Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Worms Security The Internet

Worm Hits Windows Machines Running MySQL 367

UnderAttack writes "A report on the Australian whirlpool forum suggest that a worm is currently taking out MySQL servers running on Windows. We have seen this happen with MSSQL before (not just 'Slammer', but also SQLSnake that used SA accounts without password). The SANS Internet Storm Center suggests that a rise in port 3306 scans can be attributed to the new worm, and is asking for observations to help figure this out. It appears the worm creates a file called 'spoolcll.exe'."
This discussion has been archived. No new comments can be posted.

Worm Hits Windows Machines Running MySQL

Comments Filter:
  • by sanityspeech ( 823537 ) on Thursday January 27, 2005 @11:29AM (#11493090) Journal
    What is the SANS institute?

    The SANS (SysAdmin, Audit, Network, Security) Institute provides information security training and certification. For more information, visit www.sans.org

    What's an SA account?

    The system administrator (SA) account is similar to the DBO except it is of the entire server. It has the same access and permissions as the DBO on all the databases in the server.

    DBO account???

    The DBO User Account The database owner (DBO) is the administrator for the database. It has full access to all operations and rights.

    SQL Snake is an Internet worm, that scans for open Microsoft SQL 7 (MSSQL) and 2000 servers - which run on TCP Port 1433 by default. The worm attempts to log into the System Administrator (SA) account with no password. If successful, the worm downloads and hides some files and grabs system configuration and account names.

    Before the MySQL bashers start, it should be noted that this is not a problem with MySQL.

    From the article:

    This bot does not use any vulnerability in mysql. The fundamental weakness it uses is a week 'root' account. The following mitigation methods will prevent exploitation:

    Strong Password: Select a strong password, in particular for the 'root' account.
    Restricted root account: Connections for any account can be limited to certain hosts in MySQL. This is in particular important for 'root'. If possible, 'root' should only be allowed to connect from the local host. MySQL will also allow you to force connections to use mysql's own SSL connection option.
    Apply firewall rules: MySQL servers should not be exposed to the "wild outside". Block port 3306 and only allow access from selected hosts that require such access. Again, the use of ssh forwarding or SSL is highly recommended.

  • by Mad Merlin ( 837387 ) on Thursday January 27, 2005 @11:30AM (#11493106) Homepage
    How often does your database have to talk directly to the outside world? The port should be closed to the outside world most of the time.

    A hole in a program that communicates to the database and is accessable from the outside world would be a much more serious flaw I would imagine.

  • I don't get it (Score:5, Interesting)

    by gowen ( 141411 ) <gwowen@gmail.com> on Thursday January 27, 2005 @11:33AM (#11493153) Homepage Journal
    I don't understand the sans report. First it says :
    The bot uses the "MySQL UDF Dynamic Library Exploit".
    before adding
    This bot does not use any vulnerability in mysql.


    Come again?
    • Re:I don't get it (Score:5, Informative)

      by Qzukk ( 229616 ) on Thursday January 27, 2005 @11:57AM (#11493486) Journal
      Well, to spread it specifically uses weak default/unset DB admin passwords and MySQL running as a system or admin level task with write access to everything. Once the worm is in your server as the db admin password, it uses the db admin's ability to load a dll into mysql to allow it to perform actions outside of mysql.

      See the details on this [securiteam.com] for information about what exactly is happening. There are plenty of DLLs on windows laying around that do all sorts of stuff, once you define a function call in MySQL to use a dll that allows you to execute whatever you want on the system, you win.
      • Well, to spread it specifically uses weak default/unset DB admin passwords and MySQL running as a system or admin level task with write access to everything.

        The default MySQL admin account only allows connections from localhost. So it sounds like it only affects people who purposely created an admin account with a host of '%' and no password.
      • Re:I don't get it (Score:3, Insightful)

        by DrSkwid ( 118965 )

        mysql can load arbitrary dlls?

        lol that's one of the dumbest features I ever heard!!

    • I think they're referring to the method of entry -- poorly configured mySQL instances (with open or common root passwords). Once in, the Windows level security takes over and the worm can act pretty freely it seems.
    • This affects MySQL on Windows only, and does not exploit MySQL so much as it exploits Windows users who don't take basic precautions.

      Things to do to keep from getting wormed:

      1. Set a strong password for the root account.

      2. Don't let root log in from an arbitrary host. Don't let root log in from anywhere but 127.0.0.1/localhost if at all possible.

