Worm Hits Windows Machines Running MySQL
UnderAttack writes "A report on the Australian whirlpool forum suggests that a worm is currently taking out MySQL servers running on Windows. We have seen this happen with MSSQL before (not just 'Slammer', but also SQLSnake that used SA accounts without password). The SANS Internet Storm Center suggests that a rise in port 3306 scans can be attributed to the new worm, and is asking for observations to help figure this out. It appears the worm creates a file called 'spoolcll.exe'."
Can I make it? Is dream. ^^;;
Who'd use MySQL on Windows though ?
It's appropriate that the talk page for this was 404'ing for a while.
Solid reliability, transaction support, and a good security track record. Probably the best thing short of switching to an AS/400.
We have seen this happen with MSSQL before.
It was news with slamming facts in it.
What is the SANS institute?
The SANS (SysAdmin, Audit, Network, Security) Institute provides information security training and certification. For more information, visit www.sans.org
What's an SA account?
The system administrator (SA) account is similar to the DBO except it is of the entire server. It has the same access and permissions as the DBO on all the databases in the server.
DBO account???
The DBO User Account The database owner (DBO) is the administrator for the database. It has full access to all operations and rights.
SQL Snake is an Internet worm, that scans for open Microsoft SQL 7 (MSSQL) and 2000 servers - which run on TCP Port 1433 by default. The worm attempts to log into the System Administrator (SA) account with no password. If successful, the worm downloads and hides some files and grabs system configuration and account names.
Before the MySQL bashers start, it should be noted that this is not a problem with MySQL.
From the article:
This bot does not use any vulnerability in mysql. The fundamental weakness it uses is a weak 'root' account. The following mitigation methods will prevent exploitation:
Strong Password: Select a strong password, in particular for the 'root' account.
Restricted root account: Connections for any account can be limited to certain hosts in MySQL. This is particularly important for 'root'. If possible, 'root' should only be allowed to connect from the local host. MySQL will also allow you to force connections to use mysql's own SSL connection option.
Apply firewall rules: MySQL servers should not be exposed to the "wild outside". Block port 3306 and only allow access from selected hosts that require such access. Again, the use of ssh forwarding or SSL is highly recommended.
It should be about done. I mean, isn't that about all of them?
To be clear, this is a Windows MySQL worm.
-Peter
... it's always first with 3 week old news. The virus was reported on January 5th.
MySQL does not come with Windows; you have to download it and install it, and if you are downloading it and installing it then you obviously have a reason to use it, and are more likely to set an actual password.
Just three more hours seapeople and you can finally take me away from this crappy God Damned planet full of hippies
A hole in a program that communicates to the database and is accessible from the outside world would be a much more serious flaw, I would imagine.
Game! - Where the stick is mightier than the sword!
so we've got tsunamis in asia, droughts in africa, worms in australia.... frank: "here, this here wombat 'ill toyk kehr of um"
What does a vulnerability in mySQL have to do with MSSQL? Or are you blaming Microsoft for a mySQL worm because it wouldn't be /. any other way?
Do you realize how much of a pain it was to get postgres working on Windows until fairly recently?
Come again?
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Actually we have seen this before with MySQL in the beginning of 2003:
SELECT INTO outfile was buggy up to 3.23.55
My test server was compromised at 18:50 yesterday.
When I got back to my machine at 19:20, I cleaned it down and found out what was happening.
I have all firewall logs etc. and have archived the executable and DLL files dropped.
One went into the mysql data folder (app_result.dll), and the executable spoolcll.exe was dropped into windows.
Only now that I've gone into the archive folder has Norton picked it up and archived it (it had shut down/run the QConsole.exe NAV application to ensure Norton didn't find it, or it just wasn't in the definitions yesterday).
It's been detected as w32.Spybot.worm (http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html).
liqbase
What is going to soak up more of the Internet's bandwidth ? A MySQL worm port scanning every IP in existance, or a gigantic mob of Slashdotters flaming Microsoft because it only affects Windows machines ? And will either of them even come close to breaking the current record held by BitTorrent Porn ?
For the stirring conclusion, stay tuned to Netcraft: As the Internet turns...
--LordPixie
It's a bot. ISC said that it requires someone to initiate the scanning.
I wonder why Microsoft doesn't just decide to build a new OS from scratch that will only run its own software and be very limited but only do one thing well. It doesn't surprise me every time an exploit appears for programs or OSs nowadays, since no one tries to make their stuff secure. Even OpenBSD doesn't do enough. They need to start with more limits and be less user friendly when you are doing something like database software.
Just a few minutes ago, Sygate Personal Firewall alerted me to several portscans on my system.
I am running mySQL 4.0.x...
I guess it's time to see what's going on.
I do keep all ports closed, all mySQL passwords are secure, no remote access to mySQL. It's just for dev purposes.
Not sure if there is a connection, but I'm going to look into it.
the Snake... Not the new worm. I remember how much of a pain Slammer was, I'm glad I don't admin SQL servers anymore!
Man if I had known that this software was vulnerable to worms I would never have bought it.
I think everyone reading SlashDot knows what all that means... :P
Are you?
Requirements to get a story on /.
1. Must bash MS or any of a number of companies on the "not cool" list
2. If a story does not fit #1 then random pieces of info should be thrown in to make it fit #1
3. If there is any chance that a story could bash *nix, #2 should be used to prevent this.
Does this mean MySQL is considered a real DB now?
For both of these, there are exceptional requirements that can negate these general rules, but anyone who has these requirements should know better than to not take exceptional measures to protect the server.
99.99% of people who run MySQL run it on the same machine as their webserver that queries it. Most people don't actually do queries across the network to the database server.
Just run MySQL with --skip-networking at startup (skip-networking in my.cnf), to disable MySQL from listening on port 3306. I know on most systems it's probably the default, but in almost all of the cases it's completely unnecessary.
And also, validate your input !! Don't just assume that whatever is passed on the URI field of a browser, is going to be correct. Check it. Then check it again.
Ok folks. This is a bot, and it uses weak root passwords to gain entry to MySQL. From there, it loads a BLOB in a table with a payload DLL, which it then writes to disk and loads as a MySQL UDF. The UDF is called, which creates the bot and the system is compromised.
Damage appears to be low as it is more spyware than anything, and you are only at risk if you A) Have not firewalled the MySQL port, B) Have a root account that is allowed to log in from anywhere, not just localhost, and C) Have a weak root password.
So, the fix is this:
A) Firewall port 3306
B) Remove the root@% account, only allow root@localhost
C) Set a strong password
I have more info at http://www.openwin.org/mike/index.php/archives/2005/01/batten-the-hatches-mysql-targeting-bot-on-the-loose/
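The SANS mitigations quoted earlier (strong root password, root limited to localhost) and the BLOB-to-UDF delivery path described in the comment above can be audited and applied from the mysql client. The script below is an added example, not from the thread, the SANS diary or the linked write-up; it assumes the MySQL 4.x / 5.0-era privilege tables of the period (mysql.user still carries a `password` column, mysql.func lists registered UDFs) and uses a placeholder passphrase.

```sql
-- Constructed example, not from the thread or the SANS diary.
-- Assumes the MySQL 4.x / 5.0-era privilege tables the thread is about:
-- mysql.user still has a `password` column and mysql.func lists registered UDFs.

-- 1. Audit: accounts reachable from any host, or with no password at all.
--    The bot needs exactly this: a 'root' that may log in from '%' with a
--    password on its wordlist (or none).
SELECT user, host, (password = '') AS empty_password
FROM mysql.user
WHERE host = '%' OR password = ''
ORDER BY user, host;

-- 2. Audit: is the server listening on the network at all?
--    skip_networking = ON means 3306 is not open, whatever the firewall does.
SHOW VARIABLES LIKE 'skip_networking';
--    Where a dropped library would land (app_result.dll in the thread's report).
SHOW VARIABLES LIKE 'datadir';

-- 3. Detect: a UDF registered against a library sitting in the data directory
--    is the delivery mechanism described above. A clean install has no rows
--    here unless you added UDFs yourself.
SELECT name, dl, type
FROM mysql.func;

-- 4. Harden, following the SANS advice quoted in the thread.
--    Drop every root account that is not bound to localhost...
DELETE FROM mysql.user
WHERE user = 'root' AND host <> 'localhost';

--    ...give the remaining root a strong password (placeholder; choose your own)...
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('<long-random-passphrase>');

--    ...unregister any UDF you did not install yourself (take the name from
--    step 3; no function name is assumed here)...
-- DROP FUNCTION <name_from_mysql_func>;

--    ...and make the privilege changes take effect without a restart.
FLUSH PRIVILEGES;
```

Run the audit queries first and keep their output as evidence; the DELETE only removes remote root logins, so it still needs the firewall rule and --skip-networking, which cannot be set from SQL.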
Open the Administrative Tools/Services app.
Find the "Event Monitor" service.
Open the Properties for this service.
You cannot pause or stop this service, so set the General/Startup Type to Disabled.
On the Recovery tab, set all 3 failure actions to Take No Actions.
Reboot.
Since the service didn't start, spoolcll.exe is not running.
Delete it (or whatever).
But, do not delete the service, as its existence will prevent new copies of the virus from activating.
Well, I'm pretty sure I've got that port blocked already, but . . .
I stood up MySQL on a Linux box and on a Win2k box to show that, unlike MSSQL, MySQL ran on more than one platform. One database could be deployed to both platforms with the ability to keep the application running even if one goes down. Instead of having the app be entirely offline, you can bring the other over very quickly. Did this just after the first MSSQL worm to show that there are alternatives and that entire sites don't have to go down because of one bug. Now we're working on deploying some Linux clusters.
You must be the change you wish to see in the world - Ghandi
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
Guess what Jason, you're really fucking stupid and you should commit suicide, today.
In fairness, I would generalize your statement to:
Connecting a Linux box, or a *BSD box, or a Mac, or an AS/400, or .* to a hostile network with any non-trivial set of services running and no firewall, and it is going to have problems.
Don't connect ANY computer to the Internet, or any other hostile network, without a firewall.
Now, you can argue that, in the case of some operating systems, the firewall built into the OS, when properly configured, is enough.
You can also argue that a firewall should be a firewall, and a firewall ONLY, and that any other services should be provided by another machine BEHIND the firewall.
And depending upon the circumstances, either argument can win.
However, if you think in terms of "First the firewall, THEN the services", you will be miles ahead.
The problem here is that the people who set up the MySQL servers on these boxes did not ensure they were firewalled - this could have happened just as easily to a Linux box with a similarly bad setup.
www.eFax.com are spammers
Who really creates an unpassworded root@% superuser account?
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
There have been reports of large amounts of thefts occurring from persons leaving stacks of cash outside their front doors. Apparently, perpetrators would use a vehicle to drive up to individuals' houses and take the money.
Sad to say, but this is where ease of use and point-and-click stuff brings you.
To MySQL's credit, IIRC, the latest MySQL for Windows installers are fairly insistent on warning you about enabling network access and setting a root password.
On my desktop machine I'm running Apache, PHP, Perl and MySQL on WinXP in order to run one of those PHP portal-things. My 'pooter stays on 24/7, mostly serving friends with annoying or funny pictures, and as I use all sorts of 'network aware' apps my static IP would certainly not be considered dead. So if this worm is going to hit I should be quick to know about it. So far a search for that mentioned file turns up no hits, but if I catch it I'll post it on my portal, URL above.
(And don't you dare /. me. I've gotta present a PHP app I'm coding tomorrow.)
All rites reversed 2010
Read the fucking article - it exploits a flaw in Windows to propagate itself once it finds a vulnerable system. MySQL on *nix is vulnerable to the MySQL flaw, but not the part that does the damage. This is why the parent is not a troll, and you are an idiot.
Shitram Brown, PhD
Professor of Mathematics
Good lord, are you kidding? I would assume any reasonable organization that was accessing their database over a network would keep the webserver on a DMZ and the database server behind a firewall that's tightened up and only allows access to the database from the DMZ. Isn't this, uh, kinda obvious? And, of course, if the database and the webserver are on the same box, *why* is remote access enabled at all?
We've got the source code. Where's the hole? And, more important from the OSS perspective, where's the patch? And what happens when different people release incompatible patches? Is a worm a good way to force a fork in an OSS project, making it less competitive?
--
make install -not war
Our sysadmin came running this morning and was totally devastated. The last two windows servers we have were gone because of this(we had numerous virus problems before). It was a quick decision: from now on those two boxes will run Linux just like all our other machines and we will be a 100% windows-free environment! Yeah!!!
It makes him lazy!
The best fix is to format your harddrive and install a real OS on your machine. How stupid can people be to still use windows for a server. Anyone who knows anything about MySQL and wants a decent performance should know better and run it on a Linux server anyways.
So, having RTFA I'm not even slightly concerned. I have mysql running on windows, but since the exploit this thing uses requires a) straight up access via the internet (eg, no firewall) and b) a brute force attack on the root password, I feel pretty safe. As should anyone else who's behind a firewall and whose root mysql password isn't '12345'....
"the bot first has to authenticate to mysql as 'root' user. A long list of passwords is included with the bot, and the bot will brute force the password."
This makes MySQL look about as vulnerable as ssh.
Having any db server accessible directly from the internet is plain idiocy. There is no justification for it. You deserved to be 0wn3d. And hopefully it will keep you off the net for a long time while you try to repair.
Open source, closed source isn't the issue. Having half a brain is.
Someone who knows anything about MySQL doesn't run a windows server to begin with. Windows performance is very poor and security will always be at risk. Particularly for applications like MySQL, Linux is the OS of choice. I can't believe some of those windows freaks that are still out there call themselves professionals. That's scary.
The only reason I left it alone in the old PHPTriad package was that was how MySQL themselves ship the setup. The official MYSQL binaries have (unless it's changed very recently) *no* password on the root account unless you deliberately go and change it.
Even today, I get constant complaints because I secure the root account, even though I ask them to supply the password.
The Glass is Too Big: My Take on Things
I just checked my firewall logs for the last several days, and haven't seen a single hit on 3306.
Does it mean that MySQL is now officially "ready for the desktop"? Hopefully, the Linux version will be next.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Even for slashdot, there are a lot of FUD posters out here.
If you installed ANY database on ANY system and didn't take efforts to lock it down then you are an idiot.
This worm only affect people that made all three classic errors below:
1) Didn't set up a useful firewall
2) Didn't lock down the administrator access
3) Didn't set a secure root password for the DB.
Well, now you know where you went wrong and should learn a bit about system security.
On top of all the above, you have to be running an operating system that has been configured to allow a new data file to be created by the DB then loaded as executable code. That is also poor system administration - you should NOT give a DB app rights to create executable files.
The old saying is always true:
Wise people learn from other people's mistakes
Most people learn from their own mistakes
Fools never learn at all....
I wonder if that is why Yahoo Finance is not working correctly at the moment. It is supposed to be powered by MySQL.
Yahoo Error
Anyone have a list?
Let me make sure that my understanding is aligned with the Slashbot collective.
When a clueless admin doesn't secure Windows, it's Windows' fault. But when a clueless admin doesn't secure an OSS application, it's the admin's fault.
Do I have that right?
"Ask not what your country can do for you." --John F. Kennedy
I guess this idea of "privilege escalation" in one way or another is one of the reasons why PostgreSQL refuses to run as admin (especially on win32)
No need to flame people who use MySQL on win32. This has been briefly mentioned already, but here's a slightly better explanation. One of MySQL's major advantages over other free medium-to-lightweight (such as pgsql) is that MySQL has been available for the win32 platform for a very long period of time (if you are about to mention firebird, take a look here). This enabled developers to install their webserver of choice (apache) with some cool script mod (php) alongside a database well suited for small to medium web projects (mysql). So if you are a supporter of (F)OSS, then you better not flame people who use MySQL on win32, because that is one of the reasons why MySQL is so popular today.
I'm doing an audit of a 2000 machine and discover that it appears to have MySQL installed and is running a service for it. Which weirded me out, because I DEFINITELY don't run MySQL, I'm a POSTGRES guy.
It appears that some adware that had dropped itself on the machine had downloaded and installed it for me (one of my users is an idiot).
THEN the worm was able to load itself onto my machine.
Make sure to check all your machines, not just the ones that should have SQL running on them.
3306 is the default port for MySQL, and the worm tries to use this port.
* If you need remote access to MySQL from within the same network, keep 3306 closed off at the firewall. And it won't hurt to use another port even so.
* If you do need to access a MySQL server from outside the same network, then you should definitely use something besides 3306.
* If you don't need to access MySQL remotely at all, then run mysqld with --skip-networking.
Il n'y a pas de Planet B.
I find PostgreSQL to be quite easy to admin.
The large community argument is not really an advantage either - the MS-Windows community is MUCH larger than the Linux community, but I would not recommend any version of MS-Windows to even my worst enemy.
As for the toolset - to what are you referring?
Of course, Perl is much better at database support than PHP with its DBI:DBD combination from CPAN.
And everyone knows that anything you can do in PHP, you can do in Perl just as easily.
Been there, Done that, Sold the t-shirt to the next idiot in line
My linux box has been connected to the internet with a static IP and no firewall for around 6 months. I'm pretty sure it hasn't been rooted or zombied (no unusual network access, no ports open that shouldn't be when I nmap it, all files that should be there are there). I get around two attempts every second to connect to my SMB server, and every so often someone tries a dictionary attack, in which case I complain to their ISP. I've also had a couple of dictionary attacks on my ssh server. None of these got through, for the simple reason that I don't use weak passwords. I'm not sure how you're defining non-trivial, but I have a reasonable number of services running here. I keep everything updated, use long passwords, and don't have any problems. And I don't see why others can't do the same.
I am trolling
Are there that many installations of MySQL on Windows? Usually, worms will target the most common installations, and up until this moment, I don't think I even knew MySQL was working on Windows. Are the flaws this thing uses to spread (if there's something beyond bad passwords) specific to the Windows port? I would be much more concerned if this thing was targeted at Linux or was cross-platform. I guess MySQL should be proud that they're ubiquitous enough to host this sort of attack.
Why would you allow port 3306 outbound to the internet?
Why is it that proper egress filtering is not being mentioned? Everyone talks about "filtering" but forgets that it's both directions that you need to check.
Did you read the SANS description of the problem !!!!
The cracker has to find the password of the administrator of the database (by brute force with a dictionary).
Then mysql must be run with administrator privileges.
Then the cracker copies his application into the database.
Finally it uses an sql function to copy the application (a scanner to infect other pcs) to the filesystem and execute it.
? Where is the mysql worm ?
SANS summary of the issue:
"This bot does not use any vulnerability in mysql. The fundamental weakness it uses is a weak "root" account."
SANS solution: set a strong password for the root account. Who the hell will open the mysql server to the internet with a root password like "adminpwd" and then wonder why he is infected?
Just a side note:
some of the infected pc had windows xp sp2 with firewall policies activated
Does windows firewall let everyone connect to your box by default ? with database, web servers
well switch firewall appli or better OS , mysql cannot help you
Alban Browaeys
D'oh! Didn't realize I had it open. At least I'm on Linux and don't have a blatantly obvious root password. PostgreSQL installed with IP off by default; I guess MySQL didn't. I don't even remember why MySQL's installed... some php toy I guess. PostgreSQL and MSSQL ports are already blocked even though I don't have MSSQL.
Time to update the firewall (dedicated and local), MySQL config and revisit password strength. Maybe I should finally go to a deny by default policy....
The article on the SANS site states:
A long list of passwords is included with the bot, and the bot will brute force the password.
Does anyone know of a site that has posted this list? I believe my password is sufficiently secure, but it would be nice to have some idea of the scope of the character combinations that this bot tries.
Why are there two administrator accounts, admin and root? I'm trying to find something in the docs (I was at http://dev.mysql.com/doc/mysql/en/default-privileges.html already). Can someone point out the right place in the docs, or explain it in his own words?
Today I got up, took a shit, showered, drove to work, ate breakfast, then proceeded to fix bugs until lunch. I ate a turkey sandwich to show that I am trying to lose a little weight and then went back to work.
So what I'm saying is what the fuck does your post have to do with the price of rice in China? Probably about as much as it has to do with the MySQL exploit listed in the post.
... for running a Windows OS. Kudos to the virus/worm/trojan writers for taking the time to get Microsofties out of my way on the internet :)
When MSSQL had the problem, people complained that it was caused by more badly written Microsoft software.
Now when MySql has the same problem, is it the developers of MySql who we should blame? No, now it's Microsoft's fault for not writing a better OS for MySql!
How convenient...so, isn't anyone going to take a shot at the people actually exploiting the problem? Or, is it Microsoft's fault for creating the culture that influenced them, too?
Does this apply to people running localhost servers?
1-Crawl 2-Cnfg 3-ATF 4-Exit ?
http://shit.slashdot.org/article.pl?sid=05/01/27/1546222
Don't worry, mate. We all feel that way for the first time. G'day.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
OK, if you are not an Aussie, then you won't get it. I only got it after I reread the entire post when I saw the "g'day" and "mate" which seemed to not belong there. It made my day! :) If you still don't get it, here's a hint. G'day, mates! :)
We've gotten a lot of flak over PostgreSQL's restriction on not installing under user accounts with admin privileges. A lot of "Why can't I install as Administrator" complaints. A LOT.
... and hopefully MySQL AB will learn that it's worth putting up with a few user complaints for widespread security.
The MySQL worm writers have just proven our point dramatically
Josh Berkus
PostgreSQL Project
Supposedly this is a "zero day attack." Which means, an attack on the same day the exploit is made public - January 27th, 2005. THIS IS NOT TRUE! I gave access to my server to a friend as a favor. He provides my server with colocation services so I thought it was only fair to let him add a web page to it. I thought he knew what he was doing. Well, he added an IP and his site but did not secure the new IP in the firewall. OOOOPPPPPPSSSSSS!! OK my bad - I counted on the firewall to protect me. OOOOPPPPPPSSSSSS!! The server was infected on January 18th, 2005 in nearly the exact same method that is described for this "MySQL worm." It does have a few differences, but it is the same thing. It is probably an earlier version. Long story short - I know the name of the hacker that made this worm. This January 27th worm is not the first version of this worm.