Worm Hits Windows Machines Running MySQL
UnderAttack writes "A report on the Australian whirlpool forum suggests that a worm is currently taking out MySQL servers running on Windows. We have seen this happen with MSSQL before (not just 'Slammer', but also SQLSnake that used SA accounts without password). The SANS Internet Storm Center suggests that a rise in port 3306 scans can be attributed to the new worm, and is asking for observations to help figure this out. It appears the worm creates a file called 'spoolcll.exe'."
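The "rise in port 3306 scans" the summary mentions is something a firewall log can show directly. As an added example (not from the thread or from SANS), this Python snippet parses constructed netfilter-style syslog lines and reports any source that tried TCP/3306 on several distinct hosts, which is the scanning pattern a worm hunting for open MySQL ports leaves behind.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter/iptables syslog format (not real logs).
SAMPLE_LOG = """\
Jan 27 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4431 DPT=3306 SYN
Jan 27 10:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP SPT=4432 DPT=3306 SYN
Jan 27 10:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.12 PROTO=TCP SPT=4433 DPT=3306 SYN
Jan 27 10:01:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.13 PROTO=TCP SPT=4434 DPT=3306 SYN
Jan 27 10:01:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=5000 DPT=3306 SYN
Jan 27 10:01:06 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=5001 DPT=80 SYN
"""

# Pull source, destination and destination port out of a TCP log line.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def count_3306_targets(log_text):
    """Map each source IP to the set of distinct hosts it probed on TCP/3306."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dpt") == "3306":
            targets[m.group("src")].add(m.group("dst"))
    return targets


def find_3306_scanners(log_text, min_targets=3):
    """Sources that hit TCP/3306 on at least min_targets distinct hosts.

    A single client talking to a single server is normal traffic; one source
    sweeping many hosts on 3306 is the worm-style scan worth alerting on.
    """
    return sorted(src for src, dsts in count_3306_targets(log_text).items()
                  if len(dsts) >= min_targets)


if __name__ == "__main__":
    for src in find_3306_scanners(SAMPLE_LOG):
        print(f"possible MySQL port sweep from {src}")
```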
Windows + Internet = Bad Things (Score:3, Insightful)
For both of these, there are exceptional requirements that can negate these general rules, but anyone who has these requirements should know better than to not take exceptional measures to protect the server.
Re:Clarity (Score:1, Insightful)
But yeah of course you'll get modded up by all the default anti microsoft moderators. Any bashing microsoft is praised here no matter how devious
Re:Clarity (Score:3, Insightful)
That'll be a tough one to patch...
In fairness (Score:5, Insightful)
Don't connect ANY computer to the Internet, or any other hostile network, without a firewall.
Now, you can argue that, in the case of some operating systems, the firewall built into the OS, when properly configured, is enough.
You can also argue that a firewall should be a firewall, and a firewall ONLY, and that any other services should be provided by another machine BEHIND the firewall.
And depending upon the circumstances, either argument can win.
However, if you think in terms of "First the firewall, THEN the services", you will be miles ahead.
Connecting a Linux box, or a *BSD box, or a Mac, or an AS/400, or
The problem here is that the people who set up the MySQL servers on these boxes did not ensure they were firewalled - this could have happened just as easily to a Linux box with a similarly bad setup.
Re:Clarity (Score:2, Insightful)
Nice try, but you only took in a minor part of the equation, and so you fail.
While it's true the worm could probably intrude into a *nix MySQL server that was open to the internet with a default password of ''... intrusion is only part of the game plan. The payload is the important part.
In this case, I doubt that installing the exe on a *nix box is going to do much good. Even if the writer were to create a *nix specific script for the payload, I'm pretty sure it would be given the mysql uid/gid, and probably wouldn't be able to wreak havoc on a *nix-based system.
In other news (Score:1, Insightful)
Sad to say, but this is where ease of use and point-and-click stuff brings you.
To MySQL's credit, IIRC, the latest MySQL for Windows installers are fairly insistent on warning you about enabling network access and setting a root password.
Re:Doesn't seem that vital of a worm (Score:2, Insightful)
I'm not justifying what they're doing, but if they're behind a firewall then shouldn't they be safe from this worm? Surely the people getting infected are the people with MySQL ports open directly on the int0rweb *and* no hardening.
Maybe this'll serve as a wake-up call.
True!
Re:That's why... (Score:5, Insightful)
Nothing is. Postgres folk can cry all they want, and so can MySQL, mSQL, Oracle, Informix, Sybase, Firebird, etc. It makes no difference. If you have no password, you can get into it.
Amazes me sometimes the rabidness of the db crowd. It's a database, folks. It stores data. It's not an AI.
Re:I don't get it (Score:3, Insightful)
mysql can load arbitrary dlls?
lol that's one of the dumbest features I ever heard!!
Re:MySQL a real DB? (Score:3, Insightful)
What I think most people who talk about REAL DBs are referring to is the ACID test. I have not checked recently but for the longest time MySQL failed those requirements.
Re:That's why... (Score:2, Insightful)
Absolutely. And that is where the blame belongs - with a small nod that MySQL should not have remote admin on by default.
Of course, if this had been a MS product then it would be all MS's fault and the admins would not be to blame...
Re:That's why... (Score:3, Insightful)
That might be fine if your application uses only the features supported by all databases.
If you want more, you end up with a huge mess of bug-prone client side database operations. To ensure consistency of the data you have to do a HUGE amount of client side work because some databases don't support check constraints or constraint triggers. And all the other features it's the same deal: a huge amount of client-side code to accomplish something already available in most databases.
So why would the application programmer spend all of their time maintaining all those database layers?
It works for some applications, but for others it can be an exercise in futility.
Re:I don't get it (Score:3, Insightful)
even when you redundantly explain it, it doesn't get any cleverer
arbitrary dlls == dumb
Re:I don't get it (Score:3, Insightful)
The key word is "arbitrary". The ability to load winsock.dll into mysql is dumb
You *could* compile against a set of headers to mark the dll as database server safe
You *could* compile against a set of headers to mark the dll as owned by the owner of a particular database
You could cryptographically sign the dlls and only accept signed dlls
"ooh but it's just sooo flexible"
just like activeX email
Re:MyWorm (Score:3, Insightful)
The worm doesn't use a hole within MySQL, but only bad admin passwords. In short, it's a problem with people not a technical one.
But there are mitigating factors:
- MySQL allows loading of libraries (UDF) for users with the right privileges (of which root usually is one, of course), which is a powerful feature and that power can be abused.
- The worm requires that MySQL is set up for networking, and that the port is freely reachable from the internet.
And, more important from the OSS perspective, where's the patch?
No patch needed. The mitigating factors are configurable (you can disable networking in the config, and restrict accounts to certain hosts; you can compile MySQL without UDF support; and of course, you should have installed a firewall that restricts access to the port, if networking is really required).
Btw, better distributions already come configured this way (if you want UDF support and whatever, you use the MySQL-Max binary).
And what happens when different people release incompatible patches? Is a worm a good way to force a fork in an OSS project, making it less competitive?
Are you trolling? No admin with any clue would use any 3rd party patch (especially when work-arounds are available), but wait for the update from his vendor.
Changing your vendor after such an attack may be a good thing to consider, after security holes have been mishandled several times. But considering 3rd party stuff for an urgent hole only opens you to the equivalent of phishing attacks (notwithstanding all the other problems such an idea has, like that you can't know the quality of the patch).
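The comment above lists the configurable mitigating factors: networking that can be switched off in the config, and accounts that can be restricted to certain hosts. As an added example (not from the thread or from MySQL), this Python audit checks both on constructed inputs: a `[mysqld]` fragment of `my.ini` and rows shaped like an old-style `SELECT User, Host, Password FROM mysql.user`. The sample configs and account rows are made up for the demonstration.

```python
import configparser

# Constructed my.ini fragments (not real files): a risky install and a hardened one.
RISKY_INI = """\
[mysqld]
port=3306
"""
HARDENED_INI = """\
[mysqld]
skip-networking
"""

# Constructed rows shaped like (User, Host, Password) from mysql.user.
RISKY_ACCOUNTS = [("root", "%", ""), ("root", "localhost", ""), ("app", "10.0.0.5", "*HASH")]

LOCAL_HOSTS = ("localhost", "127.0.0.1")


def parse_mysqld_section(ini_text):
    """Parse the [mysqld] section; bare keys such as skip-networking are allowed."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False)
    cp.read_string(ini_text)
    return cp["mysqld"] if cp.has_section("mysqld") else {}


def networking_exposed(ini_text):
    """True if the server listens on TCP for non-loopback clients."""
    section = parse_mysqld_section(ini_text)
    if "skip-networking" in section:
        return False
    return section.get("bind-address") not in LOCAL_HOSTS


def weak_remote_accounts(rows):
    """Accounts with an empty password whose Host pattern allows remote logins."""
    return [(u, h) for u, h, pw in rows if pw == "" and h not in LOCAL_HOSTS]


def audit(ini_text, rows):
    """Findings a worm of this kind depends on; an empty list means neither factor is present."""
    findings = []
    if networking_exposed(ini_text):
        findings.append("TCP networking enabled: set skip-networking or firewall TCP/3306")
    for u, h in weak_remote_accounts(rows):
        findings.append(f"account '{u}'@'{h}' has an empty password and allows remote login")
    return findings


if __name__ == "__main__":
    for line in audit(RISKY_INI, RISKY_ACCOUNTS):
        print(line)
```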