      (1 and 2 should be SOP for any MySQL installation as soon as you've verified that mysqld is actually running.)

      3. Run MySQL on a port other than 3306.

      4. Switch
    • I don't understand the sans report. First it says :

      The bot uses the "MySQL UDF Dynamic Library Exploit".


      UDF stands for "U Dumb Fscker" refering to those admins that don't bother setting up an admin password on their Mysql servers.
  • Actually we have seen this before with MySQL in the beginning of 2003:

    SELECT INTO outfile was buggy up to 3.23.55
  • I got hit (Score:5, Informative)

    by LiquidCoooled ( 634315 ) on Thursday January 27, 2005 @11:33AM (#11493161) Homepage Journal
    My test server was compromised at 18:50 yesterday.
    When I got back to my machine at 19:20, I cleaned it down and found out what was happening.

    All firewall logs etc and have archived the executable and dll files dropped.

    One into the mysql data folder (app_result.dll), and the executable spoolcll.exe was dropped into windows.
    Only now that I've gone into the archive folder has Norton picked it up and archived it (it had shutdown/ran the QConsole.exe NAV application to ensure Norton didn't find it, or it just wasn't in the definitions yesterday).
    Its been detected as a href='http://securityresponse.symantec.com/avcente r/venc/data/w32.spybot.worm.html'>w32.Spybot.worm.

    • Okay I must ask. If this attack comes across a port. Why in the world did you have that port open to the outside? Not trying to flame you, but a little common sense.
  • by LordPixie ( 780943 ) * on Thursday January 27, 2005 @11:33AM (#11493162) Journal
    What is going to soak up more of the Internet's bandwidth ? A MySQL worm port scanning every IP in existance, or a gigantic mob of Slashdotters flaming Microsoft because it only affects Windows machines ? And will either of them even come close to breaking the current record held by BitTorrent Porn ?

    For the stirring conclusion, stay tuned to Netcraft: As the Internet turns...


    --LordPixie
  • Not surprising (Score:2, Interesting)

    I wonder why Microsoft doesn't just decide to build a new OS from scratch that will only run its own software and be very limited but only do one thing good. It doesn't surprise me everytime an exploit appears for programs or OS's nowadays since no one tries to make their stuff secure. Even OpenBSD doesn't do enough. They need to start with more limits and be less user friendly when you are doing something like database software.
  • Just a few minutes ago, Sygate Personal Firewall allerted me to several portscans on my system.

    I am running mySQL 4.0.x...

    I guess it's time to see what's going on.

    I do keep all ports closed, all mySQL passwords are secure, no remote access to mySQL. It's just for dev purposes.

    Not sure if there is a connection, but I'm going to look into it.
  • by netsavior ( 627338 ) on Thursday January 27, 2005 @11:37AM (#11493215)
    Man if I had known that this software was vulnerable to worms I would never have bought it.
  • by Atomizer ( 25193 ) on Thursday January 27, 2005 @11:41AM (#11493264)
    Does this mean MySQL is considered a real DB now?
  • by WoodstockJeff ( 568111 ) on Thursday January 27, 2005 @11:41AM (#11493271) Homepage
    This is yet another reason to not attach a Windows-based computer to internet without a firewall. Of course, having a public-access SQL server (regardless of its software) isn't a particularly good idea, either.

    For both of these, there are exceptional requirements that can negate these general rules, but anyone who has these requirements should know better than to not take exceptional measures to protect the server.

    • Good points. And to just emphasize the underlying security issue, corporate environments are far from being safe havens, too. It's imperative the DB root account has a good password (for sufficient values of good!).

      I run several MySQL servers on XP/w2k3server/linux boxes at work. All are closed to non-localhost access.
    • In fairness (Score:5, Insightful)

      by wowbagger ( 69688 ) on Thursday January 27, 2005 @11:56AM (#11493480) Homepage Journal
      In fairness, I would generalize your statement to:

      Don't connect ANY computer to the Internet, or any other hostile network, without a firewall.

      Now, you can argue that, in the case of some operating systems, the firewall built into the OS, when properly configured, is enough.

      You can also argue that a firewall should be a firewall, and a firewall ONLY, and that any other services should be provided by another machine BEHIND the firewall.

      And depending upon the circumstances, either argument can win.

      However, if you think in terms of "First the firewall, THEN the services", you will be miles ahead.

