with very strict rules, banning after 2 mistakes. Maldet runs from cron every 10 minutes. Now checked with rkhunter too.

I checked the SSH history; every command was made by me. Root logins were only made by me and my VPS (I checked the Logwatch logs).

On this server there are only 3 accounts. One is my own, which uses pgsql with prepared statements. One is my friend’s, static. One is my customer’s, who has the MySQL DB. (Earlier I hosted my father’s page, made by me, which of course used prepared statements.)

So it looks like only MySQL was compromised, if it was compromised… I can’t find any evidence; I hope I’m only stupid and don’t remember what I did :smiley:

[QUOTE=dss;27014]Fortunately, it’s a very fresh system, installed on 25th October.

As the first step I always change the SSH port immediately (and block 22). As I mentioned, my passwords are strong: 50 characters, random. After finishing the recovery, I always install BFD with very strict rules, banning after 2 mistakes. Maldet runs from cron every 10 minutes. Now checked with rkhunter too.

I checked the SSH history; every command was made by me. Root logins were only made by me and my VPS (I checked the Logwatch logs).

On this server there are only 3 accounts. One is my own, which uses pgsql with prepared statements. One is my friend’s, static. One is my customer’s, who has the MySQL DB. (Earlier I hosted my father’s page, made by me, which of course used prepared statements.)

So it looks like only MySQL was compromised, if it was compromised… I can’t find any evidence; I hope I’m only stupid and don’t remember what I did :smiley:
[/QUOTE]

Are you running CentOS 6 or another version, or something which uses that or even adds it?

It’s CentOS 6, always up to date.
I made an automatic Joomla installation for a test domain with SimpleScripts, after changing mod_php to suphp. It was alive for only an hour. I don’t think the user was made by it.
Before that I installed Linode’s Longview and created a MySQL user with minimal rights for it. At that time I played in MySQL with copy-pasted queries, but I should remember if I made a user with super rights.

It’s certain nobody logged in via SSH except me.

[QUOTE=dss;27016]It’s CentOS 6, always up to date.
I made an automatic Joomla installation for a test domain with SimpleScripts, after changing mod_php to suphp. It was alive for only an hour. I don’t think the user was made by it.
Before that I installed Linode’s Longview and created a MySQL user with minimal rights for it. At that time I played in MySQL with copy-pasted queries, but I should remember if I made a user with super rights.

It’s certain nobody logged in via SSH except me.[/QUOTE]

That’s mega weird, the MySQL ghost :s

I thought I was going mad; I had that user appear and I’m not sure how either.
I set up a new server with CentOS 6.6 at the start of the new year, installed InterWorx, everything locked down etc., and imported sites from the old server,
went into phpMyAdmin to check databases and users, and noticed the sneaky user.
I could not find how or where this user had been added; I deleted the user, changed all passwords and scanned the server, but nothing showed.

I did get a screen capture before deleting.

The situation was the same here! I don’t have any idea how it could happen.

Oh, I have them too, so it’s not an attack, but I wonder why :s

I have no idea, but a superuser without a password is very strange and dangerous.