Worm Hits Windows Machines Running MySQL
UnderAttack writes "A report on the Australian whirlpool forum suggest that a worm is currently taking out MySQL servers running on Windows. We have seen this happen with MSSQL before (not just 'Slammer', but also SQLSnake that used SA accounts without password). The SANS Internet Storm Center suggests that a
rise in port 3306 scans can be attributed to the new worm, and is asking for observations to help figure this out. It appears the worm creates a file called 'spoolcll.exe'."
Come again?
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Well, I'm pretty sure I've got that port blocked already, but . . .
I stood up MySQL on a Linux box and on a Win2k box to show that, unlike MSSQL, MySQL ran on more than one platform. One database could be deployed to both platforms with the ability to keep the application running even if one goes down. Instead of having the app be entirely offline, you can bring the other over very quickly. Did this just after the first MSSQL worm to show that there are alternatives and that entire sites don't have to go down because of one bug. Now we're working on deploying some Linux clusters.
You must be the change you wish to see in the world - Ghandi
Turning off networking makes remote administration more difficult. Why not just block the port? Every supported version of NT, plus the two most recent unsupported versions (and probably more) has port filtering. Just block those ports (or, you can default deny) on the external interface.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"