      Connecting a Linux box, or a *BSD box, or a Mac, or an AS/400, or .* to a hostile network with any non-trivial set of services running and no firewall, and it is going to have problems.

      The problem here is that the people who set up the MySQL servers on these boxes did not insure they were firewalled - this could have happened just as easily to a Linux box with a similarly bad setup.
    • You should be moderated troll. An overly anti-Microsoft zealot at that. This isn't about Windows. This is about MySQL and poor admins (weak passwords and poor firewall configuration).
      • Gee, according to the article, it's about MySQL, Poor Administration, and Windows. Remove any of the ingredients, and it's not a problem!

        That said, Windows, by default, has a lot of things going on that the user is unaware of. Does the average Windows user know that LSASS is running? Or the Messenger service? And why does Windows default to loading MSMessenger, and fight most attempts to disable it?

        And the firewall is considered laughable by many sources I've read, including Windows zealot sites. It's ver

  • by hacker ( 14635 ) <hacker@gnu-designs.com> on Thursday January 27, 2005 @11:43AM (#11493300)

    99.99% of people who run MySQL run it on the same machine as their webserver that queries it. Most people don't actually do queries across the network to the database server.

    Just run MySQL with --skip-networking at startup (skip-networking in my.cnf), to disable MySQL from listening on port 3306. I know on most systems, its probably the default, but in almost all of the cases, its completely unnecessary.

    And also, validate your input !! Don't just assume that whatever is passed on the URI field of a browser, is going to be correct. Check it. Then check it again.

    • Good points that all good admins should consider in case they have an issue with their firewall (e.g. screwing reconfiguring open ports). If you don't have a firewall, then why not? If you're a home user on broadband, then why aren't you behind a cheap router?
    • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday January 27, 2005 @12:00PM (#11493518) Homepage Journal
      Turning off networking makes remote administration more difficult. Why not just block the port? Every supported version of NT, plus the two most recent unsupported versions (and probably more) has port filtering. Just block those ports (or, you can default deny) on the external interface.
      • "Turning off networking makes remote administration more difficult."

        What 'remote administration' tools are you referring to? No open network port is required for remote administration.

        • By definition you need SOME kind of network port open for remote administration. Otherwise you can only connect locally. Or through serial I guess, but since the overwhelming majority of Windows software is manageable only via GUI, you really need Terminal svcs or VNC. However, I was talking specifically about being able to use a SQL client on another box to muck with the db. You could put mysqladmin on the box, but then you'd need a web server and php, and a http port open.
          • "By definition you need SOME kind of network port open for remote administration. Otherwise you can only connect locally."

            Almost right.

            Since you should, as a good administrator, limit the number of ports open for potential exploits. This means using vnc-over-ssh (locked to specific incoming hosts, of course) to admin the box, instead of vnc (on 5900) and then 3306 for MySQL (which isn't secure anyway). This way, you keep one port open (22) instead of three ports (22, 3306, 5900).

            But you can, and sho

      • if you are going to remote administer a server, you should first SSH into the server. Then as a "localhost" user, you can access the database. You wouldn't remote administer via the port. Or, at least, you should.
  • Some info (Score:5, Informative)

    by Squeebee ( 719115 ) <squeebee@gmail. c o m> on Thursday January 27, 2005 @11:46AM (#11493328)
    Ok folks. This is a bot, and it uses weak root passwords to gain entry to MySQL. From there, it loads a BLOB in a table with a payload DLL, which it then writes to disk and loads as a MySQL UDF. The UDF is called, which creates the bot and the system is compromised.

    Damage appears to be low as it is more spyware than anything, and you are only at risk if you A) Have not firewalled the MySQL Port, B) Have a root account that is allowed to login from anywhere, not just localhost, and C) Have a weak root password.

    So, the fix is this:

    A) Firewall port 3306
    B) Remove the root@% account, only allow root@localhost
    C) Set a strong password

    I have more info at http://www.openwin.org/mike/index.php/archives/200 5/01/batten-the-hatches-mysql-targeting-bot-on-the -loose/
  • temporary fix (Score:5, Informative)

    by greechneb ( 574646 ) on Thursday January 27, 2005 @11:47AM (#11493340) Journal

    Open the Administrative Tools/Services app.
    Find the "Event Monitor" service.
    Open the Properties for this service.
    You cannot pause or stop this service, so set the General/Startup Type to Disabled.
    On the Recovery tab, set all 3 failure actions to Take No Actions.

    Reboot.

