Messages - mixedtribute

1
MySQL / Re: phpMyAdmin Bruteforce From 127.0.0.1 ??
« on: December 23, 2022, 02:27:22 AM »
/usr/local/cwpsrv/conf/cwp_services.conf
/usr/local/cwpsrv/conf/cwpsrv.conf

I think these files will be reset with every CWP auto update. Double check to see if your edit is still there after an update. If it's not there anymore, you should look into another way of blocking these attempts WITHOUT editing CWP files.
Thank you for reminding me. When I make changes to system files I typically make the file immutable with chattr +i file but I forgot to do it this time and now you have reminded me  :D.

I advise taking a look into fail2ban and its filters or create a filter in fail2ban that works with these attempts. Fail2ban can be told to read a specific log file and take actions based on the activity going on there.
Remember to change fail2ban's ban method to (So it will work correctly in conjunction with CWP firewall manager):
I will look into it. Thank you!!

2
SSL / Re: SSL on Hostname
« on: December 17, 2022, 05:18:39 AM »
Make sure DNS is configured properly and then use Change Hostname feature.

Example:
Server1 = 123.0.0.4
vps1.mydomain.com = 123.0.0.4
MyDomain.com = 123.0.0.4

Make sure your DNS is configured correctly (vps1.mydomain.com -> 123.0.0.4 and mydomain.com -> 123.0.0.4)
For best results, also configure reverse DNS for your server IP (123.0.0.4 -> vps1.mydomain.com)

Now change hostname. This will update your SSL certificate from self-signed to "official" Let's Encrypt.
(Note: you do not need to make the hostname different, you can keep the same hostname. If your hostname is already "vps1.mydomain.com" you can still use "vps1.mydomain.com" again.)
  • Log in to Server1 CWP via https://123.0.0.4:2087/
  • Use Server Settings - Change Hostname
  • Set New Hostname = vps1.mydomain.com
  • Set Key Size = 4096
  • Set checkmark for all boxes
  • Click Change Hostname

Now you can access https://vps1.mydomain.com without errors

3
Installation / Re: What distro to go for..
« on: December 17, 2022, 05:00:02 AM »
I chose AlmaLinux 8.7 and have been very happy with my choice.

I could be wrong, but I think AlmaLinux is maintained by a nonprofit org; Rocky Linux is maintained by a for-profit group. Make your choice. They are very similar.

4
Attacks are extremely common. The moment your server goes online you can expect to start receiving limitless non-stop attacks. Configure your firewall properly and make sure to keep your software up-to-date and you should be fine. Don't forget to use strong passwords.

5
MySQL / [SOLVED] Re: phpMyAdmin Bruteforce From 127.0.0.1 ??
« on: December 13, 2022, 06:29:21 AM »
I've put the following config into the http{} block of /usr/local/cwpsrv/conf/cwpsrv.conf
Code:
log_format pma '[$time_local] $remote_addr, $http_x_real_ip, $http_x_forwarded_for - "$request" ($status) "$http_user_agent"';
and the following config into the location /pma {} block of /usr/local/cwpsrv/conf/cwp_services.conf
Code:
access_log /usr/local/apache/domlogs/pma-access.log pma;
Note that I've added $http_x_real_ip to the log_format line as /etc/nginx/proxy.inc contains "proxy_set_header X-Real-IP $remote_addr;" and the connections are being proxied (ie: proxy_pass http://127.0.0.1:2031) via /etc/nginx/conf.d/<SERVERIP>.conf (which is why they are showing up as originating from 127.0.0.1 in /var/log/secure)

So now I have a log, specifically for PMA bruteforce attempts, containing the attacker's IP the next time it happens. I can then probably use LFD to automatically block the attack in realtime.

 :)
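
Added example, not part of the original post: a Python example of the detection step the post leaves to LFD, reading lines in the `pma` log_format above and flagging clients that send many login POSTs in a short window. It assumes 127.0.0.1 is the only trusted proxy, so `$http_x_real_ip` is believed only on proxied lines; the threshold, window, function names and sample lines are constructed for the illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Parses the `pma` log_format defined in the post:
# [$time_local] $remote_addr, $http_x_real_ip, $http_x_forwarded_for - "$request" ($status) "$http_user_agent"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<remote>\S+), (?P<real_ip>\S+), (?P<xff>.*?) - '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" \((?P<status>\d{3})\) "(?P<ua>.*)"$'
)

# Assumption: only the local nginx front end proxies to cwpsrv.
TRUSTED_PROXIES = {"127.0.0.1"}


def client_ip(remote, real_ip):
    """Return the address to act on, or None if it cannot be trusted."""
    if remote not in TRUSTED_PROXIES:
        # Direct connection: X-Real-IP is client-supplied here, so ignore it.
        return remote
    try:
        return str(ipaddress.ip_address(real_ip))
    except ValueError:
        return None  # proxied, but header missing ("-") or malformed


def find_bruteforce(lines, max_posts=5, window=timedelta(seconds=60)):
    """Map client IP -> peak number of login POSTs seen inside `window`."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:  # lines are assumed to be in chronological order
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Status is not used: the POSTs in the thread's access log all returned 200.
        if m["method"] != "POST" or not m["path"].startswith("/pma/index.php"):
            continue
        ip = client_ip(m["remote"], m["real_ip"])
        if ip is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > max_posts:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def sample_lines():
    """Constructed log lines (documentation-range IPs), not taken from the thread."""
    fmt = '[13/Dec/2022:06:30:{:02d} -0500] {}, {}, - - "{} HTTP/1.1" (200) "Mozilla/5.0"'
    out = []
    for s in range(7):  # one proxied client: 7 POST/GET pairs in 7 seconds
        out.append(fmt.format(s, "127.0.0.1", "203.0.113.7", "POST /pma/index.php"))
        out.append(fmt.format(s, "127.0.0.1", "203.0.113.7", "GET /pma/index.php?lang=en"))
    for s in (10, 40):  # an admin who mistyped a password once
        out.append(fmt.format(s, "127.0.0.1", "198.51.100.20", "POST /pma/index.php"))
    # Direct hit on the backend carrying a forged X-Real-IP header
    out.append(fmt.format(50, "192.0.2.50", "203.0.113.99", "POST /pma/index.php"))
    return out


if __name__ == "__main__":
    for ip, count in find_bruteforce(sample_lines()).items():
        print(f"{ip} sent {count} login POSTs within 60s")
```

Keying a ban on `$http_x_real_ip` without the trusted-proxy check would let anyone who can reach the backend directly get an arbitrary address blocked.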

6
MySQL / Re: zero
« on: December 12, 2022, 12:34:05 PM »
Too small a community and too many forum sections / subsections, IMO.... But at the same time, I'm kind of surprised because CWP feels like it should be extremely popular. Although, maybe it is "extremely popular" and the majority of users just simply can't be assed to contribute?

7
MySQL / [SOLVED] Re: phpMyAdmin Bruteforce From 127.0.0.1 ??
« on: December 12, 2022, 05:08:38 AM »
The solution dawned on me today when I saw another attack... I found the attacker by cat'ing /usr/local/apache/domlogs/<server-ip>.log
They're using PMA (of course) but the IP is being reported as 127.0.0.1 because nginx is proxy_pass'ing the connection.

cat /usr/local/apache/domlogs/*.log | grep pma
Code:
...
93.86.160.221 - - [11/Dec/2022:23:56:17 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:17 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:18 -0500] "POST /pma/index.php HTTP/1.1" 200 4798 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:18 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4680 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:18 -0500] "POST /pma/index.php HTTP/1.1" 200 4796 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:18 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:18 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:19 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4677 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:19 -0500] "POST /pma/index.php HTTP/1.1" 200 4799 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:19 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:20 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:20 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:20 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:20 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:20 -0500] "POST /pma/index.php HTTP/1.1" 200 4795 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:21 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:21 -0500] "POST /pma/index.php HTTP/1.1" 200 4797 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:21 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:21 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:22 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4677 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:22 -0500] "POST /pma/index.php HTTP/1.1" 200 4796 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:22 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:22 -0500] "POST /pma/index.php HTTP/1.1" 200 4792 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:23 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4680 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:23 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:23 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4679 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:23 -0500] "POST /pma/index.php HTTP/1.1" 200 4799 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:23 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4679 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:24 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:24 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4680 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:24 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:24 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4679 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:25 -0500] "POST /pma/index.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:25 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4680 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:25 -0500] "POST /pma/index.php HTTP/1.1" 200 4801 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
93.86.160.221 - - [11/Dec/2022:23:56:25 -0500] "GET /pma/index.php?lang=en HTTP/1.1" 200 4678 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
...

8
DNS Manager / Re: Slave DNS Server & Manager without ioncube to php7
« on: December 01, 2022, 11:53:05 AM »
bump

9
DNS Manager / Re: AXFR vulnerability/ restrict zone transfer
« on: December 01, 2022, 11:52:29 AM »
Hello,

What is best solution for fixing this?
Atm my named.conf for domain looks like this:

Code:
// zone domain.com
zone "domain.com" {type master; file "/var/named/domain.com.db";};
// zone_end domain.com

Does it need to look like this or is there any other solution?

Code:
acl trusted-servers  {
        ip1;  //ns1
        ip2;  //ns2
};
zone domain.com  {
        type master;
        file "/var/named/domain.com.db";
        allow-transfer { trusted-servers; };
};


Thank you in advance

Yes that looks correct to me. I have done similar in my slave DNS config:
Code:
options {
        allow-query     { any; };
        recursion yes;
        /* mixedtribute - disable VERSION.BIND response
         * https://kb.isc.org/docs/aa-00359 */
        version none;

        /* Slave DNS Config :: https://wiki.centos-webpanel.com/slave-dns-server-manager-download-version */
        allow-transfer { DNSMASTERIP; };
        allow-recursion { DNSMASTERIP; };
        notify yes;
        also-notify { DNSMASTERIP; };
        masterfile-format text;
};
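
One way to check a named.conf for the condition discussed in this thread, as an added example that is not part of the original posts or of CWP: a small Python audit that lists authoritative zones with no allow-transfer restriction at zone or options level, or with one that includes `any`. The zone names other than domain.com, the 192.0.2.x addresses and all function names are assumptions made for the illustration.

```python
import re


def strip_comments(text):
    """Drop /* */, // and # comments (simplification: none inside quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def blocks(text, keyword):
    """Yield (header, body) for each `keyword header { body }` statement."""
    for m in re.finditer(r"\b%s\b([^{;]*)\{" % keyword, text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]


def transfer_acl(body):
    """Return the allow-transfer match list of a block, or None if it has none."""
    m = re.search(r"\ballow-transfer\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def audit(conf):
    """Map zone name -> finding for zones whose transfers are not restricted."""
    conf = strip_comments(conf)
    global_acl = None
    for _, body in blocks(conf, "options"):
        global_acl = transfer_acl(body)
    findings = {}
    for header, body in blocks(conf, "zone"):
        if not header or not re.search(r"\btype\s+(master|primary|slave|secondary)\b", body):
            continue  # hint, forward, stub ... zones are skipped
        name = header.split()[0].strip('"')
        acl = transfer_acl(body)
        if acl is None:
            acl = global_acl  # zone inherits the options-level setting
        if acl is None:
            findings[name] = "no allow-transfer at zone or options level"
        elif "any" in acl:
            findings[name] = "allow-transfer includes any"
    return findings


# Constructed named.conf: the first zone uses the one-line form quoted in the thread;
# the other zone names and the 192.0.2.x addresses are placeholders.
SAMPLE_CONF = '''
options {
        allow-query { any; };
        version none;  /* https://kb.isc.org/docs/aa-00359 */
};
acl trusted-servers { 192.0.2.1; 192.0.2.2; };
// zone domain.com
zone "domain.com" {type master; file "/var/named/domain.com.db";};
// zone_end domain.com
zone "example.net" {
        type master;
        file "/var/named/example.net.db";
        allow-transfer { trusted-servers; };
};
zone "example.org" {type master; file "/var/named/example.org.db"; allow-transfer { any; };};
zone "." IN { type hint; file "named.ca"; };
'''

if __name__ == "__main__":
    for zone, problem in audit(SAMPLE_CONF).items():
        print(f"{zone}: {problem}")
```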

10
MySQL / phpMyAdmin Bruteforce From 127.0.0.1 ??
« on: September 30, 2022, 07:33:39 AM »
I have paid for 10x CWP Pro licenses and I am the only user of my servers but I occasionally see this in /var/log/secure:

Code:
....
Sep 29 06:04:27 tiberion phpMyAdmin[122141]: user denied: dev (mysql-denied) from 127.0.0.1
Sep 29 06:04:29 tiberion phpMyAdmin[122141]: user denied: blog (mysql-denied) from 127.0.0.1
Sep 29 06:04:30 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:31 tiberion phpMyAdmin[122141]: user denied: nas (mysql-denied) from 127.0.0.1
Sep 29 06:04:34 tiberion phpMyAdmin[122141]: user denied: wordpress (mysql-denied) from 127.0.0.1
Sep 29 06:04:34 tiberion phpMyAdmin[122141]: user denied: root (empty-denied) from 127.0.0.1
Sep 29 06:04:35 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:36 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:36 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:37 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:38 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:38 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:39 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:40 tiberion phpMyAdmin[122141]: user denied: db (mysql-denied) from 127.0.0.1
Sep 29 06:04:54 tiberion phpMyAdmin[122141]: user denied: wordspress (mysql-denied) from 127.0.0.1
Sep 29 06:04:54 tiberion phpMyAdmin[122141]: user denied: shopdb (mysql-denied) from 127.0.0.1
Sep 29 06:04:55 tiberion phpMyAdmin[122141]: user denied: blog (mysql-denied) from 127.0.0.1
Sep 29 06:04:56 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:56 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:04:57 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:58 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:58 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:04:59 tiberion phpMyAdmin[122141]: user denied: database (mysql-denied) from 127.0.0.1
Sep 29 06:04:59 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:00 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:01 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:01 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:02 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:03 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:03 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:04 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:05:05 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:05 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:05:06 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:06 tiberion phpMyAdmin[122141]: user denied: pma (mysql-denied) from 127.0.0.1
Sep 29 06:05:07 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:08 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:05:08 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:09 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:10 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:10 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:11 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:12 tiberion phpMyAdmin[122141]: user denied: dbs (mysql-denied) from 127.0.0.1
Sep 29 06:05:12 tiberion phpMyAdmin[122141]: user denied: wordpress (mysql-denied) from 127.0.0.1
Sep 29 06:05:13 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:14 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:14 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:15 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:05:15 tiberion phpMyAdmin[122141]: user denied: user (mysql-denied) from 127.0.0.1
Sep 29 06:05:16 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:17 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:17 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:18 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:19 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:19 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:20 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:21 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:21 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:22 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:05:22 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:23 tiberion phpMyAdmin[122141]: user denied: nas (mysql-denied) from 127.0.0.1
Sep 29 06:05:24 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:24 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:25 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:26 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:26 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:27 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:28 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:28 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:29 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:30 tiberion phpMyAdmin[122141]: user denied: wordpress (mysql-denied) from 127.0.0.1
Sep 29 06:05:30 tiberion phpMyAdmin[122141]: user denied: wordpress (mysql-denied) from 127.0.0.1
Sep 29 06:05:31 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:31 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:32 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:33 tiberion phpMyAdmin[122141]: user denied: wp (mysql-denied) from 127.0.0.1
Sep 29 06:05:33 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:34 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:35 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:35 tiberion phpMyAdmin[122141]: user denied: dev (mysql-denied) from 127.0.0.1
Sep 29 06:05:36 tiberion phpMyAdmin[122141]: user denied: wp (mysql-denied) from 127.0.0.1
Sep 29 06:05:37 tiberion phpMyAdmin[122141]: user denied: shopdb (mysql-denied) from 127.0.0.1
Sep 29 06:05:37 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
Sep 29 06:05:38 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:38 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:39 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:40 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:40 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:41 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:42 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:42 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:43 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:44 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:44 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:45 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:45 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:46 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:47 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:47 tiberion phpMyAdmin[122141]: user denied: wp (mysql-denied) from 127.0.0.1
Sep 29 06:05:48 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:49 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:49 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:50 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:51 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:51 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:52 tiberion phpMyAdmin[122141]: user denied: sql (mysql-denied) from 127.0.0.1
Sep 29 06:05:53 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:53 tiberion phpMyAdmin[122141]: user denied: root (mysql-denied) from 127.0.0.1
Sep 29 06:05:54 tiberion phpMyAdmin[122141]: user denied: admin (mysql-denied) from 127.0.0.1
....

At first I thought my server may have been compromised, but I do not think it is compromised because I see these failed login attempts on all of my servers occasionally. I have recently re-installed CWP. My systems are fully up-to-date as well.... I do not have anyone else using my servers.

When I try to replicate the issue using incorrect password on https://tiberion.mydomain.com:2087/pma I see this:
Code:
Sep 30 02:25:41 tiberion phpMyAdmin[1199600]: user denied: root (mysql-denied) from X.X.X.X
X.X.X.X is my home IP address .....

How am I seeing failed login attempts from 127.0.0.1?? I am the ONLY user of my servers, no customers, no one else uses the servers.
