Slashdot Mirror

← Back to Stories (view on slashdot.org)

Worm Hits Windows Machines Running MySQL

Posted by michael on from the batten-the-ports-prepare-for-heavy-weather dept.

UnderAttack writes "A report on the Australian whirlpool forum suggest that a worm is currently taking out MySQL servers running on Windows. We have seen this happen with MSSQL before (not just 'Slammer', but also SQLSnake that used SA accounts without password). The SANS Internet Storm Center suggests that a rise in port 3306 scans can be attributed to the new worm, and is asking for observations to help figure this out. It appears the worm creates a file called 'spoolcll.exe'."

7 of 367 comments (clear)

  1. Acronym madness clarification. by sanityspeech · · Score: 5, Informative

    What is the SANS institute?

    The SANS (SysAdmin, Audit, Network, Security) Institute provides information security training and certification. For more information, visit www.sans.org

    What's an SA account?

    The system administrator (SA) account is similar to the DBO except it is of the entire server. It has the same access and permissions as the DBO on all the databases in the server.

    DBO account???

    The DBO User Account The database owner (DBO) is the administrator for the database. It has full access to all operations and rights.

    SQL Snake is an Internet worm, that scans for open Microsoft SQL 7 (MSSQL) and 2000 servers - which run on TCP Port 1433 by default. The worm attempts to log into the System Administrator (SA) account with no password. If successful, the worm downloads and hides some files and grabs system configuration and account names.

    Before the MySQL bashers start, it should be noted that this is not a problem with MySQL.

    From the article:

    This bot does not use any vulnerability in mysql. The fundamental weakness it uses is a week 'root' account. The following mitigation methods will prevent exploitation:

    Strong Password: Select a strong password, in particular for the 'root' account.
    Restricted root account: Connections for any account can be limited to certain hosts in MySQL. This is in particular important for 'root'. If possible, 'root' should only be allowed to connect from the local host. MySQL will also allow you to force connections to use mysql's own SSL connection option.
    Apply firewall rules: MySQL servers should not be exposed to the "wild outside". Block port 3306 and only allow access from selected hosts that require such access. Again, the use of ssh forwarding or SSL is highly recommended.

  2. I don't get it by gowen · · Score: 5, Interesting
    I don't understand the sans report. First it says :
    The bot uses the "MySQL UDF Dynamic Library Exploit".
    before adding
    This bot does not use any vulnerability in mysql.


    Come again?
    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  3. I got hit by LiquidCoooled · · Score: 5, Informative

    My test server was compromised at 18:50 yesterday.
    When I got back to my machine at 19:20, I cleaned it down and found out what was happening.

    All firewall logs etc and have archived the executable and dll files dropped.

    One into the mysql data folder (app_result.dll), and the executable spoolcll.exe was dropped into windows.
    Only now that I've gone into the archive folder has Norton picked it up and archived it (it had shutdown/ran the QConsole.exe NAV application to ensure Norton didn't find it, or it just wasn't in the definitions yesterday).
    Its been detected as a href='http://securityresponse.symantec.com/avcente r/venc/data/w32.spybot.worm.html'>w32.Spybot.worm.

    --
    liqbase :: faster than paper
  4. Don't keep the port open! by hacker · · Score: 5, Informative

    99.99% of people who run MySQL run it on the same machine as their webserver that queries it. Most people don't actually do queries across the network to the database server.

    Just run MySQL with --skip-networking at startup (skip-networking in my.cnf), to disable MySQL from listening on port 3306. I know on most systems, its probably the default, but in almost all of the cases, its completely unnecessary.

    And also, validate your input !! Don't just assume that whatever is passed on the URI field of a browser, is going to be correct. Check it. Then check it again.

  5. Some info by Squeebee · · Score: 5, Informative

    Ok folks. This is a bot, and it uses weak root passwords to gain entry to MySQL. From there, it loads a BLOB in a table with a payload DLL, which it then writes to disk and loads as a MySQL UDF. The UDF is called, which creates the bot and the system is compromised.

    Damage appears to be low as it is more spyware than anything, and you are only at risk if you A) Have not firewalled the MySQL Port, B) Have a root account that is allowed to login from anywhere, not just localhost, and C) Have a weak root password.

    So, the fix is this:

    A) Firewall port 3306
    B) Remove the root@% account, only allow root@localhost
    C) Set a strong password

    I have more info at http://www.openwin.org/mike/index.php/archives/200 5/01/batten-the-hatches-mysql-targeting-bot-on-the -loose/

  6. temporary fix by greechneb · · Score: 5, Informative


    Open the Administrative Tools/Services app.
    Find the "Event Monitor" service.
    Open the Properties for this service.
    You cannot pause or stop this service, so set the General/Startup Type to Disabled.
    On the Recovery tab, set all 3 failure actions to Take No Actions.

    Reboot.

    Since the service didn't start, spoolcll.exe is not running.
    Delete it (or whatever).

    But, do not delete the service, as its existence will prevent new copies of the virus from activating.

  7. Re:Ok, this is strange by stanleypane · · Score: 5, Funny

    You seem very concerned. Better submit that last Slashdot comment before checking it out.