MySQL Servers Hijacked With Malware To Perform DDoS Attacks (symantec.com)

← Back to Stories (view on slashdot.org)

MySQL Servers Hijacked With Malware To Perform DDoS Attacks (symantec.com)

Posted by samzenpus on Wednesday October 28, 2015 @06:37AM from the protect-ya-neck dept.

An anonymous reader writes with news of a malware campaign using hijacked MySQL servers to launch DDoS attacks. Symantec reports: "Attackers are compromising MySQL servers with the Chikdos malware to force them to conduct DDoS attacks against other targets. According to Symantec telemetry, the majority of the compromised servers are in India, followed by China, Brazil and the Netherlands, and are being used to launch attacks against an US hosting provider and a Chinese IP address."

37 of 55 comments (clear)

Min score:

Reason:

Sort:

Windows Servers hijacked with Malware .. by nickweller · 2015-10-28 06:53 · Score: 2

"The attackers initially injected a malicious user-defined function (Downloader.Chikdos) into servers" ref

How does this trijan get executed on the host system.
1. Re:Windows Servers hijacked with Malware .. by Gr8Apes · 2015-10-28 06:57 · Score: 2
  
  Apparently via some other method. For Linux, the Chikdos attack is via an ssh login bruteforce attack.... gee, if I can login via ssh and have root, I've already pwned the server, MySQL would be my toy, as would everything else on the machine.
  
  --
  The cesspool just got a check and balance.
2. Re:Windows Servers hijacked with Malware .. by Aaden42 · 2015-10-28 07:16 · Score: 2
  
  Here’s the thing about VPN though... Explain what secret sauce protects a VPN against a brute force password attack that isn’t also applicable to SSH. Yes, most VPN appliances have decent lockout policies out of box, but you can do the exact same with SSH, fail2ban, etc.
  If there was a protocol exploit where SSH allowed an attacker in without credentials, then yes sticking a tunneling protocol in front to protect it has value. When you’re talking credential attacks, it doesn’t matter what enpoint they’re brute forcing against. They either get the right password or they don’t. Or better yet, you disabled password based auth completely and they’re trying to guess the right 8192-bit key which probably isn’t going to happen before the hardrives in the server grind themselves to metal shavings anyways. (VPN or SSH doesn’t make a difference there either).
3. Re:Windows Servers hijacked with Malware .. by The-Ixian · 2015-10-28 07:18 · Score: 1
  
  I remove access to SSH from all hosts.
  I then set up an SSH server with all authentication methods disallowed except certificate authentication.
  The host is in a DMZ with ssh open to internal hosts, it also allows ssh agent forwarding and tunneling. This makes for a great "poor man's" vpn server when the actual VPN is down or has a problem.
  This has proven to be a pretty secure system.
  
  --
  My eyes reflect the stars and a smile lights up my face.
4. Re:Windows Servers hijacked with Malware .. by Bert64 · 2015-10-28 07:32 · Score: 1
  
  Make sure you use the host as a tunnel rather than a jump off point (ie you dont login to an interactive shell and then start a new instance of ssh to connect to internal boxes)... Otherwise if someone owns the jump box they can quickly get everything.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
5. Re:Windows Servers hijacked with Malware .. by MachineShedFred · 2015-10-28 08:19 · Score: 1
  
  With any VPN worth using, you can use two-factor authentication.
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
6. Re:Windows Servers hijacked with Malware .. by MachineShedFred · 2015-10-28 08:21 · Score: 2
  
  You are describing a bastion host; and yes, it's a good practice to use. Well done!
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
7. Re:Windows Servers hijacked with Malware .. by Aaden42 · 2015-10-28 08:25 · Score: 1
  
  With any pamd implementation worth using, you can use two-factor authentication.
  Setting up Google Authenticator / Authy style two-factor is fairly straightforward in pamd for SSH logins. Not special sauce for the VPN, just poorly configured SSH. No doubt the VPN's more likely to have a nice shiny checkbox to enable it versus hacking pamd config files, but a well-configured VPN is still not magically more secure than a well-configured SSHd.
8. Re:Windows Servers hijacked with Malware .. by Anonymous Coward · 2015-10-28 08:51 · Score: 3, Interesting
  
