Worm Hits Windows Machines Running MySQL

UnderAttack writes "A report on the Australian whirlpool forum suggest that a worm is currently taking out MySQL servers running on Windows. We have seen this happen with MSSQL before (not just 'Slammer', but also SQLSnake that used SA accounts without password). The SANS Internet Storm Center suggests that a rise in port 3306 scans can be attributed to the new worm, and is asking for observations to help figure this out. It appears the worm creates a file called 'spoolcll.exe'."

Acronym madness clarification.

[sanityspeech]

What is the SANS institute?

The SANS (SysAdmin, Audit, Network, Security) Institute provides information security training and certification. For more information, visit www.sans.org

What's an SA account?

The system administrator (SA) account is similar to the DBO except it is of the entire server. It has the same access and permissions as the DBO on all the databases in the server.

DBO account???

The DBO User Account The database owner (DBO) is the administrator for the database. It has full access to all operations and rights.

SQL Snake is an Internet worm, that scans for open Microsoft SQL 7 (MSSQL) and 2000 servers - which run on TCP Port 1433 by default. The worm attempts to log into the System Administrator (SA) account with no password. If successful, the worm downloads and hides some files and grabs system configuration and account names.

Before the MySQL bashers start, it should be noted that this is not a problem with MySQL.

From the article:

This bot does not use any vulnerability in mysql. The fundamental weakness it uses is a week 'root' account. The following mitigation methods will prevent exploitation:

Strong Password: Select a strong password, in particular for the 'root' account.
Restricted root account: Connections for any account can be limited to certain hosts in MySQL. This is in particular important for 'root'. If possible, 'root' should only be allowed to connect from the local host. MySQL will also allow you to force connections to use mysql's own SSL connection option.
Apply firewall rules: MySQL servers should not be exposed to the "wild outside". Block port 3306 and only allow access from selected hosts that require such access. Again, the use of ssh forwarding or SSL is highly recommended.

Re:Acronym madness clarification.

[Deviate_X]

Before the MySQL bashers start, it should be noted that this is not a problem with MySQL

This is not a bash but... A server should not (by default at least) allow remote access to administrative or root accounts where no password has been specified.

Re:Acronym madness clarification.

[Naikrovek]

It doesn't. You have to configure it to allow non-localhost connections.

Re:Acronym madness clarification.

[DrSkwid]

almost there, try this :

A server should not have root accounts.

there, that's more like it

Re:Acronym madness clarification.

[Deviate_X]

Clearly you have no idea that this flaw has nothing to do with Windows Security. That is another debate.

This is a flaw in Windows version of MySQL. Your comment is entirely beside the point.

Don't do the editors job for him!

[fm6]

It makes him lazy!

Shouldn't be a big deal

[Mad Merlin]

How often does your database have to talk directly to the outside world? The port should be closed to the outside world most of the time.

A hole in a program that communicates to the database and is accessable from the outside world would be a much more serious flaw I would imagine.

Re:Shouldn't be a big deal

[EvilAlien]

Right... and many worms shouldn't be a big deal (eg Slammer) because admins should be patching diligently. Meanwhile, in the real world, humans are lazy and irresponsible.

I don't get it

[gowen]

I don't understand the sans report. First it says :

The bot uses the "MySQL UDF Dynamic Library Exploit".

before adding

This bot does not use any vulnerability in mysql.

Come again?

Re:I don't get it

[Qzukk]

Well, to spread it specifically uses weak default/unset DB admin passwords and MySQL running as a system or admin level task with write access to everything. Once the worm is in your server as the db admin password, it uses the db admin's ability to load a dll into mysql to allow it to perform actions outside of mysql.

See the details on this [securiteam.com] for information about what exactly is happening. There are plenty of DLLs on windows laying around that do all sorts of stuff, once you define a function call in MySQL to use a dll that allows you to execute whatever you want on the system, you win.

Re:I don't get it

[prockcore]

Well, to spread it specifically uses weak default/unset DB admin passwords and MySQL running as a system or admin level task with write access to everything.

The default MySQL admin account only allows connections from localhost. So it sounds like it only affects people who purposely created an admin account with a host of '%' and no password.

Re:I don't get it

[DrSkwid]

mysql can load arbitrary dlls?

lol that's one of the dumbest features I ever heard!!

Re:I don't get it

[DrSkwid]

that's right, dumbest

even when you redundantly explain it, it doesn't get any cleverer

arbitrary dlls == dumb

Re:I don't get it

[DrSkwid]

The key word is "arbitrary". The ability to load winsock.dll into mysql is dumb

You *could* compile against a set of headers to mark the dll as database server safe

You *could* compile against a set of headers to mark the dll as owned by the owner of a particular database

You could cryptographically sign the dlls and only accept signed dlls

"ooh but it's just sooo flexible"

just like activeX email

Re:I don't get it

[Whispers_in_the_dark]

I think they're referring to the method of entry -- poorly configured mySQL instances (with open or common root passwords). Once in, the Windows level security takes over and the worm can act pretty freely it seems.

