MySQL Servers Hijacked With Malware To Perform DDoS Attacks (symantec.com)
An anonymous reader writes with news of a malware campaign using hijacked MySQL servers to launch DDoS attacks. Symantec reports: "Attackers are compromising MySQL servers with the Chikdos malware to force them to conduct DDoS attacks against other targets. According to Symantec telemetry, the majority of the compromised servers are in India, followed by China, Brazil and the Netherlands, and are being used to launch attacks against a US hosting provider and a Chinese IP address."
They hijack database servers and use them for DDoS attacks?
That's like breaking into a bank and using its postage meter to send paper spam.
What's WRONG with these people?
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
>> Why is your MySQL server directly on the internet?
Did you read the part about the attacks being largely from India?
These are the people who flood forums with questions like, "My company just got a contract to do IT for [huge US corporation] and they use something called MySQL to hold all their online customers. My boss told me I need to make MySQL 'PCI compliant' this weekend but I've never used it before. Can you please tell me what PCI is and what I should type in MySQL to turn on PCI?"
AC is right, this only seems to infect MySQL running on Windows systems:
http://www.symantec.com/connec...
It modifies registry entries that fool with Terminal Services and other nasty stuff. You should be safe on Linux/BSD.
If you post as Anonymous Coward, don't expect a reply.
Don't forget SSHGuard or Fail2Ban so someone guessing passwords gets the ball-gag quickly. It also doesn't hurt to block geographic ranges one doesn't use or come from. For example, I use a VPN service (mainly as an outer layer of protection against unscrupulous Wi-Fi APs, as well as against the identifying tags Verizon adds to HTML traffic.) Any connections that are either not from where I work or from that VPN service I use are dropped via iptables (if I let them be dropped by TCP wrappers, the attacker would know a machine actually got the requests.)
Bastion hosts are wise. I have mine as a VM, so I can roll it back to the state after patches/config changes were put on, every so often. Having it RSA key only is also wise... makes password guessing a non-issue. I also have root blocked, since attackers know that user, but generally not the user I use (yes, security through obscurity... but it is one additional thing an attacker has to hunt for, in order to gain access.) As a backup, I use Google's Authenticator, so if I don't have a session with an RSA key, I can use the Google Authenticator (or similar TKIP app) as 2FA.
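The bastion setup the commenter above describes (key-only SSH, root login disabled, silent iptables drops for anything outside an allowlist, and a Fail2Ban-style reaction to password guessing) can be checked and generated from a shell script. The following is an added example written for this thread, not code from the poster or from Symantec; the sshd_config text, the auth.log lines and the source ranges are constructed samples, and a real run would read /etc/ssh/sshd_config and /var/log/auth.log instead.

```shell
#!/bin/sh
# Added example, not from the thread. All inputs below are constructed.

# Constructed sshd_config as it might look before hardening.
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
'

# audit_sshd_config <config-text>
# Compares the effective (last) value of each keyword against the bastion
# policy: no root login, no passwords, public keys on.
# Prints one WEAK line per deviation; returns 1 if any, else 0.
audit_sshd_config() {
    config="$1"
    rc=0
    for want in "PermitRootLogin no" "PasswordAuthentication no" "PubkeyAuthentication yes"; do
        key=${want%% *}
        val=${want#* }
        # sshd keywords are case-insensitive; the last occurrence wins.
        got=$(printf '%s\n' "$config" | awk -v k="$key" \
            'tolower($1)==tolower(k){v=$2} END{print v}')
        if [ "$got" != "$val" ]; then
            printf 'WEAK: %s is %s, want %s\n' "$key" "${got:-unset}" "$val"
            rc=1
        fi
    done
    return $rc
}

# gen_allowlist_rules <port> <cidr>...
# Emits iptables rules that accept SSH only from the listed source ranges
# (workplace, VPN egress) and DROP everything else. DROP rather than REJECT
# matches the commenter's point: the probing host learns nothing.
gen_allowlist_rules() {
    port="$1"; shift
    for cidr in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$cidr"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Constructed auth.log lines (RFC 5737 documentation addresses, not telemetry).
SAMPLE_AUTH_LOG='Oct 29 10:00:01 bastion sshd[1201]: Failed password for root from 192.0.2.10 port 51000 ssh2
Oct 29 10:00:03 bastion sshd[1202]: Failed password for invalid user admin from 192.0.2.10 port 51002 ssh2
Oct 29 10:00:05 bastion sshd[1203]: Failed password for root from 192.0.2.10 port 51004 ssh2
Oct 29 10:00:07 bastion sshd[1204]: Accepted publickey for ops from 203.0.113.5 port 40000 ssh2
Oct 29 10:00:09 bastion sshd[1205]: Failed password for root from 198.51.100.9 port 42000 ssh2'

# brute_force_sources <log-text> <threshold>
# Prints each source IP with at least <threshold> failed password attempts,
# which is the same signal Fail2Ban/SSHGuard act on before banning.
brute_force_sources() {
    printf '%s\n' "$1" | awk -v t="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip }'
}

# Stand-alone run: audit the sample config, print rules, list offenders.
if [ "${RUN_EXAMPLE:-1}" = 1 ]; then
    audit_sshd_config "$SAMPLE_SSHD_CONFIG" || echo "config needs hardening"
    gen_allowlist_rules 22 203.0.113.0/24 198.51.100.7/32
    brute_force_sources "$SAMPLE_AUTH_LOG" 3
fi
```

The awk lookups take the last value of each keyword because that is how sshd resolves duplicates in a single file; a production check would also need to account for `Include` directives and `Match` blocks, which this sample ignores.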