    Since the service didn't start, spoolcll.exe is not running.
    Delete it (or whatever).

    But, do not delete the service, as its existence will prevent new copies of the virus from activating.
  • MySQL in practice (Score:5, Interesting)

    by Marcus Erroneous ( 11660 ) on Thursday January 27, 2005 @11:51AM (#11493412) Homepage
    Well, I'm pretty sure I've got that port blocked already, but . . .
    I stood up MySQL on a Linux box and on a Win2k box to show that, unlike MSSQL, MySQL ran on more than one platform. One database could be deployed to both platforms with the ability to keep the application running even if one goes down. Instead of having the app be entirely offline, you can bring the other over very quickly. Did this just after the first MSSQL worm to show that there are alternatives and that entire sites don't have to go down because of one bug. Now we're working on deploying some Linux clusters.
  • by Abcd1234 ( 188840 ) on Thursday January 27, 2005 @12:17PM (#11493715) Homepage
    Good lord, are you kidding? I would assume any reasonable organization that was accessing their database over a network would keep the webserver on a DMZ and the database server behind a firewall that's tightened up and only allows access to the database from the DMZ. Isn't this, uh, kinda obvious? And, of course, if the database and the webserver are on the same box, *why* is remote access enabled at all?
  • MyWorm (Score:3, Interesting)

    by Doc Ruby ( 173196 ) on Thursday January 27, 2005 @12:21PM (#11493773) Homepage Journal
    We've got the source code. Where's the hole? And, more important from the OSS perspective, where's the patch? And what happens when different people release incompatible patches? Is a worm a good way to force a fork in an OSS project, making it less competitive?
    • Re:MyWorm (Score:3, Insightful)

      by catenos ( 36989 )
      We've got the source code. Where's the hole?

      The worm doesn't use a hole within MySQL, but only bad admin passwords. In short, it's a problem with people not a technical one.

      But there are mitigating factors:
      - MySQL allows loading of libraries (UDF) for users with the right privileges (of which root usually is one, of course), which is a powerful feature and that power can be abused.
      - The worm requires that MySQL is set up for networking, and that the port is freely reachable from the internet.

      And, more
  • So, having RTFA I'm not even slightly concerned. I have mysql running on windows, but since the exploit this thing uses requires a)straight up access vis the internet (eg, no firewall) and b) a brute force atack on the root password, I feel pretty safe. As should anyone else who's behind a firewall and who's root mysql password isn't '12345'....
  • serious? (Score:5, Funny)

    by dtfinch ( 661405 ) * on Thursday January 27, 2005 @12:40PM (#11494001) Journal
    "the bot first has to authenticate to mysql as 'root' user. A long list of passwords is included with the bot, and the bot will brute force the password."

    This makes MySQL look about as vulnerable as ssh.
  • Good (Score:2, Funny)

    by Pan T. Hose ( 707794 )
    Does it mean that MySQL is now officially "ready for the desktop"? Hopefully, the Linux version will be next.
  • by HvitRavn ( 813950 ) on Thursday January 27, 2005 @01:29PM (#11494608)
    No need to flame people who use MySQL on win32. This has been briefly mentioned already, but here's a slightly better explanation. One of MySQL's major advantages over other free medium-to-lightweight (such as pgsql) is that MySQL has been available for the win32 platform for a very long period of time (if you are about to mention firebird, take a look here [sourceforge.net]). This enabled developers to install their webserver of choice (apache) with some cool script mod (php) alongside a database well suited for small to medium web projects (mysql). So if you are a supporter of (F)OSS, then you better not flame people who use MySQL on win32, because that is one of the reasons why MySQL is so popular today.
  • by MyHair ( 589485 ) on Thursday January 27, 2005 @03:18PM (#11495837) Journal
    Jan 27 09:57:27 (fakehostname) mysqld[338]: refused connect from 217.224.(#).(#)

    Jan 27 09:57:47 (fakehostname) last message repeated 21 times
    (A few more like this were in the log.)

    D'oh! Didn't realize I had it open. At least I'm on Linux and don't have a blatantly obvious root password. PostgreSQL installed with IP off by default; I guess MySQL didn't. I don't even rememeber why MySQL's installed...some php toy I guess. PostreSQL and MSSQL ports are already blocked even though I don't have MSSQL.

    Time to update the firewall (dedicated and local), MySQL config and revisit password strength. Maybe I should finally go to a deny by default policy....

Some people only open up to tell you that they're closed.

Working...