  Don't forget SSHGuard or Fail2Ban so someone guessing passwords gets the ball-gag quickly. It also doesn't hurt to block geographic ranges one doesn't use, nor come from. For example, I use a VPN service (mainly as an outer layer of protection against unscrupulous Wi-Fi APs as well as Verizon's identifying tags on HTML traffic that are added.) Any connections that are either not from where I work or that VPN service I use are dropped via iptables (if I let them be dropped by TCP wrappers, the attacker would know a machine actually got the requests.)
  Bastion hosts are wise. I have mine as a VM, so I can roll it back to the state after patches/config changes were put on, every so often. Having it RSA key only is also wise... makes password guessing a non-issue. I also have root blocked, since attackers know that user, but generally not the user I use (yes, security through obscurity... but it is one additional thing an attacker has to hunt for, in order to gain access.) As a backup, I use Google's Authenticator, so if I don't have a session with a RSA key, I can use the Google Authenticator (or similar TKIP app) as 2FA.
9. Re:Windows Servers hijacked with Malware .. by interval1066 · 2015-10-28 12:47 · Score: 1
  
  This is the only way to go.
  
  --
  Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
Re:Only infects Windows MySQL servers? by JustAnotherOldGuy · 2015-10-28 06:54 · Score: 2

Seeing as how MySQL is the second most popular database system in the world, it might be more than that.

--
Just cruising through this digital world at 33 1/3 rpm...
Re:Only infects Windows MySQL servers? by Z00L00K · 2015-10-28 06:54 · Score: 2

And putting a database exposed to the net for addresses other than the intended clients is the second fault. If you have only local client software then the database shouldn't be exposed at all.

--
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Is there anything to read without disabling JS? by Anonymous Coward · 2015-10-28 06:54 · Score: 2, Interesting

Is there anything I can read about this without disabling NoScript on that bloody Symantec travesty of a website?
1. Re:Is there anything to read without disabling JS? by steveg · 2015-10-28 07:52 · Score: 1
  
  Argh. Got that right. After about ten seconds of "Loading your community website" I decided they didn't have anything I cared to see.
  
  --
  Ignorance killed the cat. Curiosity was framed.
Why? by ArsonSmith · 2015-10-28 07:04 · Score: 1

Why is your MySQL server directly on the internet?

--
Paying taxes to buy civilization is like paying a hooker to buy love.
1. Re:Why? by xxxJonBoyxxx · 2015-10-28 07:18 · Score: 4, Funny
  
  >> Why is your MySQL server directly on the internet?
  Did you read the part about the attacks being largely from India?
  These are the people who flood forums with questions like, "My company just got a contract to do IT for [huge US corporation] and they use something called MySQL to hold all their online customers. My boss told me I need to make MySQL 'PCI compliant' this weekend but I've never used it before. Can you please tell me what PCI is and what I should type in MySQL to turn on PCI?"
2. Re:Why? by The-Ixian · 2015-10-28 07:27 · Score: 1
  
  I was thinking the same thing....
  
  --
  My eyes reflect the stars and a smile lights up my face.
3. Re:Why? by StormReaver · 2015-10-28 07:31 · Score: 1
  
  Why is your MySQL server directly on the internet?
  The more important question is why the hell the compromised companies hadn't long ago fired the morons who are still using inline SQL. Using inline SQL is akin to a surgeon not wearing a mask. It's gross negligence.
4. Re:Why? by deKernel · 2015-10-28 07:48 · Score: 1
  
  You just made my day with that comment...thanks!
5. Re:Why? by U2xhc2hkb3QgU3Vja3M · 2015-10-28 08:24 · Score: 2
  
  Fools. Screw PCI and use ISA instead, it's a lot cheaper.
  Fight for your bitcoins!
6. Re:Why? by monkeyhybrid · 2015-10-28 08:32 · Score: 1
  
  You forgot the all too common, "reply quickly", from the end.
7. Re:Why? by phantomfive · 2015-10-28 08:34 · Score: 1
  
  That's one of the most controversial arguments around. The reason it's controversial is simple, all the options suck.
  
  ORMs suck in some situations.
  Stored procedures suck in some situations.
  Inline SQL suck situations.
  
  There's no really good, flexible way to access a database that works for all use cases.
  
  --
  "First they came for the slanderers and i said nothing."
8. Re:Why? by KGIII · 2015-10-28 10:29 · Score: 1
  
  I lend a hand on a few forums. It keeps me busy. When I see something like that, "Reply Quickly." I just ignore it. I don't do homework nor do I do your job for you. I'll help, if you show an interest in actually learning. I won't help if you were too lazy to use a search engine (for common terms, I can understand a beginner not knowing which keywords to use).
  
