Worm Hits Windows Machines Running MySQL
UnderAttack writes "A report on the Australian whirlpool forum suggests that a worm is currently taking out MySQL servers running on Windows. We have seen this happen with MSSQL before (not just 'Slammer', but also SQLSnake that used SA accounts without password). The SANS Internet Storm Center suggests that a rise in port 3306 scans can be attributed to the new worm, and is asking for observations to help figure this out. It appears the worm creates a file called 'spoolcll.exe'."
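As an added illustration of the ISC observation above (example code written for this page, not from the ISC or the submitter): a small Python pass over firewall drop logs that separates a horizontal port 3306 scan (one source probing many hosts) from ordinary background noise, and gives the per-port count ISC would report. The log lines are constructed in netfilter LOG-target style, and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges, not observed scanners.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter/iptables LOG-target style; they are
# made up for this example, not real captures from the thread.
SAMPLE_FIREWALL_LOG = """\
Jan 25 18:50:01 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4211 DPT=3306
Jan 25 18:50:01 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.6 PROTO=TCP SPT=4212 DPT=3306
Jan 25 18:50:02 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=4213 DPT=3306
Jan 25 18:50:02 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.8 PROTO=TCP SPT=4214 DPT=3306
Jan 25 18:50:03 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP SPT=4215 DPT=3306
Jan 25 18:50:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=33001 DPT=3306
Jan 25 18:50:04 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=33002 DPT=3306
Jan 25 18:50:04 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.20 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80
Jan 25 18:50:05 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=1025 DPT=1433
"""

# Only the fields the analysis needs; SPT is optional because not every
# logger prints it.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)\s+PROTO=(?P<proto>\w+)"
    r"(?:\s+SPT=\d+)?\s+DPT=(?P<dport>\d+)"
)


def parse_lines(text):
    """Yield (src, dst, proto, dport) for every line the regex understands."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dport"])


def find_3306_scanners(text, port=3306, min_targets=3):
    """Return {src: sorted distinct targets} for sources that probed `port`
    on at least `min_targets` distinct destinations (a horizontal scan).
    A single host retrying one server is not a scan and is left out."""
    targets = defaultdict(set)
    for src, dst, proto, dport in parse_lines(text):
        if proto == "TCP" and dport == port:
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


def hits_per_port(text):
    """Total TCP probes per destination port, the aggregate view ISC publishes."""
    counts = defaultdict(int)
    for _, _, proto, dport in parse_lines(text):
        if proto == "TCP":
            counts[dport] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, dsts in find_3306_scanners(SAMPLE_FIREWALL_LOG).items():
        print(f"{src} probed {len(dsts)} hosts on 3306: {', '.join(dsts)}")
    print(hits_per_port(SAMPLE_FIREWALL_LOG))
```

Run against a real log, `min_targets` is the knob: a source that touches three or more of your addresses on 3306 in a short span is worth reporting to ISC/DShield, while the per-port totals alone cannot tell a scan from a misconfigured client.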
Solid reliability, transaction support, and a good security track record. Probably the best thing short of switching to an AS/400.
We have seen this happen with MSSQL before.
it was a news with a slamming facts in it
What is the SANS institute?
The SANS (SysAdmin, Audit, Network, Security) Institute provides information security training and certification. For more information, visit www.sans.org
What's an SA account?
The system administrator (SA) account is similar to the DBO except it is for the entire server. It has the same access and permissions as the DBO on all the databases in the server.
DBO account???
The DBO User Account The database owner (DBO) is the administrator for the database. It has full access to all operations and rights.
SQL Snake is an Internet worm that scans for open Microsoft SQL 7 (MSSQL) and 2000 servers - which run on TCP Port 1433 by default. The worm attempts to log into the System Administrator (SA) account with no password. If successful, the worm downloads and hides some files and grabs system configuration and account names.
Before the MySQL bashers start, it should be noted that this is not a problem with MySQL.
From the article:
This bot does not use any vulnerability in mysql. The fundamental weakness it uses is a weak 'root' account. The following mitigation methods will prevent exploitation:
Strong Password: Select a strong password, in particular for the 'root' account.
Restricted root account: Connections for any account can be limited to certain hosts in MySQL. This is in particular important for 'root'. If possible, 'root' should only be allowed to connect from the local host. MySQL will also allow you to force connections to use mysql's own SSL connection option.
Apply firewall rules: MySQL servers should not be exposed to the "wild outside". Block port 3306 and only allow access from selected hosts that require such access. Again, the use of ssh forwarding or SSL is highly recommended.
To be clear, this is a Windows MySQL worm.
-Peter
... it's always first with 3-week-old news. The virus was reported on January 5th.
MySQL does not come with windows, you have to download it and install it, and if you are downloading it and installing it then you obviously have a reason to use it, and are more likely to set an actual password.
Just three more hours seapeople and you can finally take me away from this crappy God Damned planet full of hippies
A hole in a program that communicates to the database and is accessible from the outside world would be a much more serious flaw I would imagine.
Game! - Where the stick is mightier than the sword!
Don't laugh - it happens. MSSQL is 'spensive, and for an all-windows environment that needs a database - MySQL wins the prize.
/took your comment too seriously
Admins in an environment that denies them to use something else.
Mostly web developers I think. I used to run the windows version of mysql before I moved my desktops to slackware.
GETPKG - Package Management for Slackware
People who use windows for other things, and don't want to pay for the MSSQL license. You'd be surprised, there are several people I know who use this, just because they are lazy and cheap.
What does a vulnerability in mySQL have to do with MSSQL? Or are you blaming Microsoft for a mySQL worm because it wouldn't be /. any other way?
Only because people don't know about Firebird.
Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
Well, Apache, PHP and MySQL run just fine in Windows. Many people run Linux on servers, but Windows on Developer desktops (which then have Apache, php and mysql installed).
---- join dshield.org Distributed Intrusion Detec
Do you realize how much of a pain it was to get postgres working on Windows until fairly recently?
Come again?
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Actually we have seen this before with MySQL in the beginning of 2003:
SELECT INTO outfile was buggy up to 3.23.55
My test server was compromised at 18:50 yesterday.
When I got back to my machine at 19:20, I cleaned it down and found out what was happening.
I kept all the firewall logs etc. and have archived the executable and DLL files dropped.
One into the mysql data folder (app_result.dll), and the executable spoolcll.exe was dropped into windows.
Only now that I've gone into the archive folder has Norton picked it up and archived it (it had shut down/run the QConsole.exe NAV application to ensure Norton didn't find it, or it just wasn't in the definitions yesterday).
It's been detected as w32.Spybot.worm (http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html).
liqbase
What is going to soak up more of the Internet's bandwidth ? A MySQL worm port scanning every IP in existance, or a gigantic mob of Slashdotters flaming Microsoft because it only affects Windows machines ? And will either of them even come close to breaking the current record held by BitTorrent Porn ?
For the stirring conclusion, stay tuned to Netcraft: As the Internet turns...
--LordPixie
It's a bot. ISC said that it requires someone to initiate the scanning.
I wonder why Microsoft doesn't just decide to build a new OS from scratch that will only run its own software and be very limited but only do one thing good. It doesn't surprise me every time an exploit appears for programs or OS's nowadays since no one tries to make their stuff secure. Even OpenBSD doesn't do enough. They need to start with more limits and be less user friendly when you are doing something like database software.
Just a few minutes ago, Sygate Personal Firewall alerted me to several portscans on my system.
I am running mySQL 4.0.x...
I guess it's time to see what's going on.
I do keep all ports closed, all mySQL passwords are secure, no remote access to mySQL. It's just for dev purposes.
Not sure if there is a connection, but I'm going to look into it.
In Linux, by default in a lot of distributions, being able to connect from the network is disabled in MySQL, or it sets the root password as the PHP password, so the risk of that kind of worm (well, for systems that don't have even a basic firewall configured) is pretty low.
the Snake... Not the new worm. I remember how much of a pain Slammer was, I'm glad I don't admin SQL servers anymore!
Man if I had known that this software was vulnerable to worms I would never have bought it.
Us. I just inherited our electronic portfolio system, which runs Apache/Tomcat/MySQL on Windows2000. We're mostly a Windows shop, and it runs fine. (Well, sorta fine, but I think that's mostly some problems with the portfolio, not A/T/M.)
"Seven Deadly Sins? I thought it was a to-do list!"
Exactly. There are something like seven developer systems running Windows that have MySQL and a web server on them for webapp development in the section I work for. Then, later, the webapp gets uploaded to a Solaris machine where the users actually use it.
I also have MySQL on my home Windows machine, since that's what my hosting provider offers. So I do some basic testing on Apache on Windows with MySQL as the database backend.
You are in a maze of twisty little relative jumps, all alike.
I use mysql at the web shop I work for. The reason is that we're in the process of moving a legacy ASP application to LAMP, and running both PHP and ASP on the same box was SUPPOSED to be a timesaver by smoothing over the transition. I was against this idea from the beginning, arguing that mysql and php on windows were underdeveloped compared to the linux/unix versions. Now I have a nice 'I told you so' that the managers can understand.
Does this mean MySQL is considered a real DB now?
For both of these, there are exceptional requirements that can negate these general rules, but anyone who has these requirements should know better than to not take exceptional measures to protect the server.
Last time I looked at firebird I seem to recall having an issue with it not recognizing case, which wasn't a good thing.
Besides, MSSQL is fine if you have the money, and now that PostgreSQL is (finally) available as a native app on Windows, there's no reason to run MySQL anymore. I'm sure the MySQL fanboys will label that a troll, but unless all you need to do with your database is run a lot of SELECTs from your blog, MySQL is not a very good solution.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
and now postgres
99.99% of people who run MySQL run it on the same machine as their webserver that queries it. Most people don't actually do queries across the network to the database server.
Just run MySQL with --skip-networking at startup (skip-networking in my.cnf), to disable MySQL from listening on port 3306. I know on most systems, it's probably the default, but in almost all of the cases, it's completely unnecessary.
And also, validate your input !! Don't just assume that whatever is passed on the URI field of a browser, is going to be correct. Check it. Then check it again.
Ok folks. This is a bot, and it uses weak root passwords to gain entry to MySQL. From there, it loads a BLOB in a table with a payload DLL, which it then writes to disk and loads as a MySQL UDF. The UDF is called, which creates the bot and the system is compromised.
Damage appears to be low as it is more spyware than anything, and you are only at risk if you A) Have not firewalled the MySQL Port, B) Have a root account that is allowed to login from anywhere, not just localhost, and C) Have a weak root password.
So, the fix is this:
A) Firewall port 3306
B) Remove the root@% account, only allow root@localhost
C) Set a strong password
I have more info at http://www.openwin.org/mike/index.php/archives/2005/01/batten-the-hatches-mysql-targeting-bot-on-the-loose/
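The fix given in the post above (firewall 3306, remove root@%, set a strong password), the ISC mitigation list earlier in the thread, and the --skip-networking advice can all be checked against a server's own grant tables and config. The following Python is an added example for this page, not code from the post's author, ISC or MySQL AB: it audits rows in the shape of SELECT Host, User, Password FROM mysql.user, treats every row of mysql.func as a finding (a UDF registered with CREATE FUNCTION ... SONAME is exactly how the post says the dropped DLL gets loaded), checks a my.ini section for skip-networking, and emits the remediation SQL. The rows, hashes and my.ini are constructed; DELETE FROM mysql.user plus FLUSH PRIVILEGES is used instead of DROP USER because DROP USER is not available on MySQL 4.0, and the SET PASSWORD ... = PASSWORD() form is the 4.x/5.0 syntax of the time with a placeholder you must replace.

```python
import configparser

# Constructed rows in the shape of:
#   SELECT Host, User, Password FROM mysql.user;
#   SELECT name, dl FROM mysql.func;
# They are made up for this example; the hashes are not real accounts.
USER_ROWS = [
    ("localhost", "root",   "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
    ("%",         "root",   ""),                       # the bot's target
    ("%",         "webapp", "*A4B6157319038724E3560894F7F932C8886EBFCF"),
    ("localhost", "",       ""),                       # anonymous account
]
FUNC_ROWS = [
    ("app_result", "app_result.dll"),  # dropped DLL registered as a UDF
]
SAMPLE_MY_INI = """\
[mysqld]
basedir=C:/mysql
datadir=C:/mysql/data
port=3306
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def audit_users(rows):
    """Return (severity, host, user, reason) findings for mysql.user rows."""
    findings = []
    for host, user, password in rows:
        if password == "":
            sev = "critical" if user == "root" else "high"
            findings.append((sev, host, user, "empty password"))
        if user == "root" and host not in LOCAL_HOSTS:
            findings.append(("critical", host, user, "root allowed from non-local host"))
        if user == "":
            findings.append(("high", host, user, "anonymous account"))
        if host == "%" and user not in ("root", ""):
            findings.append(("medium", host, user, "reachable from any host"))
    return findings


def audit_udfs(rows):
    """Every registered UDF is a finding: on a box that never created one,
    a row here means someone else loaded native code into mysqld."""
    return [("critical", name, dl, "registered UDF, verify or drop") for name, dl in rows]


def audit_config(ini_text):
    """Flag a [mysqld] section that still listens on the network."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(ini_text)
    section = cp["mysqld"] if cp.has_section("mysqld") else {}
    bound_local = section.get("bind-address") in ("127.0.0.1", "localhost")
    if "skip-networking" in section or bound_local:
        return []
    return [("high", "mysqld listens on the network; add skip-networking or bind-address=127.0.0.1")]


def remediation_sql(user_findings, udf_findings):
    """Statements implementing fix B and C from the post, plus UDF removal.
    <NEW_STRONG_PASSWORD> is a placeholder the operator must replace."""
    stmts, deleted = [], set()
    for _, host, user, reason in user_findings:
        if reason in ("root allowed from non-local host", "anonymous account") and (host, user) not in deleted:
            stmts.append(f"DELETE FROM mysql.user WHERE Host='{host}' AND User='{user}';")
            deleted.add((host, user))
    for _, host, user, reason in user_findings:
        if reason == "empty password" and (host, user) not in deleted:
            stmts.append(f"SET PASSWORD FOR '{user}'@'{host}' = PASSWORD('<NEW_STRONG_PASSWORD>');")
    for _, name, _dl, _ in udf_findings:
        stmts.append(f"DROP FUNCTION {name};")
    stmts.append("FLUSH PRIVILEGES;")
    return stmts


if __name__ == "__main__":
    users, udfs = audit_users(USER_ROWS), audit_udfs(FUNC_ROWS)
    for f in users + udfs + audit_config(SAMPLE_MY_INI):
        print(f)
    print("\n".join(remediation_sql(users, udfs)))
```

Feed it the real query output from a server you suspect, and read the DELETE statements before running them: an application account listed as reachable from any host is only a medium finding here because it may be legitimate, but root@% and the anonymous account never are. Fix A (the firewall) is outside the database and is not checked here.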
Open the Administrative Tools/Services app.
Find the "Event Monitor" service.
Open the Properties for this service.
You cannot pause or stop this service, so set the General/Startup Type to Disabled.
On the Recovery tab, set all 3 failure actions to Take No Actions.
Reboot.
Since the service didn't start, spoolcll.exe is not running.
Delete it (or whatever).
But, do not delete the service, as its existence will prevent new copies of the virus from activating.
PHP: True cross-platform programming... ;)
/. is a bunch of nerds at a million typewriters. It's not a political conspiracy determined to undermine your beliefs.
Or the ones that dont know the native PostgreSQL for win32 is now out..
---- Booth was a patriot ----
There's always PostgreSQL.
/continuing being too serious ;)
Well, I'm pretty sure I've got that port blocked already, but . . .
I stood up MySQL on a Linux box and on a Win2k box to show that, unlike MSSQL, MySQL ran on more than one platform. One database could be deployed to both platforms with the ability to keep the application running even if one goes down. Instead of having the app be entirely offline, you can bring the other over very quickly. Did this just after the first MSSQL worm to show that there are alternatives and that entire sites don't have to go down because of one bug. Now we're working on deploying some Linux clusters.
You must be the change you wish to see in the world - Ghandi
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
90% of tasks can be handled by the free MSDE install.. there's a 2GB limit, but a lot of tasks simply don't need that kind of size.
MySql is expensive too (300 per client, unless you want to GPL all your software).
In fairness, I would generalize your statement to:
Connecting a Linux box, or a *BSD box, or a Mac, or an AS/400, or .* to a hostile network with any non-trivial set of services running and no firewall, and it is going to have problems.
Don't connect ANY computer to the Internet, or any other hostile network, without a firewall.
Now, you can argue that, in the case of some operating systems, the firewall built into the OS, when properly configured, is enough.
You can also argue that a firewall should be a firewall, and a firewall ONLY, and that any other services should be provided by another machine BEHIND the firewall.
And depending upon the circumstances, either argument can win.
However, if you think in terms of "First the firewall, THEN the services", you will be miles ahead.
The problem here is that the people who set up the MySQL servers on these boxes did not insure they were firewalled - this could have happened just as easily to a Linux box with a similarly bad setup.
www.eFax.com are spammers
Er...have you read any of the other posts? Chances are, the worm takes advantage of a default configuration. (i.e. "password" as the password, network access enabled, etc.) Any decent admin would at least secure the installation.
And in the case it takes advantage of something like a buffer overflow, then so what? IIS has had a long, fruitful history of exploits. And it's been considered as "fully developed" for years. And you're going to use a single example as an I Told You So?!
tasks(723) drafts(105) languages(484) examples(29106)
Who'd use MySQL at all when there is a _really_ free alternative (BSD license) called Postgresql.
Now that it runs natively on Windows too, there is no reason to use MySQL anywhere anymore.
MySQL, you are the weakest referential integrity constraint, goodbye.
nt
How does the installer do this, considering that root password is stored in hashed format, and thus should be theoretically unviewable ? Does the installer brute-force it, or does MySQL accept passwords in their hashed form, or does the installer simply ask the root password and then verify it ?
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Who really creates an unpassworded root@% superuser account?
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
Only because people don't know about Firebird.
;)
Web browser, right? Wonder what ever happened to them...
I watched C-beams glitter in the dark near the Tannhauser gate.
Cheshire's right ... I personally use it in a MS environment where I just needed a DB & perl for a small home grown app. I, however, run it without allowing connections from anywhere but localhost.
>Who'd use MySQL on Windows though ?
As per ISC (SANS) thousands of machines have it.
"A "bot", exploiting vulnerable MySQL installs on Windows systems, has been spotted. It infected a few thousand systems so far."
There have been reports of large amounts of thefts occuring from persons leaving stacks of cash outside their front doors. Apparently, perpetrators would use a vehicle to drive up to individual's houses and take the money.
Sad to say, but this is where ease of use and point-and-click stuff brings you.
To MySQL's credit, IIRC, latest MySQL for Windows installers are fairly insistent on warning you about enabling network access and setting a root password.
Only because people don't know about Firebird.
Or PostgreSQL.
Thinking of it, it would be possible to write a virus that would spread through PostgreSQL systems that were improperly secured (set to Trust authentication on network ports). It could then create a stored procedure using an untrusted language like plpythonu or plerlu if these are installed and create something that scans the network looking for others to infect.
Unfortunately no rdbms is likely to be fully immune except maybe Oracle and only because they are such a PITA to administer that you hope your admin has a clue.
LedgerSMB: Open source Accounting/ERP
On my desktop machine I'm running Apache, PHP, Perl and MySQL on WinXP in order to run one of those PHP portal-things. My 'pooter stays on 24/7, mostly serving friends with annoying or funny pictures, and as I use all sorts of 'network aware' apps my static IP would certainly not be considered dead. So if this worm is going to hit I should be quick to know about it. So far a search for that mentioned file turns up no hits, but if I catch it I'll post it on my portal, URL above.
(And don't you dare /. me. I've gotta present a PHP app I'm coding tomorrow.)
All rites reversed 2010
Last time I looked at firebird I seem to recall having an issue with it not recognizing case, which wasn't a good thing.
As per SQL spec (relation and attribute names only, of course). Data is case sensitive by default.
Of course, most other databases default all case to lower, while Firebird/Interbase defaults all case to upper, so this does create a portability issue by different readings of the spec.
Actually, MySQL's behavior is the one which is broken.
LedgerSMB: Open source Accounting/ERP
It's not too bad price wise all things considered. I think a CPU license is around 4k. However, the Desktop version is free and allows 5 concurrent connections, which are enough connections for a small office. I've heard of people running web apps that support 200 simultaneous users with the free MSDE, but the app was coded with that in mind.
Read the fucking article - it exploits a flaw in Windows to propagate itself once it finds a vulnerable system. MySQL on *nix is vulnerable to the MySQL flaw, but not the part that does the damage. This is why the parent is not a troll, and you are an idiot.
Shitram Brown, PhD
Professor of Mathematics
Good lord, are you kidding? I would assume any reasonable organization that was accessing their database over a network would keep the webserver on a DMZ and the database server behind a firewall that's tightened up and only allows access to the database from the DMZ. Isn't this, uh, kinda obvious? And, of course, if the database and the webserver are on the same box, *why* is remote access enabled at all?
I thought they changed the name to Firefox.
We've got the source code. Where's the hole? And, more important from the OSS perspective, where's the patch? And what happens when different people release incompatible patches? Is a worm a good way to force a fork in an OSS project, making it less competitive?
--
make install -not war
Our sysadmin came running this morning and was totally devastated. The last two windows servers we have were gone because of this (we had numerous virus problems before). It was a quick decision: from now on those two boxes will run Linux just like all our other machines and we will be a 100% windows-free environment! Yeah!!!
It makes him lazy!
Data is case sensitive by default.
No, that's what I'm saying. I could swear that on the Windows version the data was case insensitive and that was screwing things up. Or maybe it was Linux.... I could swear the reason I dismissed it was over that... maybe I'm just crazy.
It's not just MySQL's behavior that's broken, their whole development path is.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
The best fix is to format your harddrive and install a real OS on your machine. How stupid can people be to still use windows for a server. Anyone who knows anything about MySQL and wants a decent performance should know better and run it on a Linux server anyways.
Sure this bug alone isn't that big of an 'I told you so,' but it's an example of how products like mysql are often ported to Windows poorly. I argued for moving to a LAMP system, but I was told that mysql is mysql, so forget about it. This is an example of how mysql is not always mysql, and why you're rolling the dice with mysql on windows (or anything on windows, for that matter). Oh, and by the way, I didn't really read much of the other posts, and I didn't realize that this only affects default passwords. I'm not using the default, so I guess this bug doesn't even really affect me.
So, having RTFA I'm not even slightly concerned. I have mysql running on windows, but since the exploit this thing uses requires a) straight up access via the internet (eg, no firewall) and b) a brute force attack on the root password, I feel pretty safe. As should anyone else who's behind a firewall and whose root mysql password isn't '12345'....
"City hall" in German is "Rathaus" Kinda explains a few things......
Another dedicated windows head who has MySQL.
I don't develop for it myself. The issue is that there are a lot of very good FOSS PHP applications that are tightly wedded to MySQL. So rather than rewrite all the db access code in them to use something more solid, I just bit the bullet and setup MySQL. Time is money after all.
In a perfect world, those php apps would abstract DB access so one could switch to a more robust platform. Some even do, but even then the MySQL option is oftentimes the only one tested as well as the only with a sql install script.
Hopefully one day the devs will see the light and realize that PHP!=MySQL.
"the bot first has to authenticate to mysql as 'root' user. A long list of passwords is included with the bot, and the bot will brute force the password."
This makes MySQL look about as vulnerable as ssh.
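The brute-force step quoted above leaves a trail in the MySQL error log once mysqld runs with log-warnings=2 (the setting that makes it record "Access denied" events), so it can be spotted the same way an ssh dictionary attack is spotted in auth.log. The detector below is an added example for this page, not code from ISC or the poster; the log lines are constructed in the style of a MySQL 4.x/5.0 error log, and the threshold of five failures in a sliding 60-second window is an assumption to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed lines in the style of a MySQL 4.x/5.0 error log with
# log-warnings=2; made up for this example, not a real capture.
SAMPLE_ERROR_LOG = """\
050125 18:50:01 [Warning] Access denied for user 'root'@'192.0.2.10' (using password: NO)
050125 18:50:01 [Warning] Access denied for user 'root'@'192.0.2.10' (using password: YES)
050125 18:50:02 [Warning] Access denied for user 'root'@'192.0.2.10' (using password: YES)
050125 18:50:02 [Warning] Access denied for user 'root'@'192.0.2.10' (using password: YES)
050125 18:50:03 [Warning] Access denied for user 'root'@'192.0.2.10' (using password: YES)
050125 18:50:03 [Warning] Access denied for user 'root'@'192.0.2.10' (using password: YES)
050125 18:52:10 [Warning] Access denied for user 'webapp'@'localhost' (using password: YES)
050125 19:05:00 [Warning] Access denied for user 'root'@'10.0.0.8' (using password: YES)
050125 19:35:00 [Warning] Access denied for user 'root'@'10.0.0.8' (using password: YES)
"""

# Old mysqld pads single-digit hours with a space, hence \s+ and \d{1,2}.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)' \(using password: (?P<pw>YES|NO)\)"
)


def parse_denials(text):
    """Yield (timestamp, user, host, used_password) for each denied login."""
    for line in text.splitlines():
        m = DENIED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%y%m%d %H:%M:%S")
        yield ts, m["user"], m["host"], m["pw"] == "YES"


def find_bruteforce(text, user="root", threshold=5, window=timedelta(seconds=60)):
    """Return {host: (window_start, count)} for hosts that failed to log in
    as `user` at least `threshold` times inside any `window`-long span.
    A sliding window per host keeps a slow, spread-out retry from firing."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, u, host, _ in parse_denials(text):
        if u != user:
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and host not in flagged:
            flagged[host] = (q[0], len(q))
    return flagged


def tried_empty_password(text, user="root"):
    """Hosts that tried `user` with no password at all: the first guess a bot
    makes against an install that still ships root without one."""
    return sorted({host for _, u, host, used_pw in parse_denials(text)
                   if u == user and not used_pw})


if __name__ == "__main__":
    for host, (start, n) in find_bruteforce(SAMPLE_ERROR_LOG).items():
        print(f"{host}: {n} failed root logins starting {start}")
    print("tried empty root password:", tried_empty_password(SAMPLE_ERROR_LOG))
```

A hit here on a host that should not be able to reach 3306 at all is also evidence that the firewall side of the fix is missing, which is the more urgent thing to correct.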
I rewrote PHPTriad, securing the default password for root and did so 3 years ago. The new product is Sokkit. However, Sourceforge won't let me take PHPTriad down, point to the new commercial version or in any way indicate the project has been shut down.
The only reason I left it alone in the old PHPTriad package was that was how MySQL themselves ship the setup. The official MYSQL binaries have (unless it's changed very recently) *no* password on the root account unless you deliberately go and change it.
Even today, I get constant complaints because I secure the root account, even though I ask them to supply the password.
The Glass is Too Big: My Take on Things
Having any db server accessible directly from the internet is plain idiocy. There is no justification for it. You deserved to be 0wn3d. And hopefully it will keep you off the net for a long time while you try to repair.
Open source, closed source isn't the issue. Having half a brain is.
Because PostgreSQL doesn't have as large of a community, can be a pain in the ass to administer, and doesn't have the same cross platform toolset as MySQL has accumulated over the years. Technically, PostgreSQL is superior, but in practice, most won't care or know the difference.
- oZ
// i am here.
Someone who knows anything about MySQL doesn't run a windows server to begin with. Windows performance is very poor and security will always be at risk. Particulary for applications like MySQL Linux is the OS of choice. I can't believe some of those windows freaks that are still out there call themselves professionals. That's scary.
I just checked my firewall logs for the last several days, and haven't seen a single hit on 3306.
This is from MySQL 3.23.58 on Linux. So, yes it is case INsensitive. (But I can't really do anything to prove your sanity)
Linux passwords are scrambled, but the root user can read the scrambled password file. The first part of the scrambled password ($1$, eight letters/digits, $) is the "salt". The same plaintext password and the same salt will always produce the same scrambled password. The password scrambling algorithm is a standard C library function, so almost every programme uses it, not just the login validator.
Upshot: if you copy a scrambled password from one user to another, or out of /etc/shadow into a .htpasswd {apache password file; used to password-protect directories} or something similar, it'll Just Work.
MySQL actually uses a different password hashing algorithm, unless you tweaked the source, but I think the parent is talking about PHPMyAdmin. This creates a standard .htpasswd file when it is installed, and it uses root's UNIX password. Note you still have to supply PHPMyAdmin with a MySQL username and password. By default, MySQL has a user called "root" with no password who is only allowed to login locally. This is considered secure enough for most applications.
NB: it's generally a very bad idea to use the same password for login and database. One dodgy web hosting company I have experienced actually did this. The MySQL username and password have to be in your user directory somewhere, in plaintext, and they have to be world-readable so the Apache daemon can see them. Upshot: any user can see any other user's database username and password. {This is why the root/no password combination isn't so insecure as it looks.} Ordinarily, the PHP {or Perl or Python} interpreter gets them first, and the user only ever sees the output from the interpreter; but you can pay for an account with the same company, determine the directory structure reasonably easily, and use a simple PHP, Perl, Python or Bash script to traverse other users' directories looking for passwords. If the database username and password is the same as the UNIX password then you can have much fun, since these passwords are also good for FTP, POP3 and SSH.
Je fume. Tu fumes. Nous fûmes!
Does it mean that MySQL is now officially "ready for the desktop"? Hopefully, the Linux version will be next.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Even for slashdot, there are a lot of FUD posters out here.
If you installed ANY database on ANY system and didn't take efforts to lock it down then you are an idiot.
This worm only affects people that made all three classic errors below:
1) Didn't set up a useful firewall
2) Didn't lock down the administrator access
3) Didn't set a secure root password for the DB.
Well, now you know where you went wrong and should learn a bit about system security.
On top of all the above, you have to be running an operating system that has been configured to allow a new data file to be created by the DB then loaded as executable code. That is also poor system administration - you should NOT give a DB app rights to create executable files.
The old saying is always true:
Wise people learn from other people's mistakes
Most people learn from their own mistakes
Fools never learn at all....
I wonder if that is why Yahoo Finance is not working correctly at the moment. It is supposed to be powered by MySQL
Yahoo Error
Well, even if you used an installer program (as I did) that is no excuse for not securing it. I'll be darned if I leave the root password as a default to anything. Not to mention not rename it to something besides root. Not to mention let anyone access it besides localhost. Not to mention not have all ports but those necessary firewalled.
Still, maybe a good idea for those install apps would be an easy GUI window prompting you to change those values and providing input fields to do so. I mean, it isn't easy to correctly edit the user table of the mysql database through PHPMyAdmin without consulting documentation. I trashed a few installs before I learned how. Maybe that could be another thing to work on, a better user interface for editing those values under PHPMyAdmin. It currently warns you about a blank root password, but it is slightly above the level of a novice to figure out how to fix that.
Someone that has a PC with a Windows license and needs an inexpensive SQL database.
You run Apache on a Windows box? I guess that would be okay in a trusted environment. But it is not recommended to run Apache on Win32 systems in a hostile environment.
Anyone have a list?
Let me make sure that my understanding is aligned with the Slashbot collective.
When a clueless admin doesn't secure Windows, it's Windows' fault. But when a clueless admin doesn't secure an OSS application, it's the admin's fault.
Do I have that right?
"Ask not what your country can do for you." --John F. Kennedy
Sure.
Until you use a library that your host doesn't have loaded.
I guess this idea of "privilege escalation" in one way or another is one of the reasons why PostgreSQL refuses to run as admin (especially on win32)
No need to flame people who use MySQL on win32. This has been briefly mentioned already, but here's a slightly better explanation. One of MySQL's major advantages over other free medium-to-lightweight (such as pgsql) is that MySQL has been available for the win32 platform for a very long period of time (if you are about to mention firebird, take a look here). This enabled developers to install their webserver of choice (apache) with some cool script mod (php) alongside a database well suited for small to medium web projects (mysql). So if you are a supporter of (F)OSS, then you better not flame people who use MySQL on win32, because that is one of the reasons why MySQL is so popular today.
I'm doing an audit of a 2000 machine and discover that it appears to have MySQL installed and is running a service for it. Which weirded me out, because I DEFINITELY don't run MySQL, I'm a POSTGRES guy.
It appears that some adware that had dropped itself on the machine had downloaded and installed it for me (one of my users is an idiot).
THEN the worm was able to load itself onto my machine.
Make sure to check all your machines, not just the ones that should have SQL running on them.
3306 is the default port for MySQL, and the worm tries to use this port.
* If you need remote access to MySQL from within the same network, keep 3306 closed off at the firewall. And it won't hurt to use another port even so.
* If you do need to access a MySQL server from outside the same network, then you should definitely use something besides 3306.
* If you don't need to access MySQL remotely at all, then run mysqld with --skip-networking.
Il n'y a pas de Planet B.
I find PostgreSQL to be quite easy to admin.
The large community argument is not really an advantage either - the MS-Windows community is MUCH larger than the Linux community, but I would not recommend any version of MS-Windows to even my worst enemy.
As for the toolset - to what are you referring?
Of course, Perl is much better at database support than PHP with its DBI:DBD combination from CPAN.
And everyone knows that anything you can do in PHP, you can do in Perl just as easily.
Been there, Done that, Sold the t-shirt to the next idiot in line
Another friendly package that should probably be checked out is XAMPP.
And I love the way these threads always have a bunch of comments that say "Ooh, you should close that port on your firewall!" Usually, all ports should be closed, and you open the ones you need--not open by default and closed as vulns are announced. Remember kids: a firewall with all ports open IS NOT A FIREWALL.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
My linux box has been connected to the internet with a static IP and no firewall for around 6 months. I'm pretty sure it hasn't been rooted or zombied (no unusual network access, no ports open that shouldn't be when I nmap it, all files that should be there are there). I get around two attempts every second to connect to my SMB server, and every so often someone tries a dictionary attack, in which case I complain to their ISP. I've also had a couple of dictionary attacks on my ssh server. None of these got through, for the simple reason that I don't use weak passwords. I'm not sure how you're defining non-trivial, but I have a reasonable number of services running here. I keep everything updated, use long passwords, and don't have any problems. And I don't see why others can't do the same.
I am trolling
you have to use 'binary' for case sensitive searches.
mysql> create table name ( name char(10) );
Query OK, 0 rows affected (0.05 sec)
mysql> insert into name ( name ) values ('Forrest');
Query OK, 1 row affected (0.00 sec)
mysql> select * from name where binary name = 'forrest';
Empty set (0.01 sec)
mysql> select * from name where binary name = 'Forrest';
+---------+
| name |
+---------+
| Forrest |
+---------+
The hash used for login passwords is a standard library function, so I'd imagine MySQL simply uses the same hashing mechanism.
I am trolling
Thanks for the tip.
Forrest
Are there that many installations of MySQL on Windows? Usually, worms will target the most common installations, and up until this moment, I don't think I even knew MySQL was working on Windows. Are the flaws this thing uses to spread (if there's something beyond bad passwords) specific to the Windows port? I would be much more concerned if this thing was targeted at Linux or was cross-platform. I guess MySQL should be proud that they're ubiquitous enough to host this sort of attack.
How do you mean that it is hard to administer? Install, run, done. Scaling up to large databases is easy too. Granted, the default parameters are a bit conservative, but they are easy to change.
The community is large too and there are many books on the subject.
And as for tools, pgAdmin is all I need, and runs on various Unixes and Windows. Probably OS X as well.
If people don't care, then why should they use MySQL and not Postgres? By the time they start to care, they might appreciate, say, online backups without having to pay for 3rd party tools...
Define "redistribute" please.
Why would you allow port 3306 outbound to the internet?
Why is it that proper egress filtering is not being mentioned? Everyone talks about "filtering" but forgets that it's both directions that you need to check.
Did you read the SANS description of the problem !!!!
The cracker has to find the password of the database administrator (by brute force with a dictionary).
Then mysql must be running with administrator privileges.
Then the cracker copies his application into the database.
Finally it uses an SQL function to copy the application (a scanner to infect other PCs) to the filesystem and executes it.
So where is the mysql worm?
SANS summary of the issue:
"This bot does not use any vulnerability in mysql. The fundamental weakness it uses is a weak 'root' account."
SANS solution: set a strong password for the root account. Who the hell would open the mysql server to the internet with a root password of "adminpwd" and then wonder why he is infected?
Just a side note:
Some of the infected PCs had Windows XP SP2 with firewall policies activated.
Does the Windows firewall let everyone connect to your box by default? With databases, web servers?
Well, switch firewall application, or better, OS; mysql cannot help you.
Alban Browaeys
If you use this as an 'I told you so', and you administer the box, then they should fire you. This problem only affects poorly administered mySQL installations.
D'oh! Didn't realize I had it open. At least I'm on Linux and don't have a blatantly obvious root password. PostgreSQL installed with IP off by default; I guess MySQL didn't. I don't even remember why MySQL's installed...some php toy I guess. PostgreSQL and MSSQL ports are already blocked even though I don't have MSSQL.
Time to update the firewall (dedicated and local), MySQL config and revisit password strength. Maybe I should finally go to a deny by default policy....
The article on the SANS site states:
A long list of passwords is included with the bot, and the bot will brute force the password.
Does anyone know of a site that has posted this list? I believe my password is sufficiently secure, but it would be nice to have some idea of the scope of the character combinations that this bot tries.
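Whatever the bot's word list contains, the thing a defender can observe is the burst of failed root logins it produces. The following is an added example, not code from SANS or from any poster: it parses constructed MySQL error-log lines of the "Access denied for user" form and flags source hosts that fail a configurable number of logins inside a sliding time window. It assumes the server has been configured so that failed logins are written to its error log; the log lines are constructed sample data.

```python
"""Flag password guessing against MySQL from error-log lines.

Added example. Assumes the deployment writes failed logins to the error
log as "Access denied for user ..." lines; the sample below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the old "YYMMDD HH:MM:SS" error-log style.
SAMPLE_LOG = """\
050127 10:15:01 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
050127 10:15:01 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
050127 10:15:02 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
050127 10:15:02 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
050127 10:15:03 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
050127 10:15:03 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
050127 10:20:00 [Warning] Access denied for user 'alice'@'localhost' (using password: YES)
050127 11:30:00 [Note] /usr/sbin/mysqld: ready for connections.
"""

# One failed-login line: timestamp, user, source host, whether a password was sent.
LINE_RE = re.compile(
    r"^(?P<ts>\d{6} \d{2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)' \(using password: (?P<pw>YES|NO)\)"
)


def parse_denials(log_text):
    """Yield (timestamp, user, host) for each failed-login line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%y%m%d %H:%M:%S")
            yield ts, m.group("user"), m.group("host")


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {host: total_failures} for hosts with >= threshold failed
    logins inside any window of the given length (sliding, per host)."""
    by_host = defaultdict(list)
    for ts, _user, host in parse_denials(log_text):
        by_host[host].append(ts)
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it fits within `window` of `end`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for host, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{host}: {count} failed logins, looks like password guessing")
```

The threshold and window are deliberately conservative; a dictionary bot of the kind described in the thread produces many failures per second from one address, while a human mistyping a password does not, so the single-user entry for `alice` is left alone.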
Electronic portfolio system that uses MySQL? I hope you don't do a lot of concurrent updates. :)
Actually, if your program requires the user to install MySQL, that counts as "redistributing" MySQL, according to their FAQ.
Why are there two administrator accounts, admin and root? I'm trying to find something in the docs (I was at http://dev.mysql.com/doc/mysql/en/default-privileges.html already). Can someone point out the right place in the docs, or explain it in his own words?
Firebird is case sensitive on any platform.
Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
Today I got up, took a shit, showered, drove to work, ate breakfast, then proceeded to fix bugs until lunch. I ate a turkey sandwich to show that I am trying to lose a little weight and then went back to work.
So what I'm saying is what the fuck does your post have to do with the price of rice in China? Probably about as much as it has to do with the MySQL exploit listed in the post.
... for running a Windows OS. Kudos to the virus/worm/trojan writers for taking the time to get Microsofties out of my way on the internet :)
When MSSQL had the problem, people complained that it was caused by more badly written Microsoft software.
Now when MySql has the same problem, is it the developers of MySql who we should blame? No, now it's Microsoft's fault for not writing a better OS for MySql!
How convenient...so, isn't anyone going to take a shot at the people actually exploiting the problem? Or, is it Microsoft's fault for creating the culture that influenced them, too?
Does this apply to people running localhost servers?
1-Crawl 2-Cnfg 3-ATF 4-Exit ?
http://shit.slashdot.org/article.pl?sid=05/01/27/1546222
Don't worry, mate. We all feel that way for the first time. G'day.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
OK, if you are not an Aussie, then you won't get it. I only got it after I reread the entire post when I saw the "g'day" and "mate" which seemed to not belong there. It made my day! :) If you still don't get it, here's a hint. G'day, mates! :)
in plaintext, and they have to be world-readable so the Apache daemon can see them
Can't you just configure to only allow the user that running Apache (or the group) to be able to read the file?
There is no Planet B.
We've gotten a lot of flak over PostgreSQL's restriction on not installing under user accounts with admin privileges. A lot of "Why can't I install as Administrator" complaints. A LOT.
... and hopefully MySQL AB will learn that it's worth putting up with a few user complaints for widespread security.
The MySQL worm writers have just proven our point dramatically
Josh Berkus
PostgreSQL Project
Yes, you can; but that won't make any difference. Apache runs as its own non-privileged user {often "nobody", sometimes "www-data" or "apache"} and has a group to itself. Any processes it spawns {to execute scripts, for instance} also run as the Apache user {not the owner of the script} -- unless SUID is in operation, and that's a huge security risk. You don't know who the hell is connecting to your box via HTTP -- anyone potentially could set a script running with root privileges {therefore able to tamper with any logfiles}, without entering any kind of username or password.
On most Unixes, only root can chown files. You ought to be able to chown your own files, but it's strictly a one-way ticket. {Why?} And let's not forget the opportunity to frame a colleague {chown unluckyeddy:itdept 10yr_old_amy.jpg win_xp_src.tar.gz star_wars_episode_3.dvd.iso && shred -n1 ~/.bash_history}. Best not to let every Caz, Shaz and Daz use it.
So even if only the Apache user was allowed to read your scripts, you would be no more secure than if they were world-readable. Password-hunting scripts would still be running in the name of Apache, therefore allowed to access others' passwords.
Try it if you don't believe me; but if you do it on a real ISP's server, watch you don't get caught, because it is almost certain to be a breach of AUP. Open a sacrificial hosting account and consider it money spent in the name of research.
Je fume. Tu fumes. Nous fûmes!
Supposedly this is a "zero day attack." Which means, an attack on the same day the exploit is made public - January 27th, 2005. THIS IS NOT TRUE! I gave access to my server to a friend as a favor. He provides my server with colocation services so I thought it was only fair to let him add a web page to it. I thought he knew what he was doing. Well, he added his IP and his site but did not secure the new IP in the firewall. OOOOPPPPPPSSSSSS!! OK my bad - I counted on the firewall to protect me. OOOOPPPPPPSSSSSS!! The server was infected on January 18th, 2005 in nearly the exact same method that is described for this "MySQL worm." It does have a few differences, but it is the same thing. It is probably an earlier version. Long story short - I know the name of the hacker that made this worm. This January 27th worm is not the first version of this worm.
Actually, using the MySQL server is free unless you make an installer which installs your application and the database server. If you just tell you client to install a MySQL server, there is no problem.
It becomes more complicated if you use the MySQL libraries. If your application is compiled with them, it either has to be licensed or GPL. If you can manage not to package and distribute the GPL applications and libraries, there is no problem.
He who doesn't go hunting gets no game.
PHP Queb
Not according to the GPL, which is what they release their software under. Hence, I don't really give a damn what their FAQ says.
I, as an individual or an organization, am allowed to use personally or internally any GPL code, in combination with any proprietary code, as long as said proprietary code is not distributed beyond myself or the organization with the GPL code attached.
That's why nVidia can get away with binary drivers that link into the fully GPL Linux kernel. If I wanted to sell a computer with Linux on it, I couldn't preinstall the nVidia drivers for the customer, as that would be a violation of the GPL. There's nothing wrong with installing it for myself, or the customer installing it for themselves, because neither of those cases involve redistribution of GPL code.
"City hall" in German is "Rathaus" Kinda explains a few things......