skip to Main Content

Using AWS Linux 2, on my wp site this error "Error establishing a database connection", I believe I was hacked via the wp blog page and the entire site is disabled. Using MySQL:

$ sudo systemctl start mysqld
Job for mysqld.service failed because the control process exited with error code. See "systemctl status mysqld.service" and "journalctl -xe" for details.

At first didn’t realize that I needed to run those two commands in the CLI. Here is the output for systemctl status mysqld.service -l:

$ systemctl status mysqld.service -l
● mysqld.service - MySQL Server
   Loaded: loaded (/usr/lib/systemd/system/mysqld.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2022-02-13 21:00:30 UTC; 6h ago
     Docs: man:mysqld(8)
           http://dev.mysql.com/doc/refman/en/using-systemd.html
  Process: 19959 ExecStart=/usr/sbin/mysqld $MYSQLD_OPTS (code=exited, status=1/FAILURE)
  Process: 19926 ExecStartPre=/usr/bin/mysqld_pre_systemd (code=exited, status=0/SUCCESS)
 Main PID: 19959 (code=exited, status=1/FAILURE)
   Status: "Server startup in progress"
    Error: 13 (Permission denied)

Feb 13 21:00:30 ip-172-31-91-154.ec2.internal mysqld[19959]: 2022-02-13T21:00:30.730728Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.28) starting as process 19959
Feb 13 21:00:30 ip-172-31-91-154.ec2.internal mysqld[19959]: 2022-02-13T21:00:30.734108Z 0 [Warning] [MY-010091] [Server] Can't create test file /var/lib/mysql/mysqld_tmp_file_case_insensitive_test.lower-test
Feb 13 21:00:30 ip-172-31-91-154.ec2.internal mysqld[19959]: 2022-02-13T21:00:30.734121Z 0 [Warning] [MY-010159] [Server] Setting lower_case_table_names=2 because file system for /var/lib/mysql/ is case insensitive
Feb 13 21:00:30 ip-172-31-91-154.ec2.internal mysqld[19959]: 2022-02-13T21:00:30.734720Z 0 [ERROR] [MY-010187] [Server] Could not open file '/var/log/mysqld.log' for error logging: Permission denied
Feb 13 21:00:30 ip-172-31-91-154.ec2.internal mysqld[19959]: 2022-02-13T21:00:30.736749Z 0 [ERROR] [MY-010119] [Server] Aborting
Feb 13 21:00:30 ip-172-31-91-154.ec2.internal mysqld[19959]: 2022-02-13T21:00:30.736912Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.28)  MySQL Community Server - GPL.
Feb 13 21:00:30 ip-172-31-91-154.ec2.internal systemd[1]: mysqld.service: main process exited, code=exited, status=1/FAILURE
Feb 13 21:00:30 ip-172-31-91-154.ec2.internal systemd[1]: Failed to start MySQL Server.
Feb 13 21:00:30 ip-172-31-91-154.ec2.internal systemd[1]: Unit mysqld.service entered failed state.
Feb 13 21:00:30 ip-172-31-91-154.ec2.internal systemd[1]: mysqld.service failed.

and running journalctl -xe -l:

Feb 14 03:17:27 ip-172-31-91-154.ec2.internal sshd[29726]: Excess permission or bad ownership on file /var/lo
Feb 14 03:17:27 ip-172-31-91-154.ec2.internal sshd[29726]: Received disconnect from 81.70.242.147 port 43604:
Feb 14 03:17:27 ip-172-31-91-154.ec2.internal sshd[29726]: Disconnected from 81.70.242.147 port 43604 [preaut
Feb 14 03:17:41 ip-172-31-91-154.ec2.internal sshd[29728]: Connection closed by 104.243.26.5 port 46890 [prea
Feb 14 03:18:06 ip-172-31-91-154.ec2.internal sshd[29730]: Invalid user yw from 82.196.5.221 port 47008
Feb 14 03:18:06 ip-172-31-91-154.ec2.internal sshd[29730]: Excess permission or bad ownership on file /var/lo
Feb 14 03:18:06 ip-172-31-91-154.ec2.internal sshd[29730]: input_userauth_request: invalid user yw [preauth]
Feb 14 03:18:06 ip-172-31-91-154.ec2.internal sshd[29730]: pam_unix(sshd:auth): check pass; user unknown
Feb 14 03:18:06 ip-172-31-91-154.ec2.internal sshd[29730]: pam_unix(sshd:auth): authentication failure; logna
Feb 14 03:18:08 ip-172-31-91-154.ec2.internal sshd[29730]: Failed password for invalid user yw from 82.196.5.
Feb 14 03:18:08 ip-172-31-91-154.ec2.internal sshd[29730]: Excess permission or bad ownership on file /var/lo
Feb 14 03:18:08 ip-172-31-91-154.ec2.internal sshd[29730]: Received disconnect from 82.196.5.221 port 47008:1
Feb 14 03:18:08 ip-172-31-91-154.ec2.internal sshd[29730]: Disconnected from 82.196.5.221 port 47008 [preauth
Feb 14 03:18:15 ip-172-31-91-154.ec2.internal sshd[29732]: Invalid user server from 120.53.121.152 port 59070
Feb 14 03:18:15 ip-172-31-91-154.ec2.internal sshd[29732]: Excess permission or bad ownership on file /var/lo
Feb 14 03:18:15 ip-172-31-91-154.ec2.internal sshd[29732]: input_userauth_request: invalid user server [preau
Feb 14 03:18:15 ip-172-31-91-154.ec2.internal sshd[29732]: pam_unix(sshd:auth): check pass; user unknown
Feb 14 03:18:15 ip-172-31-91-154.ec2.internal sshd[29732]: pam_unix(sshd:auth): authentication failure; logna
Feb 14 03:18:18 ip-172-31-91-154.ec2.internal sshd[29732]: Failed password for invalid user server from 120.5
Feb 14 03:18:18 ip-172-31-91-154.ec2.internal sshd[29732]: Excess permission or bad ownership on file /var/lo
Feb 14 03:18:19 ip-172-31-91-154.ec2.internal sshd[29732]: Received disconnect from 120.53.121.152 port 59070
Feb 14 03:18:19 ip-172-31-91-154.ec2.internal sshd[29732]: Disconnected from 120.53.121.152 port 59070 [preau
Feb 14 03:18:27 ip-172-31-91-154.ec2.internal dhclient[2827]: XMT: Solicit on eth0, interval 111530ms.

I tried removing the db and reinstalling but this did not make any difference.

2

Answers


  1. Chosen as BEST ANSWER

    Deleting the ec2 instance and starting over was the direction I took. Still no idea of what caused the error however am double checking security holes and patching up. Thanks everyone for responding.

    best


  2. the issue is this line:

     [ERROR] [MY-010187] [Server] Could not open file '/var/log/mysqld.log' for error logging: Permission denied
    

    Which is supported by this error message:
    access forbidden by rule

    So the issue is permissions to the /var/log/mysqld.log file. What is needed is to create permissions for mysql to access this file – running this command with a server reboot solved this issue:

    $ sudo chown mysql:mysql /var/log/mysqld.log
    
    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search