Re:I don't get it

[Zontar The Mindless]

This affects MySQL on Windows only, and does not exploit MySQL so much as it exploits Windows users who don't take basic precautions.

Things to do to keep from getting wormed:

1. Set a strong password for the root account.

2. Don't let root log in from an arbitrary host. Don't let root log in from anywhere but 127.0.0.1/localhost if at all possible.

(1 and 2 should be SOP for any MySQL installation as soon as you've verified that mysqld is actually running.)

3. Run MySQL on a port other than 3306.

4. Switch

Re:I don't get it

[secolactico]

I don't understand the sans report. First it says :

The bot uses the "MySQL UDF Dynamic Library Exploit".

UDF stands for "U Dumb Fscker" refering to those admins that don't bother setting up an admin password on their Mysql servers.

Not for the first time ...

[enoraM]

Actually we have seen this before with MySQL in the beginning of 2003:

SELECT INTO outfile was buggy up to 3.23.55

I got hit

[LiquidCoooled]

My test server was compromised at 18:50 yesterday.
When I got back to my machine at 19:20, I cleaned it down and found out what was happening.

All firewall logs etc and have archived the executable and dll files dropped.

One into the mysql data folder (app_result.dll), and the executable spoolcll.exe was dropped into windows.
Only now that I've gone into the archive folder has Norton picked it up and archived it (it had shutdown/ran the QConsole.exe NAV application to ensure Norton didn't find it, or it just wasn't in the definitions yesterday).
Its been detected as a href='http://securityresponse.symantec.com/avcente r/venc/data/w32.spybot.worm.html'>w32.Spybot.worm.

Re:I got hit

[jeffy210]

Okay I must ask. If this attack comes across a port. Why in the world did you have that port open to the outside? Not trying to flame you, but a little common sense.

Bandwidth comparison, please ?

[LordPixie]

What is going to soak up more of the Internet's bandwidth ? A MySQL worm port scanning every IP in existance, or a gigantic mob of Slashdotters flaming Microsoft because it only affects Windows machines ? And will either of them even come close to breaking the current record held by BitTorrent Porn ?

For the stirring conclusion, stay tuned to Netcraft: As the Internet turns...


--LordPixie

Not surprising

[barryman_5000]

I wonder why Microsoft doesn't just decide to build a new OS from scratch that will only run its own software and be very limited but only do one thing good. It doesn't surprise me everytime an exploit appears for programs or OS's nowadays since no one tries to make their stuff secure. Even OpenBSD doesn't do enough. They need to start with more limits and be less user friendly when you are doing something like database software.

Re:Not surprising

[ultranova]

I wonder why Microsoft doesn't just decide to build a new OS from scratch that will only run its own software

Isn't this the point of Palladium ?

Ok, this is strange

[digitalgimpus]

Just a few minutes ago, Sygate Personal Firewall allerted me to several portscans on my system.

I am running mySQL 4.0.x...

I guess it's time to see what's going on.

I do keep all ports closed, all mySQL passwords are secure, no remote access to mySQL. It's just for dev purposes.

Not sure if there is a connection, but I'm going to look into it.

Re:Ok, this is strange

[stanleypane]

You seem very concerned. Better submit that last Slashdot comment before checking it out.

Re:Ok, this is strange

[digitalgimpus]

No games going...

and never really had portscan detection go off.

so far, looks like nothing signifigant, don't see any connection.

Just coincidence I guess.

I want my money back!

[netsavior]

Man if I had known that this software was vulnerable to worms I would never have bought it.

MySQL a real DB?

[Atomizer]

Does this mean MySQL is considered a real DB now?

Re:MySQL a real DB?

[KingBahamut]

Lol....REAL DATABASE features.....thats an odd term. Let us go to the Websters. 1. A collection of data arranged for ease and speed of search and retrieval 2. An organized body of related information 3. One or more large structured sets of persistent data, usually associated with software to update and query the data. A simple database might be a single file containing many records, each of which contains the same set of fields where each field is a certain fixed width. Now then I clearly think that My

Re:MySQL a real DB?

[oconnorcjo]

A simple database might be a single file containing many records, each of which contains the same set of fields where each field is a certain fixed width. Now then I clearly think that MySQL fits one or more of those definitions...making it a REAL DATABASE.....lol....wake up people.

What I think most people who talk about REAL DB'S are refering to is the ACID Test [about.com]. I have not checked recently but for the longest time MySQL failed those requirements.

Windows + Internet = Bad Things

[WoodstockJeff]

This is yet another reason to not attach a Windows-based computer to internet without a firewall. Of course, having a public-access SQL server (regardless of its software) isn't a particularly good idea, either.

For both of these, there are exceptional requirements that can negate these general rules, but anyone who has these requirements should know better than to not take exceptional measures to protect the server.

Re:Windows + Internet = Bad Things

[3dr]

Good points. And to just emphasize the underlying security issue, corporate environments are far from being safe havens, too. It's imperative the DB root account has a good password (for sufficient values of good!).

I run several MySQL servers on XP/w2k3server/linux boxes at work. All are closed to non-localhost access.

