
Worm Hits Windows Machines Running MySQL

michael posted more than 9 years ago | from the batten-the-ports-prepare-for-heavy-weather dept.


UnderAttack writes "A report on the Australian Whirlpool forum suggests that a worm is currently taking out MySQL servers running on Windows. We have seen this happen with MSSQL before (not just 'Slammer', but also SQLSnake, which used SA accounts without passwords). The SANS Internet Storm Center suggests that a rise in port 3306 scans can be attributed to the new worm, and is asking for observations to help figure this out. It appears the worm creates a file called 'spoolcll.exe'."


Frist Psot (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11493070)

Can I make it? Is dream. ^^;;

Windows (-1, Troll)

CmdrGravy (645153) | more than 9 years ago | (#11493072)

Who'd use MySQL on Windows though ?

Re:Windows (4, Insightful)

TedCheshireAcad (311748) | more than 9 years ago | (#11493114)

Don't laugh - it happens. MSSQL is 'spensive, and for an all-windows environment that needs a database - MySQL wins the prize.

/took your comment too seriously

Re:Windows (3, Informative)

Directrix1 (157787) | more than 9 years ago | (#11493147)

Only because people don't know about Firebird.

Re:Windows (1)

the_mad_poster (640772) | more than 9 years ago | (#11493287)

Last time I looked at firebird I seem to recall having an issue with it not recognizing case, which wasn't a good thing.

Besides, MSSQL is fine if you have the money, and now that PostgreSQL is (finally) available as a native app on Windows, there's no reason to run MySQL anymore. I'm sure the MySQL fanboys will label that a troll, but unless all you need to do with your database is run a lot of SELECTs from your blog, MySQL is not a very good solution.

Re:Windows (1)

pr0c (604875) | more than 9 years ago | (#11493299)

and now postgres

Re:Windows (1)

nurb432 (527695) | more than 9 years ago | (#11493386)

Or the ones that don't know the native PostgreSQL for win32 is now out.

Re:Windows (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11493453)

What does a web browser have to do with anything?

Re:Windows (1)

daeley (126313) | more than 9 years ago | (#11493558)

Only because people don't know about Firebird.

Web browser, right? Wonder what ever happened to them... ;)

Re:Windows (1)

Malc (1751) | more than 9 years ago | (#11493398)

There's always PostgreSQL [postgresql.org] .

/continuing being too serious ;)

Re:Windows (3, Informative)

Tony Hoyle (11698) | more than 9 years ago | (#11493462)

90% of tasks can be handled by the free MSDE install; there's a 2GB limit, but a lot of tasks simply don't need that kind of size.

MySQL is expensive too (300 per client, unless you want to GPL all your software).

Re:Windows (1)

malcomvetter (851474) | more than 9 years ago | (#11493560)

Cheshire's right ... I personally use it in a MS environment where I just needed a DB & perl for a small home grown app. I, however, run it without allowing connections from anywhere but localhost.

Re:Windows (0, Redundant)

DanUK (676625) | more than 9 years ago | (#11493116)

lol @ MySQL on doze box

Re:Windows (1)

macaulay805 (823467) | more than 9 years ago | (#11493119)

Admins in an environment that denies them the use of anything else.

Re:Windows (1)

datadriven (699893) | more than 9 years ago | (#11493127)

Mostly web developers I think. I used to run the windows version of mysql before I moved my desktops to slackware.

Re:Windows (1)

greechneb (574646) | more than 9 years ago | (#11493131)

People who use windows for other things, and don't want to pay for the MSSQL license. You'd be surprised, there are several people I know who use this, just because they are lazy and cheap.

Re:Windows (3, Informative)

UnderAttack (311872) | more than 9 years ago | (#11493148)

Well, Apache, PHP and MySQL run just fine on Windows. Many people run Linux on servers, but Windows on developer desktops (which then have Apache, PHP and MySQL installed).

Re:Windows (3, Informative)

_xeno_ (155264) | more than 9 years ago | (#11493235)

Exactly. There are something like seven developer systems running Windows that have MySQL and a web server on them for webapp development in the section I work for. Then, later, the webapp gets uploaded to a Solaris machine where the users actually use it.

I also have MySQL on my home Windows machine, since that's what my hosting provider offers. So I do some basic testing on Apache on Windows with MySQL as the database backend.

Re:Windows (1)

Kick the Donkey (681009) | more than 9 years ago | (#11493369)

PHP: True cross-platform programming... ;)

Re:Windows (4, Informative)

gmuslera (3436) | more than 9 years ago | (#11493187)

I'll bet that the worm takes advantage of the default installation of MySQL made by PHPTriad [sourceforge.net] or another "easy" way to install MySQL under Windows along with, in this case, PHP and Apache.

On Linux, by default in a lot of distributions, being able to connect from the network is disabled in MySQL, or the root password is set to the PHP password, so the risk of that kind of worm (well, for systems that don't even have a basic firewall configured) is pretty low.

Re:Windows (2, Interesting)

ultranova (717540) | more than 9 years ago | (#11493534)

On Linux, by default in a lot of distributions, being able to connect from the network is disabled in MySQL, or the root password is set to the PHP password,

How does the installer do this, considering that root password is stored in hashed format, and thus should be theoretically unviewable ? Does the installer brute-force it, or does MySQL accept passwords in their hashed form, or does the installer simply ask the root password and then verify it ?

Re:Windows (1)

edremy (36408) | more than 9 years ago | (#11493217)

Us. I just inherited our electronic portfolio system, which runs Apache/Tomcat/MySQL on Windows2000. We're mostly a Windows shop, and it runs fine. (Well, sorta fine, but I think that's mostly some problems with the portfolio, not A/T/M.)

Re:Windows (2, Informative)

weopenlatest (748393) | more than 9 years ago | (#11493250)

I use mysql at the web shop I work for. The reason is that we're in the process of moving a legacy ASP application to LAMP, and running both PHP and ASP on the same box was SUPPOSED to be a timesaver by smoothing over the transition. I was against this idea from the beginning, arguing that mysql and php on windows were underdeveloped compared to the linux/unix versions. Now I have a nice 'I told you so' that the managers can understand.

Re:Windows (1)

Short Circuit (52384) | more than 9 years ago | (#11493487)

Er...have you read any of the other posts? Chances are, the worm takes advantage of a default configuration. (i.e. "password" as the password, network access enabled, etc.) Any decent admin would at least secure the installation.

And in the case it takes advantage of something like a buffer overflow, then so what? IIS has had a long, fruitful history of exploits. And it's been considered as "fully developed" for years. And you're going to use a single example as an I Told You So?!

Re:Windows (0)

daBass (56811) | more than 9 years ago | (#11493494)

Who'd use MySQL at all when there is a _really_ free alternative (BSD license) called Postgresql.

Now that it runs natively on Windows too, there is no reason to use MySQL anywhere anymore.

MySQL, you are the weakest referential integrity constraint, goodbye.

How Appropriate (-1)

Anonymous Coward | more than 9 years ago | (#11493079)

It's appropriate that the talk page for this was 404'ing for a while.

That's why... (0, Interesting)

Anonymous Coward | more than 9 years ago | (#11493086)

Most serious people deploy PostgreSQL on Windows, if they're deploying anything on it at all.

Solid reliability, transaction support, and a good security track record. Probably the best thing short of switching to an AS/400.

What? (2, Informative)

Anonymous Coward | more than 9 years ago | (#11493150)

Do you realize how much of a pain it was to get postgres working on Windows until fairly recently?

Re:That's why... (0)

greechneb (574646) | more than 9 years ago | (#11493178)

Any stats to back that up?

Re:That's why... (1)

jaseuk (217780) | more than 9 years ago | (#11493373)

I've used postgresql on windows.

If you've been given a MSSQL based ASP app, it's usually straightforward to port to postgres, as they have a similar feature set for most typical web based apps.

Jason.

HOLY SHIT - YOU'RE DUMB (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11493433)

How is the fact that you, one person [and actually, given the stupidity of your comment, I would argue that you're only half a person], use Postgresql on Windows a statistic that backs up the original poster's claim?

Guess what Jason, you're really fucking stupid and you should commit suicide, today.

Re:That's why... (0)

Anonymous Coward | more than 9 years ago | (#11493283)

Every app that I've tested or checked out that used a non-MS sql database has used MySQL and I've checked out a lot of them. I have yet to see a windows app use postgre.

Re:That's why... (1)

Squeebee (719115) | more than 9 years ago | (#11493370)

And if they have a blank password and no firewall are they any more secure than a MySQL user?

well :) (1, Funny)

rd4tech (711615) | more than 9 years ago | (#11493087)

We have seen this happen with MSSQL before.

it was a news with a slamming facts in it

Acronym madness clarification. (5, Informative)

sanityspeech (823537) | more than 9 years ago | (#11493090)

What is the SANS institute?

The SANS (SysAdmin, Audit, Network, Security) Institute provides information security training and certification. For more information, visit www.sans.org

What's an SA account?

The system administrator (SA) account is similar to the DBO except it is of the entire server. It has the same access and permissions as the DBO on all the databases in the server.

DBO account???

The DBO User Account The database owner (DBO) is the administrator for the database. It has full access to all operations and rights.

SQL Snake is an Internet worm that scans for open Microsoft SQL 7 (MSSQL) and 2000 servers, which run on TCP port 1433 by default. The worm attempts to log into the System Administrator (SA) account with no password. If successful, the worm downloads and hides some files and grabs system configuration and account names.

Before the MySQL bashers start, it should be noted that this is not a problem with MySQL.

From the article:

This bot does not use any vulnerability in mysql. The fundamental weakness it uses is a weak 'root' account. The following mitigation methods will prevent exploitation:

Strong Password: Select a strong password, in particular for the 'root' account.
Restricted root account: Connections for any account can be limited to certain hosts in MySQL. This is particularly important for 'root'. If possible, 'root' should only be allowed to connect from the local host. MySQL will also allow you to force connections to use MySQL's own SSL connection option.
Apply firewall rules: MySQL servers should not be exposed to the "wild outside". Block port 3306 and only allow access from selected hosts that require such access. Again, the use of ssh forwarding or SSL is highly recommended.

Re:Acronym madness clarification. (0)

Anonymous Coward | more than 9 years ago | (#11493156)

Before the MySQL bashers start, it should be noted that this is not a problem with MySQL.

That's never stopped the Microsoft fanboys from complaining before...

Re:Acronym madness clarification. (1)

Deviate_X (578495) | more than 9 years ago | (#11493241)

Before the MySQL bashers start, it should be noted that this is not a problem with MySQL

This is not a bash but... A server should not (by default at least) allow remote access to administrative or root accounts where no password has been specified.

Re:Acronym madness clarification. (0, Flamebait)

caino59 (313096) | more than 9 years ago | (#11493495)

you're not familiar with the default settings, eh?

windows is not an OS for dumb people - it takes a lot of work and effort to secure it...
other OS's are a lot more secure out of the box

unfortunately, it's the morons (glaring generality, yes.) that use windows, and the more informed using the other OS's....

MySQL on Windows (?) (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11493092)

According to some of the text, the bot is specific to MySQL running on Windows, and has infected around 8500 systems.

It should be about done. I mean, isn't that about all of them?

Clarity (0, Redundant)

pete-classic (75983) | more than 9 years ago | (#11493094)

To be clear, this is a Windows MySQL worm.

-Peter

Re:Clarity (3, Insightful)

Anonymous Coward | more than 9 years ago | (#11493160)

That doesn't change the fact that there are flaws in MySQL that need to be fixed.

Re:Clarity (2, Insightful)

Fred_A (10934) | more than 9 years ago | (#11493339)

Flaws such as letting people install it that are clueless enough to put it on Internet connected machines without setting passwords for administrative accounts ?

That'll be a tough one to patch...

Re:Clarity (1)

Jedi Alec (258881) | more than 9 years ago | (#11493552)

is it? if (networking_enabled) { harass_person_installing_until_said_person_sets_a_bloody_password(); }

Re:Clarity (1)

pete-classic (75983) | more than 9 years ago | (#11493351)

'Fraid the facts are against you on this one, AC. From the fine article:


This bot does not use any vulnerability in mysql. The fundamental weakness it uses is a weak 'root' account.


On the other hand, it does belie the theory that windows just gets attacked because it's popular. (Assuming there are more non-windows deployments of MySQL. I think that's a safe assumption.)

-Peter

Re:Clarity (1, Insightful)

Anonymous Coward | more than 9 years ago | (#11493311)

Regardless of your true intent, your posting appears to be an attempt to sell the idea that there are inherent flaws in Windows. But unfortunately, the reality is that the worm didn't take advantage of a Windows-specific flaw! Basically the worm author CHOSE to target Windows .. not Linux.

But yeah of course you'll get modded up by all the default anti-Microsoft moderators. Any bashing of Microsoft is praised here no matter how devious .. forget being logical and truthful.

Re:Clarity (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11493415)

STFU, bonch.

Re:Clarity (2, Insightful)

picklepuss (749206) | more than 9 years ago | (#11493500)

Nice try, but you only took in a minor part of the equation, and so you fail.

While it's true the worm could probably intrude on a *nix MySQL server that was open to the internet with a default password of ''... intrusion is only part of the game plan. The payload is the important part.

In this case, I doubt that installing the exe on a *nix box is going to do much good. Even if the writer were to create a *nix specific script for the payload, I'm pretty sure it would be given the mysql uid/gid, and probably wouldn't be able to wreak havoc on a *nix-based system.

Re:Clarity (1, Insightful)

Anonymous Coward | more than 9 years ago | (#11493362)

It's a MySQL worm that only targets the Windows platform; calling it a "Windows" MySQL worm is silly .. if the flaw gets exploited on Linux then it'll be your fault that Linux users didn't take precautions to protect their system.

Re:Clarity (0, Flamebait)

pete-classic (75983) | more than 9 years ago | (#11493437)

Dear fuckhole moderators,

This was like the fourth post in the thread. How is it redundant?

With Lots of Love,
Peter "I wish Technocrat Didn't Suck" Hutnick

It says WINDOWS in the TITLE (0, Flamebait)

Anonymous Coward | more than 9 years ago | (#11493516)

nt

slashdot rulez (0, Flamebait)

Anonymous Coward | more than 9 years ago | (#11493098)

... its always first with 3 week old news. The virus was reported on January 5th.

Doesn't seem that vital of a worm (0)

Steepe (114037) | more than 9 years ago | (#11493105)

MySQL does not come with Windows; you have to download it and install it, and if you are downloading it and installing it then you obviously have a reason to use it, and are more likely to set an actual password.

Re:The attack on MySQLs without a password is.. (1)

Uptown Joe (819388) | more than 9 years ago | (#11493200)

the Snake... Not the new worm. I remember how much of a pain Slammer was, I'm glad I don't admin SQL servers anymore!

Re:Doesn't seem that vital of a worm (1)

I confirm I'm not a (720413) | more than 9 years ago | (#11493272)

if you are downloading it and installing it then you obviously have a reason to use it, and are more likely to set an actual password.

I'd like to agree with you - I've installed MySQL (plus Apache and mod_php) on Windows boxes before now, for development (production server is a Solaris box, but my boss - for some bizarre reason - won't fork out for a Sparcstation for me ;) However - many developers I know believe that dev machines don't merit the same kind of hardening as production machines. "Hey! We're behind the firewall, we're safe!" Maybe this'll serve as a wake-up call.

Re:Doesn't seem that vital of a worm (1)

david duncan scott (206421) | more than 9 years ago | (#11493427)

Well, on those grounds MSSQL worms aren't an issue either, because believe me, SQLServer does not come with Windows either. Apparently shelling out good money [cdw.com] hasn't stopped people from leaving the SA p/w blank.

Shouldn't be a big deal (5, Informative)

Mad Merlin (837387) | more than 9 years ago | (#11493106)

How often does your database have to talk directly to the outside world? The port should be closed to the outside world most of the time.

A hole in a program that communicates with the database and is accessible from the outside world would be a much more serious flaw, I would imagine.

solution (-1, Offtopic)

its_not_a_tumah (802715) | more than 9 years ago | (#11493128)

so we've got tsunamis in asia, droughts in africa, worms in australia.... frank: "here, this here wombat 'ill toyk kehr of um"

slashdot's super post editing strikes again! (0, Interesting)

Anonymous Coward | more than 9 years ago | (#11493132)

What does a vulnerability in mySQL have to do with MSSQL? Or are you blaming Microsoft for a mySQL worm because it wouldn't be /. any other way?

Re:slashdot's super post editing strikes again! (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11493249)

Requirements to get a story on /.
1. Must bash MS or any of a number of companies on the "not cool" list
2. If a story does not fit #1 then random pieces of info should be thrown in to make it fit #1
3. If there is any chance that a story could bash *nix, #2 should be used to prevent this.

I don't get it (5, Interesting)

gowen (141411) | more than 9 years ago | (#11493153)

I don't understand the sans report. First it says :
The bot uses the "MySQL UDF Dynamic Library Exploit".
before adding
This bot does not use any vulnerability in mysql.


Come again?

Re:I don't get it (0)

Anonymous Coward | more than 9 years ago | (#11493432)

It's not a vulnerability, it's a feature.

Oh, wait. Wrong software company.

Re:I don't get it (4, Informative)

Qzukk (229616) | more than 9 years ago | (#11493486)

Well, to spread it specifically uses weak default/unset DB admin passwords and MySQL running as a system or admin level task with write access to everything. Once the worm is in your server with the db admin password, it uses the db admin's ability to load a dll into mysql to allow it to perform actions outside of mysql.

See the details on this [securiteam.com] for information about what exactly is happening. There are plenty of DLLs on windows laying around that do all sorts of stuff, once you define a function call in MySQL to use a dll that allows you to execute whatever you want on the system, you win.
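To pin down what Qzukk's reply and the SANS line "does not use any vulnerability" both mean, here is the privilege chain written out as SQL. It is added here as an example and is not taken from the thread, the SANS report or the bot itself: every statement is a documented MySQL feature that a remote 'root' login is entitled to use, which is why no bug is needed. Table, function and path names are assumptions for illustration; app_result.dll and spoolcll.exe are only the file names reported further down the thread, and the syntax is MySQL 4.x/5.x as current when this was posted. The second half is the check a responder would run on a suspect instance.

```sql
-- Added example, not code from the thread, SANS or the bot. Names marked
-- "assumed" are illustrative placeholders.

-- (1) Stage the library as a BLOB. Needs only CREATE/INSERT on some database,
--     which root has everywhere. The hex literal stands in for the full DLL
--     image the bot ships; 0x4D5A is just the 'MZ' PE header (assumed).
CREATE TABLE mysql.staging (body LONGBLOB);
INSERT INTO mysql.staging VALUES (0x4D5A9000);

-- (2) Write the bytes to disk as a file mysqld can later load. Needs the FILE
--     privilege (root has it). Where it can write is decided by the Windows
--     account mysqld runs as; the affected installs ran it as a system
--     service, so no path was off limits. The thread reports the DLL landing
--     in the MySQL data folder; the install location below is assumed.
SELECT body FROM mysql.staging INTO DUMPFILE 'C:/mysql/data/app_result.dll';

-- (3) Register the library as a user-defined function. Needs INSERT on
--     mysql.func, again something root has. From here on the DLL's code runs
--     inside mysqld's process with mysqld's Windows privileges, not merely
--     what the SQL grant tables allow. Function name is assumed.
CREATE FUNCTION run_cmd RETURNS INTEGER SONAME 'app_result.dll';

-- (4) Call it. What happens is up to the DLL; on the infected hosts it dropped
--     and started spoolcll.exe. The argument is a placeholder.
SELECT run_cmd('spoolcll.exe');

-- ---- Forensic checks on an instance you suspect -----------------------------
-- Every UDF registered with CREATE FUNCTION is recorded in mysql.func and
-- survives restarts. A clean install has zero rows here, so any row whose dl
-- you did not install yourself is a finding.
SELECT name, dl, ret, type FROM mysql.func;

-- Remove a rogue UDF (deletes its mysql.func entry), drop the staging table,
-- then delete the DLL and spoolcll.exe from disk outside MySQL.
DROP FUNCTION run_cmd;
DROP TABLE mysql.staging;

-- Accounts that hand an attacker this whole chain are those with FILE privilege
-- reachable from the network. On a hardened server this returns nothing.
SELECT User, Host FROM mysql.user
WHERE File_priv = 'Y' AND Host NOT IN ('localhost', '127.0.0.1');
```

Run the last three statements over the local connection before touching the Windows side; the service greechneb describes below and the dropped files are what the UDF created, but mysql.func is the record of how it got there, and it is what a rebuilt bot would need to recreate.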

Re:I don't get it (1)

Whispers_in_the_dark (560817) | more than 9 years ago | (#11493493)

I think they're referring to the method of entry -- poorly configured mySQL instances (with open or common root passwords). Once in, the Windows level security takes over and the worm can act pretty freely it seems.

Re:I don't get it (1)

Zontar The Mindless (9002) | more than 9 years ago | (#11493539)

This affects MySQL on Windows only, and does not exploit MySQL so much as it exploits Windows users who don't take basic precautions.

Things to do to keep from getting wormed:

1. Set a strong password for the root account.

2. Don't let root log in from an arbitrary host. Don't let root log in from anywhere but 127.0.0.1/localhost if at all possible.

(1 and 2 should be SOP for any MySQL installation as soon as you've verified that mysqld is actually running.)

3. Run MySQL on a port other than 3306.

4. Switch to something besides Windows.

Not for the first time ... (2, Informative)

enoraM (749327) | more than 9 years ago | (#11493155)

Actually we have seen this before with MySQL in the beginning of 2003:

SELECT INTO outfile was buggy up to 3.23.55

I got hit (5, Informative)

LiquidCoooled (634315) | more than 9 years ago | (#11493161)

My test server was compromised at 18:50 yesterday.
When I got back to my machine at 19:20, I cleaned it down and found out what was happening.

I have all the firewall logs etc. and have archived the executable and dll files dropped.

One went into the mysql data folder (app_result.dll), and the executable spoolcll.exe was dropped into windows.
Only now that I've gone into the archive folder has Norton picked it up and archived it (it had shut down/run the QConsole.exe NAV application to ensure Norton didn't find it, or it just wasn't in the definitions yesterday).
It's been detected as w32.Spybot.worm [securityresponse.symantec.com].

Bandwidth comparison, please ? (4, Funny)

LordPixie (780943) | more than 9 years ago | (#11493162)

What is going to soak up more of the Internet's bandwidth? A MySQL worm port scanning every IP in existence, or a gigantic mob of Slashdotters flaming Microsoft because it only affects Windows machines? And will either of them even come close to breaking the current record held by BitTorrent Porn?

For the stirring conclusion, stay tuned to Netcraft: As the Internet turns...


--LordPixie

Re:Bandwidth comparison, please ? (0)

Anonymous Coward | more than 9 years ago | (#11493434)

You talk of "BitTorrent Porn". Then continue with "For the stirring conclusion". How the hell can you twist that around in to a Netcraft reference?!

Not a worm (1)

RDosage (694318) | more than 9 years ago | (#11493168)

It's a bot. ISC said that it requires someone to initiate the scanning.

Not surprising (2, Interesting)

barryman_5000 (805270) | more than 9 years ago | (#11493169)

I wonder why Microsoft doesn't just decide to build a new OS from scratch that will only run its own software and be very limited but only do one thing well. It doesn't surprise me every time an exploit appears for programs or OS's nowadays since no one tries to make their stuff secure. Even OpenBSD doesn't do enough. They need to start with more limits and be less user friendly when you are doing something like database software.

Re:Your not from the Marketing dept, (0, Offtopic)

Uptown Joe (819388) | more than 9 years ago | (#11493242)

Are you?

Ok, this is strange (2, Interesting)

digitalgimpus (468277) | more than 9 years ago | (#11493175)

Just a few minutes ago, Sygate Personal Firewall alerted me to several portscans on my system.

I am running mySQL 4.0.x...

I guess it's time to see what's going on.

I do keep all ports closed, all mySQL passwords are secure, no remote access to mySQL. It's just for dev purposes.

Not sure if there is a connection, but I'm going to look into it.

Re:Ok, this is strange (5, Funny)

stanleypane (729903) | more than 9 years ago | (#11493349)

You seem very concerned. Better submit that last Slashdot comment before checking it out.

I want my money back! (3, Funny)

netsavior (627338) | more than 9 years ago | (#11493215)

Man if I had known that this software was vulnerable to worms I would never have bought it.

We know... (-1)

Anonymous Coward | more than 9 years ago | (#11493229)

I think everyone reading SlashDot knows what all that means...:P

MySQL a real DB? (4, Funny)

Atomizer (25193) | more than 9 years ago | (#11493264)

Does this mean MySQL is considered a real DB now?

Re:MySQL a real DB? (0)

Anonymous Coward | more than 9 years ago | (#11493355)

No, that title comes when it has real database features.

Re:MySQL a real DB? (0)

Anonymous Coward | more than 9 years ago | (#11493527)

Such as? Don't confuse "Database" with "Relational Database", and yes, MySQL is an RDBMS, just not the version you're probably running.

Re:MySQL a real DB? (3, Insightful)

KingBahamut (615285) | more than 9 years ago | (#11493566)

Lol....REAL DATABASE features.....thats an odd term. Let us go to the Websters. 1. A collection of data arranged for ease and speed of search and retrieval 2. An organized body of related information 3. One or more large structured sets of persistent data, usually associated with software to update and query the data. A simple database might be a single file containing many records, each of which contains the same set of fields where each field is a certain fixed width. Now then I clearly think that MySQL fits one or more of those definitions...making it a REAL DATABASE.....lol....wake up people.

Re:MySQL a real DB? (1)

KingBahamut (615285) | more than 9 years ago | (#11493395)

Ive always thought it was a REAL database. -- 11:15, restate my assumptions: 1. Mathematics is the language of nature. 2. Everything around us can be represented and understood through numbers. 3. If you graph these numbers, patterns emerge. Therefore: There are patterns everywhere in nature.

Re:MySQL a real DB? (0)

Anonymous Coward | more than 9 years ago | (#11493421)

If vulnerabilities validated programs, I should have charged good money for my "Hello, World!" programs that had a buffer overflow exploit when you entered your name.

Windows + Internet = Bad Things (2, Insightful)

WoodstockJeff (568111) | more than 9 years ago | (#11493271)

This is yet another reason to not attach a Windows-based computer to the Internet without a firewall. Of course, having a public-access SQL server (regardless of its software) isn't a particularly good idea, either.

For both of these, there are exceptional requirements that can negate these general rules, but anyone who has these requirements should know better than to not take exceptional measures to protect the server.

Re:Windows + Internet = Bad Things (0)

Anonymous Coward | more than 9 years ago | (#11493388)

Please, stop your trolling. There is no reason this exact worm couldn't be ported to Linux and exploit MySQL in a fine-and-dandy fashion.

Re:Windows + Internet = Bad Things (1)

LiquidCoooled (634315) | more than 9 years ago | (#11493389)

Windows DOES have a firewall, I have everything locked down, and only 2 remote ports exist.
One is for VNC, and the other is for the mysql test server.

Both were protected by strong passwords, and I thought I had done everything possible to prevent these kind of intrusions.

I connect remotely from a dynamic adsl line with varying IPs, so cannot tie the connection to a specific remote IP; the best I could do is lock it to my work's ISP range, and even then there are thousands of possible computers able to exploit it.

I see the rights escalation as a problem with windows, but the initial exploit is not Microsoft's fault.

Re:Windows + Internet = Bad Things (1)

WoodstockJeff (568111) | more than 9 years ago | (#11493514)

You can still avoid this problem. Even if you have to have remote access, do NOT allow 'root' to log in remotely. Create another user, also password protected, to do root-like things on MySQL.

The way to do this:

use mysql;
-- admin account that is not called root; pin it to a host range instead of "%" wherever you can
grant all privileges on *.* to obscureusername@"%" identified by 'strongpassword' with grant option;
-- drop the anonymous localhost account
delete from user where host='localhost' and user='';
-- and, as said above, stop root logging in from anywhere but the box itself (added: the original snippet left these rows in place)
delete from user where user='root' and host<>'localhost';
flush privileges;

Re:Windows + Internet = Bad Things (1)

LiquidCoooled (634315) | more than 9 years ago | (#11493540)

I had *thought* I had removed root@% account.
I had granted remote privs to one single user with a lengthy password.
Obviously my sig is useful today.
*hangs head in shame*

Re:Windows + Internet = Bad Things (1)

3dr (169908) | more than 9 years ago | (#11493407)

Good points. And to just emphasize the underlying security issue, corporate environments are far from being safe havens, too. It's imperative the DB root account has a good password (for sufficient values of good!).

I run several MySQL servers on XP/w2k3server/linux boxes at work. All are closed to non-localhost access.

In fairness (4, Insightful)

wowbagger (69688) | more than 9 years ago | (#11493480)

In fairness, I would generalize your statement to:

Don't connect ANY computer to the Internet, or any other hostile network, without a firewall.

Now, you can argue that, in the case of some operating systems, the firewall built into the OS, when properly configured, is enough.

You can also argue that a firewall should be a firewall, and a firewall ONLY, and that any other services should be provided by another machine BEHIND the firewall.

And depending upon the circumstances, either argument can win.

However, if you think in terms of "First the firewall, THEN the services", you will be miles ahead.

Connect a Linux box, or a *BSD box, or a Mac, or an AS/400, or .* to a hostile network with any non-trivial set of services running and no firewall, and it is going to have problems.

The problem here is that the people who set up the MySQL servers on these boxes did not ensure they were firewalled; this could have happened just as easily to a Linux box with a similarly bad setup.

Re:Windows + Internet = Bad Things (1)

Malc (1751) | more than 9 years ago | (#11493483)

You should be moderated troll. An overly anti-Microsoft zealot at that. This isn't about Windows. This is about MySQL and poor admins (weak passwords and poor firewall configuration).

Don't keep the port open! (5, Informative)

hacker (14635) | more than 9 years ago | (#11493300)

99.99% of people who run MySQL run it on the same machine as their webserver that queries it. Most people don't actually do queries across the network to the database server.

Just run MySQL with --skip-networking at startup (skip-networking in my.cnf), to disable MySQL from listening on port 3306. I know on most systems it's probably the default, but in almost all of the cases it's completely unnecessary.

And also, validate your input !! Don't just assume that whatever is passed on the URI field of a browser, is going to be correct. Check it. Then check it again.

Re:Don't keep the port open! (1)

Pierce (154) | more than 9 years ago | (#11493323)

...and block direct access to your database from the Internet. Better yet, restrict it to only the machines you know need to have that access.

Ahh... but you are forgetting... (1)

cnelzie (451984) | more than 9 years ago | (#11493423)

...that many of these same people swear by MS software and, by way of the design of MSSQL in that it uses RPC even for local requests, will often configure MySQL to act like MSSQL, 'cause that is what they were done taught.

Re:Don't keep the port open! (1)

Malc (1751) | more than 9 years ago | (#11493512)

Good points that all good admins should consider in case they have an issue with their firewall (e.g. screwing up when reconfiguring open ports). If you don't have a firewall, then why not? If you're a home user on broadband, then why aren't you behind a cheap router?

Re:Don't keep the port open! (4, Interesting)

drinkypoo (153816) | more than 9 years ago | (#11493518)

Turning off networking makes remote administration more difficult. Why not just block the port? Every supported version of NT, plus the two most recent unsupported versions (and probably more) has port filtering. Just block those ports (or, you can default deny) on the external interface.

Some info (5, Informative)

Squeebee (719115) | more than 9 years ago | (#11493328)

Ok folks. This is a bot, and it uses weak root passwords to gain entry to MySQL. From there, it loads a BLOB in a table with a payload DLL, which it then writes to disk and loads as a MySQL UDF. The UDF is called, which creates the bot and the system is compromised.

Damage appears to be low as it is more spyware than anything, and you are only at risk if you A) Have not firewalled the MySQL Port, B) Have a root account that is allowed to login from anywhere, not just localhost, and C) Have a weak root password.

So, the fix is this:

A) Firewall port 3306
B) Remove the root@% account, only allow root@localhost
C) Set a strong password

I have more info at http://www.openwin.org/mike/index.php/archives/2005/01/batten-the-hatches-mysql-targeting-bot-on-the-loose/
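Squeebee's A/B/C, Zontar's steps 1 and 2, WoodstockJeff's grant snippet and the SANS mitigation list above all describe the same account clean-up. Here it is as one script, added as an example (not code from the thread, SANS or MySQL AB), to run as root over the local connection and then re-run its last query until it returns nothing. Account names, the 192.0.2.% admin network and the passphrases are placeholders. It is written against the grant tables of MySQL 4.x/5.x, where the default root rows and their Password column live; 5.7 renamed that column authentication_string, and 8.0 expects CREATE USER/ALTER USER rather than edits to mysql.user.

```sql
-- Added example, not code from the thread, SANS or MySQL AB. Account names,
-- hosts and passphrases are placeholders; adjust before running.

-- 0. Audit first: every account, where it may connect from, whether it has a
--    password at all, and who holds FILE (the privilege behind the UDF drop).
--    The bot's entry condition is a root row whose Host is '%' or another
--    wide wildcard, with a weak or empty password.
SELECT User, Host, Password = '' AS no_password, File_priv, Grant_priv
FROM mysql.user
ORDER BY User, Host;

-- 1. root connects only from the machine itself. This removes root@'%' where
--    an install created one, and any other remote or wildcard root row.
DELETE FROM mysql.user
WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1');

-- 2. No anonymous accounts (User = ''). They let anyone connect without a
--    name; the matching mysql.db rows are the ones that open the test databases.
DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.db   WHERE User = '';

-- 3. Strong password on what remains of root.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('replace-with-a-long-random-passphrase');

-- 4. If remote administration is unavoidable (LiquidCoooled's situation above),
--    give it a differently named account pinned to one source network and
--    forced onto MySQL's own SSL transport, instead of opening root to the world.
GRANT ALL PRIVILEGES ON *.* TO 'dbadmin'@'192.0.2.%'
  IDENTIFIED BY 'another-long-random-passphrase'
  REQUIRE SSL
  WITH GRANT OPTION;

-- 5. The application account gets table access only: no FILE, no SUPER, no
--    grant tables, so a leaked app password cannot write a DLL to disk.
GRANT SELECT, INSERT, UPDATE, DELETE ON webapp.* TO 'webapp'@'localhost'
  IDENTIFIED BY 'a-third-long-random-passphrase';

FLUSH PRIVILEGES;

-- 6. Re-audit. This must return no rows; every row is a finding.
SELECT User, Host, 'remote root' AS finding FROM mysql.user
WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1')
UNION ALL
SELECT User, Host, 'anonymous' FROM mysql.user WHERE User = ''
UNION ALL
SELECT User, Host, 'empty password' FROM mysql.user WHERE Password = ''
UNION ALL
SELECT User, Host, 'FILE privilege from network' FROM mysql.user
WHERE File_priv = 'Y' AND Host NOT IN ('localhost', '127.0.0.1');
```

The script covers B and C. A, keeping 3306 off the network, is done outside SQL: skip-networking (or bind-address=127.0.0.1) in my.cnf when only local clients need the server, as hacker suggests above, plus a firewall rule for everything else. Zontar's step 3, moving the port, only delays a scanner and is no substitute for either. The final query is worth keeping as a scheduled check; a clean instance returns zero rows.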

Does mysql on windows have root@%? (1)

lorcha (464930) | more than 9 years ago | (#11493557)

I just looked at my Debian and Gentoo installations and neither of them leave you vulnerable to this type of crap by default.

Who really creates an unpassworded root@% superuser account?

temporary fix (5, Informative)

greechneb (574646) | more than 9 years ago | (#11493340)


Open the Administrative Tools/Services app.
Find the "Event Monitor" service.
Open the Properties for this service.
You cannot pause or stop this service, so set the General/Startup Type to Disabled.
On the Recovery tab, set all 3 failure actions to Take No Actions.

Reboot.

Since the service didn't start, spoolcll.exe is not running.
Delete it (or whatever).

But, do not delete the service, as its existence will prevent new copies of the virus from activating.

MySQL in practice (4, Interesting)

Marcus Erroneous (11660) | more than 9 years ago | (#11493412)

Well, I'm pretty sure I've got that port blocked already, but . . .
I stood up MySQL on a Linux box and on a Win2k box to show that, unlike MSSQL, MySQL ran on more than one platform. One database could be deployed to both platforms with the ability to keep the application running even if one goes down. Instead of having the app be entirely offline, you can bring the other over very quickly. Did this just after the first MSSQL worm to show that there are alternatives and that entire sites don't have to go down because of one bug. Now we're working on deploying some Linux clusters.

mlod u4 (-1)

Anonymous Coward | more than 9 years ago | (#11493541)