  --
  "So long and thanks for all the fish."
9. Re:Why? by nebosuke · 2015-10-28 12:39 · Score: 1
  
  No, there really isn't any excuse for using raw inline SQL given the existence and ubiquity of parameterized query APIs. They provide all of the flexibility of raw SQL but with guaranteed proper escaping of value text and thus no SQL injection vulnerability (bugs in the API implementation notwithstanding).
10. Re:Why? by phantomfive · 2015-10-28 12:41 · Score: 1
  
  If you consider parameterized query APIs to not be inline SQL, then you are right.
  
  --
  "First they came for the slanderers and i said nothing."
They hijack database servers and use 'em for DDoS? by Ungrounded+Lightning · 2015-10-28 07:05 · Score: 4, Funny

They hijack database servers and use them for DDoS attacks?
That's like breaking into a bank and using its postage meter to send paper spam.
What's WRONG with these people?

--
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Read the artcile by selectspec · 2015-10-28 07:17 · Score: 1

The hackers use SQL injection to insert a user-defined-function that downloads the malware. So, the developers must have been not protecting their strings from SQL injection.

--
Someone you trust is one of us.
Re:They hijack database servers and use 'em for DD by Aaden42 · 2015-10-28 07:20 · Score: 1

Not everybody’s data is interesting or valueable. If they’re not storing CC#’s or SSN’s, most attackers probably can’t monitize whatever they might find in the DB.
Their bandwidth (assuming an outbound DDoS) or their willingness to pay to keep their systems up (inbound DoS against the company’s other servers) is likely to be far more lucrative than trying to fence their data.
Re:Only infects Windows MySQL servers? by Major+Blud · 2015-10-28 07:45 · Score: 4, Informative

AC is right, this only seems to infect MySQL running on Windows systems:
http://www.symantec.com/connec...
It modifies registry entries that fool with Termial Services and other nasty stuff. You should be safe on Linux/BSD.

--
If you post as Anonymous Coward, don't expect a reply.
Re:What is this shit? by phantomfive · 2015-10-28 08:06 · Score: 1

The article addresses your questions:

In the latest Chikdos campaign that we observed, the attackers likely used an automated scanner or possibly a worm to compromise MySQL servers and install the UDF. However the exact infection vector has not been identified
Chikdos isn't an exploit, it's a tool that uses MySQL user-defined-functions to attack another server. Symantec picked up on the attacks using their telemetry.

This particular story isn't something to teach you how to be a better server admin (although it can, if you follow the advice in the article). It's a report about various things that are passing through cyberspace, and where they come from. If you're interested in that sort of thing, then you'll be interested in this article.

--
"First they came for the slanderers and i said nothing."
There is only a handful of cases, do not worry! by U2xhc2hkb3QgU3Vja3M · 2015-10-28 08:25 · Score: 1

Seriously, who the hell still uses MySQL on DOS servers?
Fight for your bitcoins!
Re:Only infects Windows MySQL servers? by budgenator · 2015-10-28 09:28 · Score: 2

"The Linux version was installed onto computers that had been compromised by a Secure Shell (SSH) dictionary attack."
One would hope that only a few sandbox machines and almost no production machines were affected, but weak passwords are more prevalent that we would like to admit.

--
Apocalypse Cancelled, Sorry, No Ticket Refunds
Re:Only infects Windows MySQL servers? by Culture20 · 2015-10-28 09:31 · Score: 2

And most of the Linux ones have their firewalls blocking 3306. The trouble with WAMP configs is the installers often open 3306 by default on the Windows machines' firewalls, and they also don't auto-update for security patches. A double-whammy.
Re:Only infects Windows MySQL servers? by Bengie · 2015-10-28 13:21 · Score: 1

Regardless of the local server's firewall, the network firewall should be blocking everything by default, especially for the servers.
Re:Only infects Windows MySQL servers? by Culture20 · 2015-10-28 15:26 · Score: 1

WAMP is usually installed on desktop/laptop computers instead of servers. Often as a developer's testbed. Unfortunately, also in less restrictive networks.
Re:Only infects Windows MySQL servers? by greenfruitsalad · 2015-10-29 02:17 · Score: 1

that's a nice chart you've found there. i found the ranking a little disconnected from reality but then i looked at the "ranking method" and felt satisfied i was right.
all is still well with the world, sqlite is still 10x more popular than all the competitors combined.
Re:Only infects Windows MySQL servers? by JustAnotherOldGuy · 2015-10-29 03:49 · Score: 1

all is still well with the world, sqlite is still 10x more popular than all the competitors combined.
"And artificial sweeteners were safe, WMDs were in Iraq and Anna Nicole married for love."

--
Just cruising through this digital world at 33 1/3 rpm...