I'm having a problem completely understanding some audit.log messages I've been seeing. There are several thousand messages being generated per minute from my user account (ldap) and from the root account. The messages are open system calls that are resulting in failures. Since this activity is on another network I'll do my best to summarize what I'm seeing:
type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=no exit=-13
**the ppid and pid keeps changing
**the auid is either "0" or "10481", which is my ldap account
**the uid, gid, euid, suid, fsuid, egid, sgid, and fsgid are all the same "group" id. ses=103575 comm="mysql" exe="/usr/bin/mysql"
type=CWD msg=audit(1234874638.599:5207): cwd=
type=PATH msg=audit(1234874638.599:5207): item=0 name="/etc/host.conf"
So basically it looks like my user account and the root account are the culprits. It appears that I attempted to log in to mysql, but it failed (as evidenced by the passing of the /etc/host.conf file to mysql) because I used the wrong credentials. What I don't understand is why thousands of logs are being generated. I ran ps -ef looking for mysql or a script of some sorts, but found nothing. I checked crontab and crond, but couldn't find anything that I nor root would be running that would cause this. Besides, how in the world would thousands of login attempts to mysql be made per minute? I also ran some lsof commands to try and find any mysql libraries that were open. I even looked at all ssh connections from other nodes on the network from my account but all I could find was my current connection.
I'm not sure how to kill this thing, especially since the pid and ppid keeps changing. Is there anyway to leverage the use of the "ses" (session ID) to track this thing down and stop it? Is there something else I could try?
I hope someone can help me out!