Worm Hits Windows Machines Running MySQL 367

UnderAttack writes "A report on the Australian whirlpool forum suggest that a worm is currently taking out MySQL servers running on Windows. We have seen this happen with MSSQL before (not just 'Slammer', but also SQLSnake that used SA accounts without password). The SANS Internet Storm Center suggests that a rise in port 3306 scans can be attributed to the new worm, and is asking for observations to help figure this out. It appears the worm creates a file called 'spoolcll.exe'."
  • Re:Windows (Score:5, Insightful)

    by TedCheshireAcad ( 311748 ) <ted AT fc DOT rit DOT edu> on Thursday January 27, 2005 @12:31PM (#11493114) Homepage
    Don't laugh - it happens. MSSQL is 'spensive, and for an all-windows environment that needs a database - MySQL wins the prize.

    /took your comment too seriously
  • Re:Clarity (Score:3, Insightful)

    by Anonymous Coward on Thursday January 27, 2005 @12:33PM (#11493160)
    That doesn't change the fact that there are flaws in MySQL that need to be fixed.
  • by WoodstockJeff ( 568111 ) on Thursday January 27, 2005 @12:41PM (#11493271) Homepage
    This is yet another reason to not attach a Windows-based computer to internet without a firewall. Of course, having a public-access SQL server (regardless of its software) isn't a particularly good idea, either.

    For both of these, there are exceptional requirements that can negate these general rules, but anyone who has these requirements should know better than to not take exceptional measures to protect the server.

  • Re:Clarity (Score:1, Insightful)

    by Anonymous Coward on Thursday January 27, 2005 @12:44PM (#11493311)
    Regardless of your true intent, your posting appears to be an attempt to sell the idea that there are inherent flaws in windows. But unfortunately, the reality is that the worm didn't take advantage of a windows specific flaw! Basically the worm author CHOSE to target windows .. not Linux.

    But yeah of course you'll get modded up by all the default anti microsoft moderators. Any bashing of microsoft is praised here no matter how devious .. forget being logical and truthful.
  • Re:Clarity (Score:3, Insightful)

    by Fred_A ( 10934 ) <fred@f r e d s h o m e . o rg> on Thursday January 27, 2005 @12:46PM (#11493339) Homepage
    Flaws such as letting people install it that are clueless enough to put it on Internet connected machines without setting passwords for administrative accounts ?

    That'll be a tough one to patch...
  • Re:Clarity (Score:1, Insightful)

    by Anonymous Coward on Thursday January 27, 2005 @12:48PM (#11493362)
    It's a MySQL worm that only targets the windows platform, calling it a "windows" mysql is silly .. if the flaw gets exploited on linux then it'll be your fault that linux users didn't take precautions to protect their system.
  • In fairness (Score:5, Insightful)

    by wowbagger ( 69688 ) on Thursday January 27, 2005 @12:56PM (#11493480) Homepage Journal
    In fairness, I would generalize your statement to:

    Don't connect ANY computer to the Internet, or any other hostile network, without a firewall.

    Now, you can argue that, in the case of some operating systems, the firewall built into the OS, when properly configured, is enough.

    You can also argue that a firewall should be a firewall, and a firewall ONLY, and that any other services should be provided by another machine BEHIND the firewall.

    And depending upon the circumstances, either argument can win.

    However, if you think in terms of "First the firewall, THEN the services", you will be miles ahead.

    Connect a Linux box, or a *BSD box, or a Mac, or an AS/400, or .* to a hostile network with any non-trivial set of services running and no firewall, and it is going to have problems.

    The problem here is that the people who set up the MySQL servers on these boxes did not ensure they were firewalled - this could have happened just as easily to a Linux box with a similarly bad setup.
  • Re:Clarity (Score:2, Insightful)

    by picklepuss ( 749206 ) on Thursday January 27, 2005 @12:58PM (#11493500) Homepage

    Nice try, but you only took in a minor part of the equation, and so you fail

    While it's true, the worm could probably intrude a *nix mySQL server that was open to the internet with a default password of ''... intrusion is only part of the game plan. The payload is the important part

    In this case, I doubt that installing the exe on a *nix box is going to do much good. Even if the writer were to create a *nix specific script for the payload, I'm pretty sure it would be given the mysql uid/gid, and probably wouldn't be able to wreak havoc on a *nix-based system.

  • by KingBahamut ( 615285 ) on Thursday January 27, 2005 @01:05PM (#11493566)
    Lol....REAL DATABASE features.....that's an odd term. Let us go to the Websters. 1. A collection of data arranged for ease and speed of search and retrieval 2. An organized body of related information 3. One or more large structured sets of persistent data, usually associated with software to update and query the data. A simple database might be a single file containing many records, each of which contains the same set of fields where each field is a certain fixed width. Now then I clearly think that MySQL fits one or more of those definitions...making it a REAL DATABASE.....lol....wake up people.
  • In other news (Score:1, Insightful)

    by Anonymous Coward on Thursday January 27, 2005 @01:08PM (#11493598)
    There have been reports of large amounts of thefts occurring from persons leaving stacks of cash outside their front doors. Apparently, perpetrators would use a vehicle to drive up to individuals' houses and take the money.

    Sad to say, but this is where ease of use and point-and-click stuff brings you.

    To MySQL's credit, IIRC, latest MySQL for Windows installers are fairly insistent on warning you about enabling network access and setting a root password.
  • by Zaiff Urgulbunger ( 591514 ) on Thursday January 27, 2005 @01:21PM (#11493764)
    However - many developers I know believe that dev machines don't merit the same kind of hardening as production machines. "Hey! We're behind the firewall, we're safe!"
    I'm not justifying what they're doing, but if they're behind a firewall then shouldn't they be safe from this worm? Surely the people getting infected are the people with MySQL ports open directly on the int0rweb *and* no hardening.

    Maybe this'll serve as a wake-up call.
    True!
  • by DanGroom ( 850713 ) on Thursday January 27, 2005 @01:37PM (#11493961)
    So, having RTFA I'm not even slightly concerned. I have mysql running on windows, but since the exploit this thing uses requires a) straight up access via the internet (eg, no firewall) and b) a brute force attack on the root password, I feel pretty safe. As should anyone else who's behind a firewall and whose root mysql password isn't '12345'....
  • Re:slashdot rulez (Score:1, Insightful)

    by Anonymous Coward on Thursday January 27, 2005 @01:37PM (#11493962)
    So why didn't you propose it as an article then?
  • Re:slashdot rulez (Score:1, Insightful)

    by Anonymous Coward on Thursday January 27, 2005 @02:11PM (#11494380)
    I'm not the OP, but maybe he *did* submit something and the editors didn't post it then. They do have a reputation of rejecting a story, then accepting the same story three weeks later, after all...
  • by HvitRavn ( 813950 ) on Thursday January 27, 2005 @02:29PM (#11494608)
    No need to flame people who use MySQL on win32. This has been briefly mentioned already, but here's a slightly better explanation. One of MySQL's major advantages over other free medium-to-lightweight databases (such as pgsql) is that MySQL has been available for the win32 platform for a very long period of time (if you are about to mention firebird, take a look here [sourceforge.net]). This enabled developers to install their webserver of choice (apache) with some cool script mod (php) alongside a database well suited for small to medium web projects (mysql). So if you are a supporter of (F)OSS, then you better not flame people who use MySQL on win32, because that is one of the reasons why MySQL is so popular today.
  • Re:That's why... (Score:5, Insightful)

    by Dysan2k ( 126022 ) on Thursday January 27, 2005 @02:40PM (#11494763) Homepage
    You can chalk this one up to careless admins - something I'm sure PostgreSQL is not immune to either.

    Nothing is. Postgres folk can cry all they want, and so can MySQL, mSQL, Oracle, Informix, Sybase, Firebird, etc. It makes no difference. If you have no password, you can get into it.

    Amazes me sometimes the rabidness of the db crowd. It's a database, folks. It stores data. It's not an AI.
  • Re:I don't get it (Score:3, Insightful)

    by DrSkwid ( 118965 ) on Thursday January 27, 2005 @03:26PM (#11495300) Journal

    mysql can load arbitrary dlls?

    lol that's one of the dumbest features I ever heard!!

  • by oconnorcjo ( 242077 ) on Thursday January 27, 2005 @03:29PM (#11495336) Journal
    A simple database might be a single file containing many records, each of which contains the same set of fields where each field is a certain fixed width. Now then I clearly think that MySQL fits one or more of those definitions...making it a REAL DATABASE.....lol....wake up people.

    What I think most people who talk about REAL DB'S are referring to is the ACID Test [about.com]. I have not checked recently but for the longest time MySQL failed those requirements.

  • Re:That's why... (Score:3, Insightful)

    by jadavis ( 473492 ) on Thursday January 27, 2005 @03:32PM (#11495380)
    Although I am a postgresql advocate, I want to caution users that win32 is very different from UNIX. PostgreSQL doesn't have a long track record on win32, merely a lengthy beta test. So, it's a great database, but stop short of assuming that PostgreSQL's legendary reliability was translated perfectly to win32. After a few more months of real-world testing, you can be much more sure.
  • Re:That's why... (Score:2, Insightful)

    by soulhuntre ( 52742 ) on Thursday January 27, 2005 @03:36PM (#11495429) Homepage
    You can chalk this one up to careless admins

    Absolutely. And that is where the blame belongs - with a small nod that MySQL should not have remote admin on by default.

    Of course, if this had been a MS product then it would be all MS's fault and the admins would not be to blame... :)
  • Re:That's why... (Score:3, Insightful)

    by jadavis ( 473492 ) on Thursday January 27, 2005 @03:44PM (#11495525)
    It would be nice if application developers made their apps database agnostic, but it rarely seems to happen.

    That might be fine if your application uses only the features supported by all databases.

    If you want more, you end up with a huge mess of bug-prone client side database operations. To ensure consistency of the data you have to do a HUGE amount of client side work because some databases don't support check constraints or constraint triggers. And all the other features it's the same deal: a huge amount of client-side code to accomplish something already available in most databases.

    So why would the application programmer spend all of their time maintaining all those database layers?

    It works for some applications, but for others it can be an exercise in futility.
  • Re:I don't get it (Score:3, Insightful)

    by DrSkwid ( 118965 ) on Thursday January 27, 2005 @04:49PM (#11496190) Journal
    that's right, dumbest

    even when you redundantly explain it, it doesn't get any cleverer

    arbitrary dlls == dumb

  • Re:I don't get it (Score:3, Insightful)

    by DrSkwid ( 118965 ) on Thursday January 27, 2005 @05:35PM (#11496857) Journal

    The key word is "arbitrary". The ability to load winsock.dll into mysql is dumb

    You *could* compile against a set of headers to mark the dll as database server safe

    You *could* compile against a set of headers to mark the dll as owned by the owner of a particular database

    You could cryptographically sign the dlls and only accept signed dlls

    "ooh but it's just sooo flexible"

    just like activeX email

  • Re:MyWorm (Score:3, Insightful)

    by catenos ( 36989 ) on Thursday January 27, 2005 @08:14PM (#11498758)
    We've got the source code. Where's the hole?

    The worm doesn't use a hole within MySQL, but only bad admin passwords. In short, it's a problem with people not a technical one.

    But there are mitigating factors:
    - MySQL allows loading of libraries (UDF) for users with the right privileges (of which root usually is one, of course), which is a powerful feature and that power can be abused.
    - The worm requires that MySQL is set up for networking, and that the port is freely reachable from the internet.

    And, more important from the OSS perspective, where's the patch?

    No patch needed. The mitigating factors are configurable (you can disable networking in the config, and restrict accounts to certain hosts; you can compile MySQL without UDF support; and of course, you should have installed a firewall that restricts access to the port, if networking is really required).

    Btw, better distributions already come configured this way (if you want UDF support and whatever, you use the MySQL-Max binary).

    And what happens when different people release incompatible patches? Is a worm a good way to force a fork in an OSS project, making it less competitive?

    Are you trolling? No admin with any clue would use any 3rd party patch (especially when work-arounds are available), but wait for the update from his vendor.

    Changing your vendor after such an attack may be a good thing to consider, after security holes have been mishandled several times. But considering 3rd party stuff for an urgent hole only opens you to the equivalent of phishing attacks (notwithstanding all the other problems such an idea has, like that you can't know the quality of the patch).
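An added audit script, not part of catenos's post or of the MySQL project, that checks the two configurable factors named in the post (a TCP listener left on, and privileged accounts with empty passwords reachable from remote hosts) against constructed sample grant-table rows and my.ini fragments; the account rows, the hash value and the config text are all assumed.

```python
import re

# Constructed sample of `SELECT user, host, password FROM mysql.user`
# output from a carelessly installed Windows server (hypothetical values).
SAMPLE_USERS = [
    ("root", "localhost", ""),
    ("root", "%", ""),
    ("web", "192.168.1.10", "*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29"),
    ("", "%", ""),  # anonymous account left over from the default install
]

# Constructed my.ini fragments: the exposed setting beside the corrected one.
WEAK_CONFIG = "[mysqld]\nport=3306\n"
HARDENED_CONFIG = "[mysqld]\nport=3306\nskip-networking\n"


def audit_users(rows):
    """Flag grant-table rows that password guessing over port 3306 would hit."""
    findings = []
    for user, host, pw in rows:
        if pw == "":
            findings.append(f"empty password: '{user}'@'{host}'")
        if user == "":
            findings.append(f"anonymous account at host '{host}'")
        if user == "root" and host == "%":
            findings.append("root reachable from any host")
    return findings


def networking_enabled(config_text):
    """True unless the [mysqld] section has skip-networking (TCP listener off)."""
    in_mysqld = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_mysqld = line.lower() == "[mysqld]"
        elif in_mysqld and re.fullmatch(r"skip[-_]networking", line):
            return False
    return True


def exposed_to_worm(rows, config_text):
    """Preconditions from the post: networking on AND an empty-password
    account that is not restricted to localhost."""
    remote_weak = any(pw == "" and host != "localhost" for _, host, pw in rows)
    return networking_enabled(config_text) and remote_weak


if __name__ == "__main__":
    for f in audit_users(SAMPLE_USERS):
        print("FINDING:", f)
    print("exposed:", exposed_to_worm(SAMPLE_USERS, WEAK_CONFIG))
```

The host check mirrors the post's "restrict accounts to certain hosts" advice: an empty root password on 'localhost' alone is still bad practice but does not satisfy the worm's remote precondition.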
