Worm Hits Windows Machines Running MySQL

← Back to Stories (view on slashdot.org)

Worm Hits Windows Machines Running MySQL

Posted by michael on Thursday January 27, 2005 @04:27AM from the batten-the-ports-prepare-for-heavy-weather dept.

UnderAttack writes "A report on the Australian whirlpool forum suggest that a worm is currently taking out MySQL servers running on Windows. We have seen this happen with MSSQL before (not just 'Slammer', but also SQLSnake that used SA accounts without password). The SANS Internet Storm Center suggests that a rise in port 3306 scans can be attributed to the new worm, and is asking for observations to help figure this out. It appears the worm creates a file called 'spoolcll.exe'."

9 of 367 comments (clear)

Min score:

Reason:

Sort:

I don't get it by gowen · 2005-01-27 04:33 · Score: 5, Interesting

I don't understand the sans report. First it says :
The bot uses the "MySQL UDF Dynamic Library Exploit".
before adding
This bot does not use any vulnerability in mysql.

Come again?

--
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Not surprising by barryman_5000 · 2005-01-27 04:33 · Score: 2, Interesting

I wonder why Microsoft doesn't just decide to build a new OS from scratch that will only run its own software and be very limited but only do one thing good. It doesn't surprise me everytime an exploit appears for programs or OS's nowadays since no one tries to make their stuff secure. Even OpenBSD doesn't do enough. They need to start with more limits and be less user friendly when you are doing something like database software.
Ok, this is strange by digitalgimpus · 2005-01-27 04:34 · Score: 2, Interesting

Just a few minutes ago, Sygate Personal Firewall allerted me to several portscans on my system.

I am running mySQL 4.0.x...

I guess it's time to see what's going on.

I do keep all ports closed, all mySQL passwords are secure, no remote access to mySQL. It's just for dev purposes.

Not sure if there is a connection, but I'm going to look into it.
MySQL in practice by Marcus+Erroneous · 2005-01-27 04:51 · Score: 4, Interesting

Well, I'm pretty sure I've got that port blocked already, but . . .
I stood up MySQL on a Linux box and on a Win2k box to show that, unlike MSSQL, MySQL ran on more than one platform. One database could be deployed to both platforms with the ability to keep the application running even if one goes down. Instead of having the app be entirely offline, you can bring the other over very quickly. Did this just after the first MSSQL worm to show that there are alternatives and that entire sites don't have to go down because of one bug. Now we're working on deploying some Linux clusters.

--
You must be the change you wish to see in the world - Ghandi
Re:Don't keep the port open! by drinkypoo · 2005-01-27 05:00 · Score: 4, Interesting

Turning off networking makes remote administration more difficult. Why not just block the port? Every supported version of NT, plus the two most recent unsupported versions (and probably more) has port filtering. Just block those ports (or, you can default deny) on the external interface.

--
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Re:Windows by ultranova · 2005-01-27 05:02 · Score: 2, Interesting

In linux by default in a lot of distributions being able to connect from network is disabled in mysql, or sets root password as php password,

How does the installer do this, considering that root password is stored in hashed format, and thus should be theoretically unviewable ? Does the installer brute-force it, or does MySQL accept passwords in their hashed form, or does the installer simply ask the root password and then verify it ?

--
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
MyWorm by Doc+Ruby · 2005-01-27 05:21 · Score: 2, Interesting

We've got the source code. Where's the hole? And, more important from the OSS perspective, where's the patch? And what happens when different people release incompatible patches? Is a worm a good way to force a fork in an OSS project, making it less competitive?

--
--
make install -not war
1. Re:MyWorm by catenos · 2005-01-27 15:12 · Score: 2, Interesting
  
  I already answered to the second part, too. Usually there are work-arounds available. I am not sure which experience you are referring to, but I see professionals to wait for official patches and vendor updates, usually. Applying patches manually seems to be the exception, not the rule.
  
  But let's assume people do what you say and your scenario would happen. Why would this be a vulnerablity? What is the problem? Actually, I see it as another advantage of OOS. With binary software, you *have* to use a work-around until a fix comes, and you *have* to hope that a fix will be part of the next patch-day.
  
  IMHO, it would probably happen as it happened with the Linux kernel some days ago: one good soul offers to maintain a fork with security patches. All is well. Where is the problem again?
  
  "Fork" is often used as a bad word, a worst-case scenario, when it isn't. There are a lot of distributions, and in some way, they are all forks of a lot of packages they contain (any Linux distro still delivering their main kernel unpatched?). The world still stands.
  
  Forks become a problem, if there happen too many and if they happen due to social problems and leave people not cooperating (because then it becomes unrealistic to backport all those patches). But in the scenario you suggest, I see people working together. Someone just taking some load from the main project.
  
  --
  Keep an eye on which arguments are silently dropped in replies. Not always, but often times it's very telling.
Re:Acronym madness clarification. by Deviate_X · 2005-01-27 09:33 · Score: 2, Interesting

Clearly you have no idea that this flaw has nothing to do with Windows Security. That is another debate.

This is a flaw in Windows version of MySQL. Your comment is entirely beside the point.