Slashdot Mirror


MySQL Servers Hijacked With Malware To Perform DDoS Attacks (symantec.com)

An anonymous reader writes with news of a malware campaign using hijacked MySQL servers to launch DDoS attacks. Symantec reports: "Attackers are compromising MySQL servers with the Chikdos malware to force them to conduct DDoS attacks against other targets. According to Symantec telemetry, the majority of the compromised servers are in India, followed by China, Brazil and the Netherlands, and are being used to launch attacks against a US hosting provider and a Chinese IP address."

14 of 55 comments

  1. Windows Servers hijacked with Malware .. by nickweller · · Score: 2

    "The attackers initially injected a malicious user-defined function (Downloader.Chikdos) into servers" ref

    How does this trojan get executed on the host system?

    1. Re:Windows Servers hijacked with Malware .. by Gr8Apes · · Score: 2

      Apparently via some other method. For Linux, the Chikdos attack is via an SSH login brute-force attack... gee, if I can log in via SSH and have root, I've already pwned the server; MySQL would be my toy, as would everything else on the machine.

      --
      The cesspool just got a check and balance.
    2. Re:Windows Servers hijacked with Malware .. by Aaden42 · · Score: 2

      Here’s the thing about VPN though... Explain what secret sauce protects a VPN against a brute force password attack that isn’t also applicable to SSH. Yes, most VPN appliances have decent lockout policies out of box, but you can do the exact same with SSH, fail2ban, etc.

      If there were a protocol exploit where SSH allowed an attacker in without credentials, then yes, sticking a tunneling protocol in front to protect it has value. When you’re talking credential attacks, it doesn’t matter what endpoint they’re brute forcing against. They either get the right password or they don’t. Or better yet, you disabled password-based auth completely and they’re trying to guess the right 8192-bit key, which probably isn’t going to happen before the hard drives in the server grind themselves to metal shavings anyway. (VPN or SSH doesn’t make a difference there either.)

    3. Re:Windows Servers hijacked with Malware .. by MachineShedFred · · Score: 2

      You are describing a bastion host; and yes, it's a good practice to use. Well done!

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    4. Re:Windows Servers hijacked with Malware .. by Anonymous Coward · · Score: 3, Interesting

      Don't forget SSHGuard or Fail2Ban so someone guessing passwords gets the ball-gag quickly. It also doesn't hurt to block geographic ranges one doesn't use, nor come from. For example, I use a VPN service (mainly as an outer layer of protection against unscrupulous Wi-Fi APs as well as Verizon's identifying tags on HTML traffic that are added.) Any connections that are either not from where I work or that VPN service I use are dropped via iptables (if I let them be dropped by TCP wrappers, the attacker would know a machine actually got the requests.)

      Bastion hosts are wise. I have mine as a VM, so I can roll it back to the state after patches/config changes were put on, every so often. Having it RSA key only is also wise... makes password guessing a non-issue. I also have root blocked, since attackers know that user, but generally not the user I use (yes, security through obscurity... but it is one additional thing an attacker has to hunt for, in order to gain access.) As a backup, I use Google's Authenticator, so if I don't have a session with a RSA key, I can use the Google Authenticator (or similar TKIP app) as 2FA.
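An added example, not part of this thread or the Symantec write-up: a POSIX shell audit of an sshd_config against the settings the comment above recommends (password auth off, root login off, key auth on), the checks you would run on a bastion host before trusting it against a dictionary attack like the one the Linux Chikdos victims fell to. The directive names are real sshd_config keywords; the two config files, the temp directory and the user name "deploy" are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread or the Symantec report): audit an sshd_config
# for key-only logins and no root login. The config files are constructed
# samples written to a temp dir so this runs offline.

# First effective value of a directive. sshd uses the FIRST occurrence of a
# keyword and ignores later duplicates, so a stray early line wins. Commented
# lines ("#PasswordAuthentication no") do not match because "#" is glued to the
# keyword. Simplification: Match blocks are ignored, only the global section is read.
sshd_get() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# One finding per line for an sshd_config; prints nothing when clean. Unset
# directives are treated as their insecure defaults (PasswordAuthentication
# defaults to yes; PermitRootLogin defaulted to yes before OpenSSH 7.0).
audit_sshd_config() {
  f=$1
  v=$(sshd_get "$f" PasswordAuthentication); v=${v:-yes}
  [ "$v" = no ] || echo "FINDING: PasswordAuthentication=$v (want 'no': key-only, nothing to guess)"
  v=$(sshd_get "$f" PermitRootLogin); v=${v:-yes}
  case "$v" in
    no|prohibit-password|without-password) ;;
    *) echo "FINDING: PermitRootLogin=$v (want 'no': every attacker knows the root username)" ;;
  esac
  v=$(sshd_get "$f" PubkeyAuthentication); v=${v:-yes}
  [ "$v" = yes ] || echo "FINDING: PubkeyAuthentication=$v (want 'yes', or key logins cannot work)"
}

# Number of findings, always exits 0 so it is safe under set -e.
count_sshd_findings() {
  audit_sshd_config "$1" | wc -l | tr -d ' '
}

SAMPLES=$(mktemp -d)
WEAK_CFG=$SAMPLES/weak_sshd_config
HARD_CFG=$SAMPLES/hardened_sshd_config

# Constructed sample: looks tidy, but the commented-out line leaves passwords on.
cat >"$WEAK_CFG" <<'EOF'
Port 22
#PasswordAuthentication no
PermitRootLogin yes
UsePAM yes
EOF

# Constructed sample: key-only logins, root locked out, named users only.
cat >"$HARD_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
AllowUsers deploy
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
  echo "== $cfg: $(count_sshd_findings "$cfg") finding(s)"
  audit_sshd_config "$cfg"
done
```

Point it at /etc/ssh/sshd_config on a real host; a fail2ban or SSHGuard jail is the second layer, this is the first, since with PasswordAuthentication off a dictionary attack has no password to find.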

  2. Re:Only infects Windows MySQL servers? by JustAnotherOldGuy · · Score: 2

    Seeing as how MySQL is the second most popular database system in the world, it might be more than that.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  3. Re:Only infects Windows MySQL servers? by Z00L00K · · Score: 2

    And putting a database exposed to the net for addresses other than the intended clients is the second fault. If you have only local client software then the database shouldn't be exposed at all.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
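An added example, not part of this thread or the Symantec write-up, for the point above that a database should not be reachable by anyone but its intended clients: a POSIX shell check of what my.cnf tells mysqld to bind to, plus a check of what is actually listening, read from `ss -ltn`-style output. The my.cnf option names are real; the config files, the listener sample and the temp directory are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the Symantec report): two checks that a
# MySQL server is not exposed beyond its intended clients. Both read constructed
# sample files, so this runs offline.

# Value of an option in the [mysqld] group of a my.cnf. Later occurrences win,
# as in mysqld; "bind_address" and "bind-address" are the same option; a flag
# with no "=" (e.g. skip-networking) yields "on". Simplification: only the
# [mysqld] group is read, not [server] or version-specific groups, and
# !includedir is not followed.
mysqld_option() {
  awk -v k="$2" '
    /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/); next }
    !in_mysqld || /^[[:space:]]*([#;]|$)/ { next }
    {
      n = split($0, kv, "=")
      key = kv[1]; gsub(/[[:space:]]/, "", key); gsub(/_/, "-", key)
      if (key != k) next
      val = (n > 1) ? kv[2] : "on"
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
      found = 1
    }
    END { if (found) print val }' "$1"
}

# One line per problem in a my.cnf; prints nothing when mysqld is local-only.
mysql_bind_findings() {
  f=$1
  # skip-networking: no TCP listener at all, only the Unix socket / named pipe.
  [ -z "$(mysqld_option "$f" skip-networking)" ] || return 0
  v=$(mysqld_option "$f" bind-address)
  case "$v" in
    ""|0.0.0.0|::|\*)
      echo "FINDING: bind-address=${v:-unset}, mysqld listens on every interface" ;;
    127.0.0.1|::1|localhost) ;;
    *)
      echo "CHECK: bind-address=$v, confirm the host firewall limits 3306 to the intended clients" ;;
  esac
}

# Non-loopback 3306 listeners from `ss -ltn` style output
# (State Recv-Q Send-Q Local:Port Peer:Port). What the config says is one
# thing; what is actually bound is what gets scanned.
public_3306_listeners() {
  awk '$1 == "LISTEN" {
    n = split($4, a, ":"); port = a[n]
    if (port == "3306" && $4 !~ /^(127\.|\[::1\]|localhost)/) print $4
  }' "$1"
}

SAMPLES=$(mktemp -d)
EXPOSED_CNF=$SAMPLES/exposed.cnf
LOCAL_CNF=$SAMPLES/local.cnf
SS_SAMPLE=$SAMPLES/ss_ltn.txt

# Constructed sample: the stack-installer default, reachable from anywhere.
cat >"$EXPOSED_CNF" <<'EOF'
[client]
port = 3306
[mysqld]
port = 3306
bind-address = 0.0.0.0
datadir = /var/lib/mysql
EOF

# Constructed sample: app and database on the same box, loopback only.
cat >"$LOCAL_CNF" <<'EOF'
[mysqld]
# bind_address = 0.0.0.0
bind_address = 127.0.0.1
EOF

# Constructed sample of `ss -ltn` output: one loopback and one wildcard 3306 listener.
cat >"$SS_SAMPLE" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      80     *:3306             *:*
EOF

for cnf in "$EXPOSED_CNF" "$LOCAL_CNF"; do
  echo "== $cnf"; mysql_bind_findings "$cnf"
done
echo "== 3306 listeners reachable beyond loopback:"; public_3306_listeners "$SS_SAMPLE"
```

When the clients are on other hosts, bind to the server's internal address and pair it with a host firewall rule that admits 3306 only from those client addresses; the listener check is the one to rerun after any installer or upgrade, since that is where the wildcard bind tends to come back.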
  4. Is there anything to read without disabling JS? by Anonymous Coward · · Score: 2, Interesting

    Is there anything I can read about this without disabling NoScript on that bloody Symantec travesty of a website?

  5. They hijack database servers and use 'em for DDoS? by Ungrounded Lightning · · Score: 4, Funny

    They hijack database servers and use them for DDoS attacks?

    That's like breaking into a bank and using its postage meter to send paper spam.

    What's WRONG with these people?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  6. Re:Why? by xxxJonBoyxxx · · Score: 4, Funny

    >> Why is your MySQL server directly on the internet?

    Did you read the part about the attacks being largely from India?

    These are the people who flood forums with questions like, "My company just got a contract to do IT for [huge US corporation] and they use something called MySQL to hold all their online customers. My boss told me I need to make MySQL 'PCI compliant' this weekend but I've never used it before. Can you please tell me what PCI is and what I should type in MySQL to turn on PCI?"

  7. Re:Only infects Windows MySQL servers? by Major Blud · · Score: 4, Informative

    AC is right, this only seems to infect MySQL running on Windows systems:

    http://www.symantec.com/connec...

    It modifies registry entries that fool with Terminal Services and other nasty stuff. You should be safe on Linux/BSD.

    --
    If you post as Anonymous Coward, don't expect a reply.
  8. Re:Why? by U2xhc2hkb3QgU3Vja3M · · Score: 2

    Fools. Screw PCI and use ISA instead, it's a lot cheaper.

    Fight for your bitcoins!

  9. Re:Only infects Windows MySQL servers? by budgenator · · Score: 2

    "The Linux version was installed onto computers that had been compromised by a Secure Shell (SSH) dictionary attack."
    One would hope that only a few sandbox machines and almost no production machines were affected, but weak passwords are more prevalent than we would like to admit.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  10. Re:Only infects Windows MySQL servers? by Culture20 · · Score: 2

    And most of the Linux ones have their firewalls blocking 3306. The trouble with WAMP configs is the installers often open 3306 by default on the Windows machines' firewalls, and they also don't auto-update for security patches. A double-whammy.