Slashdot Mirror


Worm Hits Windows Machines Running MySQL

UnderAttack writes "A report on the Australian whirlpool forum suggests that a worm is currently taking out MySQL servers running on Windows. We have seen this happen with MSSQL before (not just 'Slammer', but also SQLSnake that used SA accounts without password). The SANS Internet Storm Center suggests that a rise in port 3306 scans can be attributed to the new worm, and is asking for observations to help figure this out. It appears the worm creates a file called 'spoolcll.exe'."

14 of 367 comments

  1. That's why... by Anonymous Coward · · Score: 0, Interesting
    Most serious people deploy PostgreSQL on Windows, if they're deploying anything on it at all.

    Solid reliability, transaction support, and a good security track record. Probably the best thing short of switching to an AS/400.

  2. slashdot's super post editing strikes again! by Anonymous Coward · · Score: 0, Interesting

    What does a vulnerability in mySQL have to do with MSSQL? Or are you blaming Microsoft for a mySQL worm because it wouldn't be /. any other way?

  3. I don't get it by gowen · · Score: 5, Interesting
    I don't understand the sans report. First it says :
    The bot uses the "MySQL UDF Dynamic Library Exploit".
    before adding
    This bot does not use any vulnerability in mysql.


    Come again?
    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  4. Not surprising by barryman_5000 · · Score: 2, Interesting

    I wonder why Microsoft doesn't just decide to build a new OS from scratch that will only run its own software and be very limited but only do one thing well. It doesn't surprise me every time an exploit appears for programs or OS's nowadays since no one tries to make their stuff secure. Even OpenBSD doesn't do enough. They need to start with more limits and be less user friendly when you are doing something like database software.

  5. Ok, this is strange by digitalgimpus · · Score: 2, Interesting

    Just a few minutes ago, Sygate Personal Firewall alerted me to several portscans on my system.

    I am running mySQL 4.0.x...

    I guess it's time to see what's going on.

    I do keep all ports closed, all mySQL passwords are secure, no remote access to mySQL. It's just for dev purposes.

    Not sure if there is a connection, but I'm going to look into it.

  6. MySQL in practice by Marcus+Erroneous · · Score: 4, Interesting

    Well, I'm pretty sure I've got that port blocked already, but . . .
    I stood up MySQL on a Linux box and on a Win2k box to show that, unlike MSSQL, MySQL ran on more than one platform. One database could be deployed to both platforms with the ability to keep the application running even if one goes down. Instead of having the app be entirely offline, you can bring the other over very quickly. Did this just after the first MSSQL worm to show that there are alternatives and that entire sites don't have to go down because of one bug. Now we're working on deploying some Linux clusters.

    --
    You must be the change you wish to see in the world - Gandhi
  7. Re:Don't keep the port open! by drinkypoo · · Score: 4, Interesting

    Turning off networking makes remote administration more difficult. Why not just block the port? Every supported version of NT, plus the two most recent unsupported versions (and probably more) has port filtering. Just block those ports (or, you can default deny) on the external interface.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  8. Re:Windows by ultranova · · Score: 2, Interesting

    In Linux, by default in a lot of distributions, being able to connect from the network is disabled in MySQL, or it sets the root password as the PHP password,

    How does the installer do this, considering that the root password is stored in hashed format, and thus should be theoretically unviewable? Does the installer brute-force it, or does MySQL accept passwords in their hashed form, or does the installer simply ask for the root password and then verify it?

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  9. I've got a bullseye on my forehead by Ceriel+Nosforit · · Score: 1, Interesting

    On my desktop machine I'm running Apache, PHP, Perl and MySQL on WinXP in order to run one of those PHP portal-things. My 'pooter stays on 24/7, mostly serving friends with annoying or funny pictures, and as I use all sorts of 'network aware' apps my static IP would certainly not be considered dead. So if this worm is going to hit I should be quick to know about it. So far a search for that mentioned file turns up no hits, but if I catch it I'll post it on my portal, URL above.

    (And don't you dare /. me. I've gotta present a PHP app I'm coding tomorrow.)

    --
    All rites reversed 2010
  10. MyWorm by Doc+Ruby · · Score: 2, Interesting

    We've got the source code. Where's the hole? And, more important from the OSS perspective, where's the patch? And what happens when different people release incompatible patches? Is a worm a good way to force a fork in an OSS project, making it less competitive?

    --
    make install -not war

    1. Re:MyWorm by catenos · · Score: 2, Interesting

      I already answered to the second part, too. Usually there are work-arounds available. I am not sure which experience you are referring to, but I see professionals wait for official patches and vendor updates, usually. Applying patches manually seems to be the exception, not the rule.

      But let's assume people do what you say and your scenario would happen. Why would this be a vulnerability? What is the problem? Actually, I see it as another advantage of OSS. With binary software, you *have* to use a work-around until a fix comes, and you *have* to hope that a fix will be part of the next patch-day.

      IMHO, it would probably happen as it happened with the Linux kernel some days ago: one good soul offers to maintain a fork with security patches. All is well. Where is the problem again?

      "Fork" is often used as a bad word, a worst-case scenario, when it isn't. There are a lot of distributions, and in some way, they are all forks of a lot of packages they contain (any Linux distro still delivering their main kernel unpatched?). The world still stands.

      Forks become a problem if too many happen and if they happen due to social problems and leave people not cooperating (because then it becomes unrealistic to backport all those patches). But in the scenario you suggest, I see people working together. Someone just taking some load from the main project.

      --
      Keep an eye on which arguments are silently dropped in replies. Not always, but often times it's very telling.
  11. What a load of rubbish by Anonymous Coward · · Score: 1, Interesting

    Even for slashdot, there are a lot of FUD posters out here.

    If you installed ANY database on ANY system and didn't take efforts to lock it down then you are an idiot.

    This worm only affects people that made all three classic errors below:
    1) Didn't set up a useful firewall
    2) Didn't lock down the administrator access
    3) Didn't set a secure root password for the DB.

    Well, now you know where you went wrong and should learn a bit about system security.

    On top of all the above, you have to be running an operating system that has been configured to allow a new data file to be created by the DB then loaded as executable code. That is also poor system administration - you should NOT give a DB app rights to create executable files.

    The old saying is always true:
    Wise people learn from other people's mistakes
    Most people learn from their own mistakes
    Fools never learn at all....
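An added audit helper for the checklist above (firewall, admin access, root password); it is not part of the post or of MySQL, and the account rows and my.ini fragment below are constructed sample data standing in for a `SELECT User, Host, Password FROM mysql.user` result and a real config file:

```python
"""Flag the account and config mistakes named in the checklist above.
Added example; all sample data is constructed, not taken from a real server."""
import re

# Constructed rows in the shape of `SELECT User, Host, Password FROM mysql.user`.
# An empty Password column means no password was ever set for that account.
SAMPLE_USERS = [
    ("root", "localhost", "*5A2E3F00"),   # hashed, local only: fine
    ("root", "%",         ""),            # root from anywhere, no password: error 2 and 3
    ("",     "localhost", ""),            # anonymous account, no password
    ("web",  "10.0.0.5",  "*7B1C2200"),   # ordinary app account, hashed
]

# Constructed my.ini fragment: nothing restricts the listener to loopback.
SAMPLE_INI = """[mysqld]
port=3306
datadir=C:/mysql/data
"""

def audit_users(rows):
    """Return one finding per weak account: empty password, anonymous user,
    or a root account that accepts connections from a non-local host."""
    findings = []
    for user, host, pw in rows:
        who = f"'{user}'@'{host}'"
        if pw == "":
            findings.append(f"{who}: empty password")
        if user == "":
            findings.append(f"{who}: anonymous account")
        if user == "root" and host not in ("localhost", "127.0.0.1"):
            findings.append(f"{who}: root reachable from non-local host")
    return findings

def audit_ini(text):
    """Flag a [mysqld] section that leaves TCP 3306 open to the network
    (no skip-networking and no loopback bind-address)."""
    section = re.search(r"\[mysqld\](.*?)(?=\n\[|\Z)", text, re.S)
    body = section.group(1) if section else ""
    # Keys without '=' (e.g. skip-networking) map to an empty value.
    opts = dict(re.findall(r"^\s*([\w-]+)\s*(?:=\s*(.*?))?\s*$", body, re.M))
    findings = []
    if "skip-networking" not in opts and opts.get("bind-address") not in ("127.0.0.1", "localhost"):
        findings.append("mysqld listens on the network: no skip-networking / loopback bind-address")
    return findings

if __name__ == "__main__":
    for line in audit_users(SAMPLE_USERS) + audit_ini(SAMPLE_INI):
        print(line)
```

The first three errors are visible in the data; the fourth point in the post (the server account being able to write executable files) is a filesystem permission question and has to be checked on the host, not in the database.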

  12. Yahoo Finance by Anonymous Coward · · Score: 1, Interesting

    I wonder if that is why Yahoo Finance is not working correctly at the moment. It is supposed to be powered by MySQL.

    Yahoo Error

  13. Re:Acronym madness clarification. by Deviate_X · · Score: 2, Interesting

    Clearly you have no idea that this flaw has nothing to do with Windows Security. That is another debate.

    This is a flaw in the Windows version of MySQL. Your comment is entirely beside the point.