[BlueOnyx:03751] Re: Tips for tracking down rogue mysql connection use?

Chuck Tetlow chuck at tetlow.net
Mon Mar 1 23:42:58 -05 2010


> Hi all, 
> 
> It never rains, then it pours! 
> 
> Had a situation today where sites on one BX box suddenly reported their MySQL as being down. A quick look into BX admin showed me that MySQL was indeed up - however on going to PHPMyAdmin - I get a red 'Too Many Connections' error. 
> 
> First time this has happened. I checked inbound traffic, nothing special - and not really much load on the server. 
> 
> My first initial theory is that perhaps someone / something ran a DB script externally, perhaps a DOS or something. 
> 
> So I'm after any clues on how best to figure out exactly what is using MySQL connections if it happens again. 
> 
> The MySQL log doesn't tell me much, and the Netstat shows me the connections, but not what is actually using them. 
> 
> Any ideas? 
> 
> Cheers, 
> 
> Jeff

Use "netstat -nap".  The "n" is for numeric, "a" is for all, but the "p" shows the process owner.  It will show you the process/program that is using each network connection.  And the "a" means it will show you both listening and non-listening sockets.  It is a wide output, so use a big screen or it wraps and is hard to read.

If you see something suspicious - use "fuser -vn (proto) (port)" filling in the protocol tcp/udp and the port number.  That command will show you WHO opened a particular port.  This is extremely helpful if someone has root'ed your system and opened a back door.  You can find out what user opened the back door, kill everything from that user, and delete that user. 

But if you just want to kill that particular suspicious process - use "fuser -kn (proto) (port)".

Chuck
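
An added example, not part of Chuck's message or the original thread: a shell function that reads "netstat -nap" output and counts established MySQL connections per local client process or remote peer. It assumes MySQL listens on TCP port 3306; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `netstat -nap` output on stdin and counts ESTABLISHED
# TCP connections to MySQL, grouped by local client process or remote peer.
# Assumption: MySQL listens on TCP 3306 (pass another port as $1).
# Clients using the unix socket are not TCP rows and are not counted.

mysql_conn_summary() {
    port="${1:-3306}"
    awk -v port="$port" '
        $1 !~ /^tcp/ || $6 != "ESTABLISHED" { next }   # headers, udp, unix, LISTEN
        {
            lip = $4; lport = $4; fip = $5; fport = $5
            sub(/:[^:]*$/, "", lip); sub(/^.*:/, "", lport)   # split addr:port
            sub(/:[^:]*$/, "", fip); sub(/^.*:/, "", fport)
            if (fport == port) {
                count["local " $7]++      # client end: $7 is PID/Program name
            } else if (lport == port && lip != fip) {
                count["remote " fip]++    # server end of an off-host client
            }
            # The server end of a same-host connection is skipped because
            # its client end was already counted above.
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample output (documentation-range addresses, made-up PIDs).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address    State       PID/Program name
tcp        0      0 0.0.0.0:3306     0.0.0.0:*          LISTEN      2101/mysqld
tcp        0      0 127.0.0.1:3306   127.0.0.1:48812    ESTABLISHED 2101/mysqld
tcp        0      0 127.0.0.1:48812  127.0.0.1:3306     ESTABLISHED 3344/httpd
tcp        0      0 127.0.0.1:3306   127.0.0.1:48813    ESTABLISHED 2101/mysqld
tcp        0      0 127.0.0.1:48813  127.0.0.1:3306     ESTABLISHED 3344/httpd
tcp        0      0 127.0.0.1:3306   127.0.0.1:48900    ESTABLISHED 2101/mysqld
tcp        0      0 127.0.0.1:48900  127.0.0.1:3306     ESTABLISHED 4410/perl
tcp        0      0 192.0.2.10:3306  203.0.113.7:51000  ESTABLISHED 2101/mysqld
tcp        0      0 192.0.2.10:3306  203.0.113.7:51001  ESTABLISHED 2101/mysqld
tcp        0      0 192.0.2.10:3306  203.0.113.7:51002  ESTABLISHED 2101/mysqld
tcp        0      0 192.0.2.10:22    198.51.100.4:40022 ESTABLISHED 900/sshd
EOF
}

sample_netstat | mysql_conn_summary
```

On a live box the input would be "netstat -nap | mysql_conn_summary", run as root so the PID/Program column is filled in for processes owned by other users.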

 