Slashdot Mirror


Worm Hits Windows Machines Running MySQL

UnderAttack writes "A report on the Australian whirlpool forum suggest that a worm is currently taking out MySQL servers running on Windows. We have seen this happen with MSSQL before (not just 'Slammer', but also SQLSnake that used SA accounts without password). The SANS Internet Storm Center suggests that a rise in port 3306 scans can be attributed to the new worm, and is asking for observations to help figure this out. It appears the worm creates a file called 'spoolcll.exe'."

65 of 367 comments

  1. Acronym madness clarification. by sanityspeech · · Score: 5, Informative

    What is the SANS institute?

    The SANS (SysAdmin, Audit, Network, Security) Institute provides information security training and certification. For more information, visit www.sans.org

    What's an SA account?

    The system administrator (SA) account is similar to the DBO except it is of the entire server. It has the same access and permissions as the DBO on all the databases in the server.

    DBO account???

    The DBO user account: the database owner (DBO) is the administrator for the database. It has full access to all operations and rights.

    SQL Snake is an Internet worm, that scans for open Microsoft SQL 7 (MSSQL) and 2000 servers - which run on TCP Port 1433 by default. The worm attempts to log into the System Administrator (SA) account with no password. If successful, the worm downloads and hides some files and grabs system configuration and account names.

    Before the MySQL bashers start, it should be noted that this is not a problem with MySQL.

    From the article:

    This bot does not use any vulnerability in mysql. The fundamental weakness it uses is a weak 'root' account. The following mitigation methods will prevent exploitation:

    Strong Password: Select a strong password, in particular for the 'root' account.
    Restricted root account: Connections for any account can be limited to certain hosts in MySQL. This is particularly important for 'root'. If possible, 'root' should only be allowed to connect from the local host. MySQL will also allow you to force connections to use mysql's own SSL connection option.
    Apply firewall rules: MySQL servers should not be exposed to the "wild outside". Block port 3306 and only allow access from selected hosts that require such access. Again, the use of ssh forwarding or SSL is highly recommended.

    1. Re:Acronym madness clarification. by Naikrovek · · Score: 3, Informative

      It doesn't. You have to configure it to allow non-localhost connections.

    2. Re:Acronym madness clarification. by DrSkwid · · Score: 2, Funny

      almost there, try this :

      A server should not have root accounts.

      there, that's more like it

      --
      There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
    3. Re:Acronym madness clarification. by Anonymous Coward · · Score: 2, Informative

      Extremely easy to do using ipsec (on Windows XP & 2000), allow me to demonstrate:

      ipsec -w REG -p "filter" -r "MySQL" -f *+0:3306:TCP -n BLOCK
      ipsec -w REG -p "filter" -x

      Bam; all outside connections are now dropped.

      Enjoy.

      (Note: You might have to use ipseccmd or some other quirky name.)

    4. Re:Acronym madness clarification. by Deviate_X · · Score: 2, Interesting

      Clearly you have no idea that this flaw has nothing to do with Windows Security. That is another debate.

      This is a flaw in Windows version of MySQL. Your comment is entirely beside the point.

  2. Shouldn't be a big deal by Mad+Merlin · · Score: 4, Informative
    How often does your database have to talk directly to the outside world? The port should be closed to the outside world most of the time.

    A hole in a program that communicates to the database and is accessible from the outside world would be a much more serious flaw I would imagine.

  3. Re:Windows by TedCheshireAcad · · Score: 4, Insightful

    Don't laugh - it happens. MSSQL is 'spensive, and for an all-windows environment that needs a database - MySQL wins the prize.

    /took your comment too seriously

  4. Re:Windows by Directrix1 · · Score: 3, Informative

    Only because people don't know about Firebird.

    --
    Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
  5. Re:Windows by UnderAttack · · Score: 3, Informative

    Well, Apache, PHP and MySQL run just fine in Windows. Many people run Linux on servers, but Windows on developer desktops (which then have Apache, php and mysql installed).

    --
    ---- join dshield.org Distributed Intrusion Detec
  6. What? by Anonymous Coward · · Score: 2, Informative

    Do you realize how much of a pain it was to get postgres working on Windows until fairly recently?

  7. I don't get it by gowen · · Score: 5, Interesting
    I don't understand the SANS report. First it says:
    The bot uses the "MySQL UDF Dynamic Library Exploit".
    before adding
    This bot does not use any vulnerability in mysql.


    Come again?
    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    1. Re:I don't get it by Qzukk · · Score: 4, Informative

      Well, to spread it specifically uses weak default/unset DB admin passwords and MySQL running as a system or admin level task with write access to everything. Once the worm is in your server with the db admin password, it uses the db admin's ability to load a dll into mysql to allow it to perform actions outside of mysql.

      See the details on this for information about what exactly is happening. There are plenty of DLLs on windows laying around that do all sorts of stuff, once you define a function call in MySQL to use a dll that allows you to execute whatever you want on the system, you win.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    2. Re:I don't get it by DrSkwid · · Score: 2, Insightful


      mysql can load arbitrary dlls?

      lol that's one of the dumbest features I ever heard!!

      --
      There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
    3. Re:I don't get it by DrSkwid · · Score: 2, Insightful

      that's right, dumbest

      even when you redundantly explain it, it doesn't get any cleverer

      arbitrary dlls == dumb

      --
      There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
    4. Re:I don't get it by DrSkwid · · Score: 2, Insightful


      The key word is "arbitrary". The ability to load winsock.dll into mysql is dumb

      You *could* compile against a set of headers to mark the dll as database server safe

      You *could* compile against a set of headers to mark the dll as owned by the owner of a particular database

      You could cryptographically sign the dlls and only accept signed dlls

      "ooh but it's just sooo flexible"

      just like activeX email

      --
      There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
  8. Not for the first time ... by enoraM · · Score: 2, Informative

    Actually we have seen this before with MySQL in the beginning of 2003:

    SELECT INTO outfile was buggy up to 3.23.55

  9. Re:Clarity by Anonymous Coward · · Score: 3, Insightful

    That doesn't change the fact that there are flaws in MySQL that need to be fixed.

  10. I got hit by LiquidCoooled · · Score: 5, Informative

    My test server was compromised at 18:50 yesterday.
    When I got back to my machine at 19:20, I cleaned it down and found out what was happening.

    I have all the firewall logs etc. and have archived the executable and dll files dropped.

    One into the mysql data folder (app_result.dll), and the executable spoolcll.exe was dropped into windows.
    Only now that I've gone into the archive folder has Norton picked it up and archived it (it had shutdown/ran the QConsole.exe NAV application to ensure Norton didn't find it, or it just wasn't in the definitions yesterday).
    It's been detected as w32.Spybot.worm (http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html).

    --
    liqbase :: faster than paper
  11. Bandwidth comparison, please ? by LordPixie · · Score: 4, Funny

    What is going to soak up more of the Internet's bandwidth? A MySQL worm port scanning every IP in existence, or a gigantic mob of Slashdotters flaming Microsoft because it only affects Windows machines? And will either of them even come close to breaking the current record held by BitTorrent Porn?

    For the stirring conclusion, stay tuned to Netcraft: As the Internet turns...


    --LordPixie

  12. Not surprising by barryman_5000 · · Score: 2, Interesting

    I wonder why Microsoft doesn't just decide to build a new OS from scratch that will only run its own software and be very limited but only do one thing well. It doesn't surprise me every time an exploit appears for programs or OS's nowadays since no one tries to make their stuff secure. Even OpenBSD doesn't do enough. They need to start with more limits and be less user friendly when you are doing something like database software.

  13. Ok, this is strange by digitalgimpus · · Score: 2, Interesting

    Just a few minutes ago, Sygate Personal Firewall alerted me to several portscans on my system.

    I am running mySQL 4.0.x...

    I guess it's time to see what's going on.

    I do keep all ports closed, all mySQL passwords are secure, no remote access to mySQL. It's just for dev purposes.

    Not sure if there is a connection, but I'm going to look into it.

    1. Re:Ok, this is strange by stanleypane · · Score: 5, Funny

      You seem very concerned. Better submit that last Slashdot comment before checking it out.

  14. Re:Windows by gmuslera · · Score: 4, Informative
    I'll bet that the worm takes advantage of the default installation of MySQL made by PHPTriad or another "easy" way to install mysql under windows along with, e.g., php and apache.

    In linux by default in a lot of distributions being able to connect from network is disabled in mysql, or sets root password as php password, so the risk of that kind of worm (well, for systems that don't have even a basic firewall configured) is pretty low.

  15. I want my money back! by netsavior · · Score: 3, Funny

    Man if I had known that this software was vulnerable to worms I would never have bought it.

  16. Re:Windows by _xeno_ · · Score: 3, Informative

    Exactly. There are something like seven developer systems running Windows that have MySQL and a web server on them for webapp development in the section I work for. Then, later, the webapp gets uploaded to a Solaris machine where the users actually use it.

    I also have MySQL on my home Windows machine, since that's what my hosting provider offers. So I do some basic testing on Apache on Windows with MySQL as the database backend.

    --
    You are in a maze of twisty little relative jumps, all alike.
  17. Re:Windows by weopenlatest · · Score: 2, Informative

    I use mysql at the web shop I work for. The reason is that we're in the process of moving a legacy ASP application to LAMP, and running both PHP and ASP on the same box was SUPPOSED to be a timesaver by smoothing over the transition. I was against this idea from the beginning, arguing that mysql and php on windows were underdeveloped compared to the linux/unix versions. Now I have a nice 'I told you so' that the managers can understand.

  18. MySQL a real DB? by Atomizer · · Score: 4, Funny

    Does this mean MySQL is considered a real DB now?

    1. Re:MySQL a real DB? by KingBahamut · · Score: 2, Insightful

      Lol....REAL DATABASE features.....that's an odd term. Let us go to Webster's. 1. A collection of data arranged for ease and speed of search and retrieval 2. An organized body of related information 3. One or more large structured sets of persistent data, usually associated with software to update and query the data. A simple database might be a single file containing many records, each of which contains the same set of fields where each field is a certain fixed width. Now then I clearly think that MySQL fits one or more of those definitions...making it a REAL DATABASE.....lol....wake up people.

      --
      "God of Rock, thank you for this chance to kick ass. "
    2. Re:MySQL a real DB? by oconnorcjo · · Score: 2, Insightful
      A simple database might be a single file containing many records, each of which contains the same set of fields where each field is a certain fixed width. Now then I clearly think that MySQL fits one or more of those definitions...making it a REAL DATABASE.....lol....wake up people.

      What I think most people who talk about REAL DBs are referring to is the ACID test. I have not checked recently but for the longest time MySQL failed those requirements.

      --
      I miss the Karma Whores.
  19. Windows + Internet = Bad Things by WoodstockJeff · · Score: 2, Insightful
    This is yet another reason to not attach a Windows-based computer to internet without a firewall. Of course, having a public-access SQL server (regardless of its software) isn't a particularly good idea, either.

    For both of these, there are exceptional requirements that can negate these general rules, but anyone who has these requirements should know better than to not take exceptional measures to protect the server.

  20. Don't keep the port open! by hacker · · Score: 5, Informative

    99.99% of people who run MySQL run it on the same machine as their webserver that queries it. Most people don't actually do queries across the network to the database server.

    Just run MySQL with --skip-networking at startup (skip-networking in my.cnf), to disable MySQL from listening on port 3306. I know on most systems it's probably the default, but in almost all of the cases it's completely unnecessary.

    And also, validate your input !! Don't just assume that whatever is passed on the URI field of a browser, is going to be correct. Check it. Then check it again.

    1. Re:Don't keep the port open! by drinkypoo · · Score: 4, Interesting

      Turning off networking makes remote administration more difficult. Why not just block the port? Every supported version of NT, plus the two most recent unsupported versions (and probably more) has port filtering. Just block those ports (or, you can default deny) on the external interface.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Don't keep the port open! by wolrahnaes · · Score: 2, Informative

      "so disabling networking is not really viable on Windows is it?"

      I don't know about other services, but MySQL on Win32 supports named pipes, and can use those instead of TCP/IP. It even asks in the installer if you want to disable networking.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
  21. Some info by Squeebee · · Score: 5, Informative

    Ok folks. This is a bot, and it uses weak root passwords to gain entry to MySQL. From there, it loads a BLOB in a table with a payload DLL, which it then writes to disk and loads as a MySQL UDF. The UDF is called, which creates the bot and the system is compromised.

    Damage appears to be low as it is more spyware than anything, and you are only at risk if you A) Have not firewalled the MySQL Port, B) Have a root account that is allowed to login from anywhere, not just localhost, and C) Have a weak root password.

    So, the fix is this:

    A) Firewall port 3306
    B) Remove the root@% account, only allow root@localhost
    C) Set a strong password

    I have more info at http://www.openwin.org/mike/index.php/archives/2005/01/batten-the-hatches-mysql-targeting-bot-on-the-loose/
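
Squeebee's three conditions (root reachable over the network, a weak or empty root password, and the UDF-loading privilege that turns a login into code execution) can all be checked from the server's own grant tables and config, and hacker's skip-networking advice above fits the same check. The following audit script is an added example for this thread, not code from SANS, MySQL AB or any poster. It assumes you have already run `SELECT Host, User, Password FROM mysql.user` and `SELECT name, dl FROM mysql.func` and pasted the rows in; the sample rows, hash values, approved-UDF list and my.cnf fragment are all constructed for illustration.

```python
"""Audit a MySQL server's grant tables and config for the conditions the
bot needs.  Added example, not code from SANS, MySQL AB or any poster.
Inputs are rows from these two queries plus the text of my.cnf:

    SELECT Host, User, Password FROM mysql.user;
    SELECT name, dl FROM mysql.func;

All sample data below is constructed; the hash values are made up.
"""
import re

LOCAL_HOSTS = {"localhost", "127.0.0.1"}

# Constructed mysql.user rows (4.0-style 16-hex-digit hashes, made up).
SAMPLE_USERS = [
    ("localhost", "root",   "5d2e19393cc5ef67"),
    ("%",         "root",   ""),                  # the account the bot wants
    ("%",         "",       ""),                  # anonymous account
    ("localhost", "webapp", "43e9a4ab75570f5b"),
    ("10.0.0.%",  "backup", "6f8c114b58f2ce44"),
]

# Constructed mysql.func rows: one UDF the admin installed on purpose and
# one whose DLL name matches what the thread reports the bot dropping.
SAMPLE_FUNCS = [
    ("metaphon",   "udf_example.dll"),
    ("app_result", "app_result.dll"),
]
APPROVED_UDFS = {"metaphon"}   # assumption: the admin keeps such a list

# Constructed my.cnf fragment.
SAMPLE_MY_CNF = """[client]
port=3306

[mysqld]
datadir=C:/mysql/data
skip-networking
"""


def audit_users(rows):
    """Return (kind, account, advice) tuples for every risky grant-table row."""
    findings = []
    for host, user, pw_hash in rows:
        account = f"'{user}'@'{host}'"
        if user == "":
            findings.append(("anonymous", account, "drop the anonymous account"))
            continue
        if pw_hash == "":
            findings.append(("empty-password", account, "set a strong password"))
        if user == "root" and host not in LOCAL_HOSTS:
            findings.append(("remote-root", account, "allow root from localhost only"))
        elif "%" in host:
            findings.append(("wildcard-host", account, "narrow the host pattern"))
    return findings


def audit_funcs(rows, approved=APPROVED_UDFS):
    """Return the (name, dl) pairs in mysql.func that nobody approved."""
    return [(name, dl) for name, dl in rows if name not in approved]


def listens_on_network(my_cnf_text):
    """True unless the [mysqld] section carries skip-networking."""
    in_mysqld = False
    for line in my_cnf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_mysqld = line.lower() == "[mysqld]"
        elif in_mysqld and re.fullmatch(r"skip[-_]networking", line.lower()):
            return False
    return True


def remediation_sql(findings):
    """Turn audit_users() findings into the statements that close them."""
    to_drop = [acct for kind, acct, _ in findings if kind in ("anonymous", "remote-root")]
    stmts = []
    for acct in to_drop:
        user, host = acct.split("@")
        stmts.append(f"DELETE FROM mysql.user WHERE User={user} AND Host={host};")
    for kind, acct, _ in findings:
        if kind == "empty-password" and acct not in to_drop:
            stmts.append(f"SET PASSWORD FOR {acct} = PASSWORD('<strong password here>');")
    if stmts:
        stmts.append("FLUSH PRIVILEGES;")   # grant-table edits need this to take effect
    return stmts


if __name__ == "__main__":
    for kind, acct, advice in audit_users(SAMPLE_USERS):
        print(f"{kind:15} {acct:22} {advice}")
    for name, dl in audit_funcs(SAMPLE_FUNCS):
        print(f"unapproved UDF  {name} from {dl}")
    print("listening on TCP:", listens_on_network(SAMPLE_MY_CNF))
    print("\n".join(remediation_sql(audit_users(SAMPLE_USERS))))
```

The script deliberately drops the remote root and anonymous accounts rather than just giving them passwords, which matches the "root@localhost only" advice in the thread; firewalling port 3306 is the one item on Squeebee's list that cannot be verified from inside the server and still has to be checked at the host or gateway.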

  22. Re:Clarity by Fred_A · · Score: 2, Insightful

    Flaws such as letting people install it that are clueless enough to put it on Internet connected machines without setting passwords for administrative accounts ?

    That'll be a tough one to patch...

    --

    May contain traces of nut.
    Made from the freshest electrons.
  23. temporary fix by greechneb · · Score: 5, Informative


    Open the Administrative Tools/Services app.
    Find the "Event Monitor" service.
    Open the Properties for this service.
    You cannot pause or stop this service, so set the General/Startup Type to Disabled.
    On the Recovery tab, set all 3 failure actions to Take No Actions.

    Reboot.

    Since the service didn't start, spoolcll.exe is not running.
    Delete it (or whatever).

    But, do not delete the service, as its existence will prevent new copies of the virus from activating.

  24. MySQL in practice by Marcus+Erroneous · · Score: 4, Interesting

    Well, I'm pretty sure I've got that port blocked already, but . . .
    I stood up MySQL on a Linux box and on a Win2k box to show that, unlike MSSQL, MySQL ran on more than one platform. One database could be deployed to both platforms with the ability to keep the application running even if one goes down. Instead of having the app be entirely offline, you can bring the other over very quickly. Did this just after the first MSSQL worm to show that there are alternatives and that entire sites don't have to go down because of one bug. Now we're working on deploying some Linux clusters.

    --
    You must be the change you wish to see in the world - Gandhi
  25. Re:Windows by Tony+Hoyle · · Score: 3, Informative

    90% of tasks can be handled by the free MSDE install. There's a 2GB limit, but a lot of tasks simply don't need that kind of size.

    MySql is expensive too (300 per client, unless you want to GPL all your software).

  26. In fairness by wowbagger · · Score: 4, Insightful

    In fairness, I would generalize your statement to:

    Don't connect ANY computer to the Internet, or any other hostile network, without a firewall.

    Now, you can argue that, in the case of some operating systems, the firewall built into the OS, when properly configured, is enough.

    You can also argue that a firewall should be a firewall, and a firewall ONLY, and that any other services should be provided by another machine BEHIND the firewall.

    And depending upon the circumstances, either argument can win.

    However, if you think in terms of "First the firewall, THEN the services", you will be miles ahead.

    Connecting a Linux box, or a *BSD box, or a Mac, or an AS/400, or .* to a hostile network with any non-trivial set of services running and no firewall, and it is going to have problems.

    The problem here is that the people who set up the MySQL servers on these boxes did not ensure they were firewalled - this could have happened just as easily to a Linux box with a similarly bad setup.

  27. Re:Clarity by picklepuss · · Score: 2, Insightful

    Nice try, but you only took in a minor part of the equation, and so you fail.

    While it's true the worm could probably intrude on a *nix mySQL server that was open to the internet with a default password of ''... intrusion is only part of the game plan. The payload is the important part.

    In this case, I doubt that installing the exe on a *nix box is going to do much good. Even if the writer were to create a *nix specific script for the payload, I'm pretty sure it would be given the mysql uid/gid, and probably wouldn't be able to wreak havoc on a *nix-based system.

  28. Re:Windows by ultranova · · Score: 2, Interesting

    In linux by default in a lot of distributions being able to connect from network is disabled in mysql, or sets root password as php password,

    How does the installer do this, considering that root password is stored in hashed format, and thus should be theoretically unviewable ? Does the installer brute-force it, or does MySQL accept passwords in their hashed form, or does the installer simply ask the root password and then verify it ?

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  29. Re:Does mysql on windows have root@%? by Squeebee · · Score: 2, Informative

    Non-Windows installations are not vulnerable.

  30. People have their DB open to the world?! by Abcd1234 · · Score: 4, Informative

    Good lord, are you kidding? I would assume any reasonable organization that was accessing their database over a network would keep the webserver on a DMZ and the database server behind a firewall that's tightened up and only allows access to the database from the DMZ. Isn't this, uh, kinda obvious? And, of course, if the database and the webserver are on the same box, *why* is remote access enabled at all?

  31. Re:Doesn't seem that vital of a worm by Zaiff+Urgulbunger · · Score: 2, Insightful

    However - many developers I know believe that dev machines don't merit the same kind of hardening as production machines. "Hey! We're behind the firewall, we're safe!"
    I'm not justifying what they're doing, but if they're behind a firewall then shouldn't they be safe from this worm? Surely the people getting infected are the people with MySQL ports open directly on the int0rweb *and* no hardening.

    Maybe this'll serve as a wake-up call.
    True!

  32. MyWorm by Doc+Ruby · · Score: 2, Interesting

    We've got the source code. Where's the hole? And, more important from the OSS perspective, where's the patch? And what happens when different people release incompatible patches? Is a worm a good way to force a fork in an OSS project, making it less competitive?

    --
    make install -not war

    1. Re:MyWorm by catenos · · Score: 2, Insightful

      We've got the source code. Where's the hole?

      The worm doesn't use a hole within MySQL, but only bad admin passwords. In short, it's a problem with people not a technical one.

      But there are mitigating factors:
      - MySQL allows loading of libraries (UDF) for users with the right privileges (of which root usually is one, of course), which is a powerful feature and that power can be abused.
      - The worm requires that MySQL is set up for networking, and that the port is freely reachable from the internet.

      And, more important from the OSS perspective, where's the patch?

      No patch needed. The mitigating factors are configurable (you can disable networking in the config, and restrict accounts to certain hosts; you can compile MySQL without UDF support; and of course, you should have installed a firewall that restricts access to the port, if networking is really required).

      Btw, better distributions already come configured this way (if you want UDF support and whatever, you use the MySQL-Max binary).

      And what happens when different people release incompatible patches? Is a worm a good way to force a fork in an OSS project, making it less competitive?

      Are you trolling? No admin with any clue would use any 3rd party patch (especially when work-arounds are available), but wait for the update from his vendor.

      Changing your vendor after such an attack may be a good thing to consider, after security holes have been mishandled several times. But considering 3rd party stuff for an urgent hole only opens you to the equivalent of phishing attacks (notwithstanding all the other problems such an idea has, like that you can't know the quality of the patch).

      --
      Keep an eye on which arguments are silently dropped in replies. Not always, but often times it's very telling.
    2. Re:MyWorm by catenos · · Score: 2, Interesting

      I already answered to the second part, too. Usually there are work-arounds available. I am not sure which experience you are referring to, but I see professionals to wait for official patches and vendor updates, usually. Applying patches manually seems to be the exception, not the rule.

      But let's assume people do what you say and your scenario would happen. Why would this be a vulnerability? What is the problem? Actually, I see it as another advantage of OSS. With binary software, you *have* to use a work-around until a fix comes, and you *have* to hope that a fix will be part of the next patch-day.

      IMHO, it would probably happen as it happened with the Linux kernel some days ago: one good soul offers to maintain a fork with security patches. All is well. Where is the problem again?

      "Fork" is often used as a bad word, a worst-case scenario, when it isn't. There are a lot of distributions, and in some way, they are all forks of a lot of packages they contain (any Linux distro still delivering their main kernel unpatched?). The world still stands.

      Forks become a problem if too many of them happen and if they happen due to social problems and leave people not cooperating (because then it becomes unrealistic to backport all those patches). But in the scenario you suggest, I see people working together. Someone just taking some load from the main project.

      --
      Keep an eye on which arguments are silently dropped in replies. Not always, but often times it's very telling.
  33. wooooo the scary worm is after me by DanGroom · · Score: 2, Insightful

    So, having RTFA I'm not even slightly concerned. I have mysql running on windows, but since the exploit this thing uses requires a) straight up access via the internet (eg, no firewall) and b) a brute force attack on the root password, I feel pretty safe. As should anyone else who's behind a firewall and whose root mysql password isn't '12345'....

  34. Re:Windows by cbiltcliffe · · Score: 3, Informative
    MySql is expensive too (300 per client, unless you want to GPL all your software).
    No, $300 per server, and you don't have to GPL anything unless you redistribute it with the freely downloaded MySQL.
    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  35. serious? by dtfinch · · Score: 4, Funny

    "the bot first has to authenticate to mysql as 'root' user. A long list of passwords is included with the bot, and the bot will brute force the password."

    This makes MySQL look about as vulnerable as ssh.
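
The brute-force behaviour dtfinch quotes shows up at the perimeter as a burst of connection attempts to port 3306 from one source, which is also what the rise in port 3306 scans mentioned in the story summary looks like from the Storm Center's side. The following detector is an added example for this thread, not code from SANS or any poster: it parses firewall log lines and flags any source that hits port 3306 at least a threshold number of times inside a time window, and counts how many distinct hosts it touched (a sweep across several addresses is the worm's signature, a single repeated target looks more like password guessing). The log lines are constructed and only loosely modelled on the Linux netfilter LOG format; the thresholds are assumptions to tune for your own traffic.

```python
"""Flag sources scanning or hammering TCP port 3306 in firewall logs.
Added example for this thread, not code from SANS or any poster.  The log
lines are constructed and loosely modelled on the netfilter LOG format;
adapt parse_line() to whatever your firewall actually writes.
"""
import re
from collections import defaultdict

# Constructed sample: one source sweeping five hosts on 3306 within two
# seconds, one legitimate single connection, and unrelated noise.
SAMPLE_LOG = """\
Jan 27 18:49:51 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4455 DPT=3306 SYN
Jan 27 18:49:52 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=4456 DPT=3306 SYN
Jan 27 18:49:52 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=4457 DPT=3306 SYN
Jan 27 18:49:53 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP SPT=4458 DPT=3306 SYN
Jan 27 18:49:53 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.14 PROTO=TCP SPT=4459 DPT=3306 SYN
Jan 27 18:50:10 gw kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=3306 SYN
Jan 27 18:55:00 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=2000 DPT=80 SYN
Jan 27 19:10:00 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=2001 DPT=3306 SYN
"""

# Timestamp, host, process tag, verdict, then the SRC/DST/PROTO/DPT fields.
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+(\d\d):(\d\d):(\d\d)\s+\S+\s+\S+\s+(?P<action>\w+)\s+.*?"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\w+)\s+.*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (seconds_into_day, action, src, dst, dpt) or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(m.group(i)) for i in (1, 2, 3))
    return (h * 3600 + mi * 60 + s, m.group("action"), m.group("src"),
            m.group("dst"), int(m.group("dpt")))


def detect_3306_bursts(log_text, threshold=5, window=60, port=3306):
    """Return {src: {"hits": n, "targets": k}} for every source that sent at
    least `threshold` SYNs to `port` inside any `window` seconds.  Accepted
    and dropped packets both count: an ACCEPTed burst is the one to worry about."""
    events = defaultdict(list)   # src -> [(time, dst), ...]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev[4] == port:
            events[ev[2]].append((ev[0], ev[3]))
    flagged = {}
    for src, hits in events.items():
        times = sorted(t for t, _ in hits)
        # Sliding check: do any `threshold` consecutive hits fit in `window`?
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[src] = {"hits": len(hits),
                                "targets": len({d for _, d in hits})}
                break
    return flagged


if __name__ == "__main__":
    for src, info in detect_3306_bursts(SAMPLE_LOG).items():
        print(f"{src}: {info['hits']} attempts on 3306 across {info['targets']} hosts")
```

With the sample input only 203.0.113.7 is reported (five hosts in two seconds); the single accepted connection from 198.51.100.4 is not, so a real deployment would pair this with a check that the accepted source is one the grant tables actually allow.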

  36. I really need to remember to check the HTML option by LetterJ · · Score: 2, Informative
    I rewrote PHPTriad, securing the default password for root and did so 3 years ago. The new product is Sokkit. However, Sourceforge won't let me take PHPTriad down, point to the new commercial version or in any way indicate the project has been shut down.

    The only reason I left it alone in the old PHPTriad package was that was how MySQL themselves ship the setup. The official MySQL binaries have (unless it's changed very recently) *no* password on the root account unless you deliberately go and change it.

    Even today, I get constant complaints because I secure the root account, even though I ask them to supply the password.

  37. Re:Windows by forrestt · · Score: 2, Informative
    Or maybe it was Linux.... I could swear the reason I dismissed it was over that... maybe I'm just crazy.

    This is from MySQL 3.23.58 on Linux
    mysql> select firstName from person where firstName = "Forrest";
    +-----------+
    | firstName |
    +-----------+
    | Forrest   |
    +-----------+
    1 row in set (0.00 sec)

    mysql> select firstName from person where firstName = "forrest";
    +-----------+
    | firstName |
    +-----------+
    | Forrest   |
    +-----------+
    1 row in set (0.00 sec)
    So, yes it is case INsensitive. (But I can't really do anything to prove your sanity) :)
  38. Re:Windows by ajs318 · · Score: 3, Informative

    Linux passwords are scrambled, but the root user can read the scrambled password file. The first part of the scrambled password ($1$, eight letters/digits, $) is the "salt". The same plaintext password and the same salt will always produce the same scrambled password. The password scrambling algorithm is a standard C library function, so almost every programme uses it, not just the login validator.

    Upshot: if you copy a scrambled password from one user to another, or out of /etc/shadow into a .htpasswd {apache password file; used to password-protect directories} or something similar, it'll Just Work.

    MySQL actually uses a different password hashing algorithm, unless you tweaked the source, but I think the parent is talking about PHPMyAdmin. This creates a standard .htpasswd file when it is installed, and it uses root's UNIX password. Note you still have to supply PHPMyAdmin with a MySQL username and password. By default, MySQL has a user called "root" with no password who is only allowed to login locally. This is considered secure enough for most applications.

    NB: it's generally a very bad idea to use the same password for login and database. One dodgy web hosting company I have experienced actually did this. The MySQL username and password have to be in your user directory somewhere, in plaintext, and they have to be world-readable so the Apache daemon can see them. Upshot: any user can see any other user's database username and password. {This is why the root/no password combination isn't so insecure as it looks.} Ordinarily, the PHP {or Perl or Python} interpreter gets them first, and the user only ever sees the output from the interpreter; but you can pay for an account with the same company, determine the directory structure reasonably easily, and use a simple PHP, Perl, Python or Bash script to traverse other users' directories looking for passwords. If the database username and password is the same as the UNIX password then you can have much fun, since these passwords are also good for FTP, POP3 and SSH.

    --
    Je fume. Tu fumes. Nous fûmes!
  39. Good by Pan+T.+Hose · · Score: 2, Funny

    Does it mean that MySQL is now officially "ready for the desktop"? Hopefully, the Linux version will be next.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
  40. Re:That's why... by Anonymous Coward · · Score: 4, Informative

    Read the article. It's not exploiting a security hole in MySQL. It's exploiting MySQL installations that:

    a) Are not firewalled to the world (who'd make a DB accessible directly to the Internet?)

    b) Allow root/admin connections from the outside.

    c) Have weak root/admin passwords.

    You can chalk this one up to careless admins - something I'm sure PostgreSQL is not immune to either.

  41. MySQL on Win32, market share by HvitRavn · · Score: 4, Insightful

    No need to flame people who use MySQL on win32. This has been briefly mentioned already, but here's a slightly better explanation. One of MySQL's major advantages over other free medium-to-lightweight (such as pgsql) is that MySQL has been available for the win32 platform for a very long period of time (if you are about to mention firebird, take a look here). This enabled developers to install their webserver of choice (apache) with some cool script mod (php) alongside a database well suited for small to medium web projects (mysql). So if you are a supporter of (F)OSS, then you better not flame people who use MySQL on win32, because that is one of the reasons why MySQL is so popular today.

  42. Re:That's why... by Dysan2k · · Score: 4, Insightful

    You can chalk this one up to careless admins - something I'm sure PostgreSQL is not immune to either.

    Nothing is. Postgres folk can cry all they want, and so can MySQL, mSQL, Oracle, Informix, Sybase, Firebird, etc. It makes no difference. If you have no password, you can get into it.

    Amazes me sometimes the rabidness of the db crowd. It's a database, folks. It stores data. It's not an AI.

    --
    -What have you contributed lately?
  43. Re:So it's the admins' fault? by sloanster · · Score: 2, Funny

    Let me make sure that my understanding is aligned with the Slashbot collective.

    When a clueless admin doesn't secure Windows, it's Windows' fault. But when a clueless admin doesn't secure an OSS application, it's the admin's fault.

    Yes, you've got the drill down pat:

    Whenever another windows security crisis arises, immediately try to make light of it with sarcasm like what you've written above. The whole idea is to start a flamewar, and divert attention away from the real issues. Extra points if you can manage to insult linux, and linux users in the process.

    You have done well.

  44. Re:Windows by Neil Blender · · Score: 2, Informative

    You have to use 'binary' for case-sensitive searches.

    mysql> create table name ( name char(10) );
    Query OK, 0 rows affected (0.05 sec)

    mysql> insert into name ( name ) values ('Forrest');
    Query OK, 1 row affected (0.00 sec)

    mysql> select * from name where binary name = 'forrest';
    Empty set (0.01 sec)

    mysql> select * from name where binary name = 'Forrest';
    +---------+
    | name    |
    +---------+
    | Forrest |
    +---------+

  45. Re:more windows problems on the way by DrSkwid · · Score: 2

    Particularly for applications like MySQL, Linux is the OS of choice.

    I love that, they DO go together rather well.

    I hope you see the irony of that =)

    I can't believe some of those windows freaks that are still out there call themselves professionals.

    Linux : by amateurs, for amateurs.

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
  46. Re:That's why... by jadavis · · Score: 2, Insightful

    Although I am a postgresql advocate, I want to caution users that win32 is very different from UNIX. PostgreSQL doesn't have a long track record on win32, merely a lengthy beta test. So, it's a great database, but stop short of assuming that PostgreSQL's legendary reliability was translated perfectly to win32. After a few more months of real-world testing, you can be much more sure.

    --
    Social scientists are inspired by theories; scientists are humbled by facts.
  47. Re:That's why... by soulhuntre · · Score: 2, Insightful

    You can chalk this one up to careless admins

    Absolutely. And that is where the blame belongs - with a small nod that MySQL should not have remote admin on by default.

    Of course, if this had been a MS product then it would be all MS's fault and the admins would not be to blame... :)

    --
    --> Fight tyranny and repression.... read /. at -1!
  48. Re:That's why... by jadavis · · Score: 2, Insightful

    It would be nice if application developers made their apps database agnostic, but it rarely seems to happen.

    That might be fine if your application uses only the features supported by all databases.

    If you want more, you end up with a huge mess of bug-prone client side database operations. To ensure consistency of the data you have to do a HUGE amount of client side work because some databases don't support check constraints or constraint triggers. And all the other features it's the same deal: a huge amount of client-side code to accomplish something already available in most databases.

    So why would the application programmer spend all of their time maintaining all those database layers?

    It works for some applications, but for others it can be an exercise in futility.

    --
    Social scientists are inspired by theories; scientists are humbled by facts.
  49. Time to check auth.log and firewall rules... by MyHair · · Score: 2, Informative

    Jan 27 09:57:27 (fakehostname) mysqld[338]: refused connect from 217.224.(#).(#)
    Jan 27 09:57:47 (fakehostname) last message repeated 21 times
    (A few more like this were in the log.)

    D'oh! Didn't realize I had it open. At least I'm on Linux and don't have a blatantly obvious root password. PostgreSQL installed with IP off by default; I guess MySQL didn't. I don't even remember why MySQL's installed...some php toy I guess. PostgreSQL and MSSQL ports are already blocked even though I don't have MSSQL.

    Time to update the firewall (dedicated and local), MySQL config and revisit password strength. Maybe I should finally go to a deny by default policy....
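    A small detector for the log pattern in this post, added here as an example rather than the poster's own code. The sample lines are constructed with documentation addresses and a made-up hostname, and the counter credits each syslog "last message repeated N times" line to the mysqld refusal immediately before it.

```python
import re
from collections import Counter

# Constructed sample in the same shape as the excerpt above; "dbhost" and the
# 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 27 09:57:27 dbhost mysqld[338]: refused connect from 203.0.113.5
Jan 27 09:57:47 dbhost last message repeated 21 times
Jan 27 10:02:11 dbhost sshd[401]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Jan 27 10:05:03 dbhost mysqld[338]: refused connect from 198.51.100.77
Jan 27 10:05:09 dbhost mysqld[338]: refused connect from 203.0.113.5
Jan 27 10:05:20 dbhost last message repeated 3 times
"""

# tcp_wrappers-style refusal logged by a libwrap-enabled mysqld
REFUSED = re.compile(r"mysqld\[\d+\]: refused connect from (\S+)")
# syslog's suppression line; it refers to whatever message came just before it
REPEATED = re.compile(r"last message repeated (\d+) times")


def count_refused_connects(log_text):
    """Return {source: count} of refused mysqld connections, expanding
    'last message repeated N times' only when the preceding line was a
    mysqld refusal (any other line breaks the chain)."""
    counts = Counter()
    last_source = None
    for line in log_text.splitlines():
        m = REFUSED.search(line)
        if m:
            last_source = m.group(1)
            counts[last_source] += 1
            continue
        m = REPEATED.search(line)
        if m and last_source is not None:
            counts[last_source] += int(m.group(1))
            continue
        last_source = None  # unrelated message; a later "repeated" is not ours
    return dict(counts)


def noisy_sources(log_text, threshold=10):
    """Sources whose refusal count reaches the threshold, sorted for stable output."""
    return sorted(src for src, n in count_refused_connects(log_text).items()
                  if n >= threshold)


if __name__ == "__main__":
    for src, n in sorted(count_refused_connects(SAMPLE_LOG).items()):
        print(f"{src}: {n} refused connect(s)")
```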
  50. Re:That's why... by notque · · Score: 2, Funny

    Most serious people deploy PostgreSQL on Windows, if they're deploying anything on it at all.

    Solid reliability, transaction support, and a good security track record. Probably the best thing short of switching to an AS/400.

    You are a chewley's gum representative? and you're here stirring up all this commotion for what? To sell more gum?

    Get outta here.

    --
    http://use.perl.org