In fairness

[wowbagger]

In fairness, I would generalize your statement to:

Don't connect ANY computer to the Internet, or any other hostile network, without a firewall.

Now, you can argue that, in the case of some operating systems, the firewall built into the OS, when properly configured, is enough.

You can also argue that a firewall should be a firewall, and a firewall ONLY, and that any other services should be provided by another machine BEHIND the firewall.

And depending upon the circumstances, either argument can win.

However, if you think in terms of "First the firewall, THEN the services", you will be miles ahead.

Connecting a Linux box, or a *BSD box, or a Mac, or an AS/400, or .* to a hostile network with any non-trivial set of services running and no firewall, and it is going to have problems.

The problem here is that the people who set up the MySQL servers on these boxes did not insure they were firewalled - this could have happened just as easily to a Linux box with a similarly bad setup.

Re:Windows + Internet = Bad Things

[Malc]

You should be moderated troll. An overly anti-Microsoft zealot at that. This isn't about Windows. This is about MySQL and poor admins (weak passwords and poor firewall configuration).

Re:Windows + Internet = Bad Things

[WoodstockJeff]

Gee, according to the article, it's about MySQL, Poor Administration, and Windows. Remove any of the ingredients, and it's not a problem!

That said, Windows, by default, has a lot of things going on that the user is unaware of. Does the average Windows user know that LSASS is running? Or the Messenger service? And why does Windows default to loading MSMessenger, and fight most attempts to disable it?

And the firewall is considered laughable by many sources I've read, including Windows zealot sites. It's ver

Re:Windows + Internet = Bad Things

[WoodstockJeff]

You can still avoid this problem. Even if you have to have remote access, do NOT allow 'root' to log in remotely. Create another user, also password protected, to do root-like things on MySQL.

The way to do this:

use mysql;
grant all privileges on *.* to obscureusername@"%" identified by 'strongpassword' with grant option;
delete from user where host='localhost' and user='';
flush privileges;

Re:Mod parent down

[WoodstockJeff]

It exploits weak passwords to gain root within MySQL.

Just like so many worms exploit weak or non-existant administrator passwords in Windows XP to promote themselves to services. Weak passwords are worse than no password. At least no password means you know anyone can access your system. And Windows XP doesn't do much to discourage you from running as Administrator, and does a lot to prevent you from running as anything else (What? I can't sync my Palm Pilot without being an Administrator?!? DO IT!).

Don't keep the port open!

[hacker]

99.99% of people who run MySQL run it on the same machine as their webserver that queries it. Most people don't actually do queries across the network to the database server.

Just run MySQL with --skip-networking at startup (skip-networking in my.cnf), to disable MySQL from listening on port 3306. I know on most systems, its probably the default, but in almost all of the cases, its completely unnecessary.

And also, validate your input !! Don't just assume that whatever is passed on the URI field of a browser, is going to be correct. Check it. Then check it again.

Re:Don't keep the port open!

[Malc]

Good points that all good admins should consider in case they have an issue with their firewall (e.g. screwing reconfiguring open ports). If you don't have a firewall, then why not? If you're a home user on broadband, then why aren't you behind a cheap router?

Re:Don't keep the port open!

[drinkypoo]

Turning off networking makes remote administration more difficult. Why not just block the port? Every supported version of NT, plus the two most recent unsupported versions (and probably more) has port filtering. Just block those ports (or, you can default deny) on the external interface.

Re:Don't keep the port open!

[hacker]

"Turning off networking makes remote administration more difficult."

What 'remote administration' tools are you referring to? No open network port is required for remote administration.

Re:Don't keep the port open!

[drinkypoo]

By definition you need SOME kind of network port open for remote administration. Otherwise you can only connect locally. Or through serial I guess, but since the overwhelming majority of Windows software is manageable only via GUI, you really need Terminal svcs or VNC. However, I was talking specifically about being able to use a SQL client on another box to muck with the db. You could put mysqladmin on the box, but then you'd need a web server and php, and a http port open.

Re:Don't keep the port open!

[hacker]

"By definition you need SOME kind of network port open for remote administration. Otherwise you can only connect locally."

Almost right.

Since you should, as a good administrator, limit the number of ports open for potential exploits. This means using vnc-over-ssh (locked to specific incoming hosts, of course) to admin the box, instead of vnc (on 5900) and then 3306 for MySQL (which isn't secure anyway). This way, you keep one port open (22) instead of three ports (22, 3306, 5900).

But you can, and sho

Re:Don't keep the port open!

[Dausha]

if you are going to remote administer a server, you should first SSH into the server. Then as a "localhost" user, you can access the database. You wouldn't remote administer via the port. Or, at least, you should.

Re:Don't keep the port open!

[wolrahnaes]

"so disabling networking is not really viable on Windows is it?"

I don't know about other services, but MySQL on Win32 supports named pipes, and can use those instead of TCP/IP. It even asks in the installer if you want to disable networking.

Some info

[Squeebee]

Ok folks. This is a bot, and it uses weak root passwords to gain entry to MySQL. From there, it loads a BLOB in a table with a payload DLL, which it then writes to disk and loads as a MySQL UDF. The UDF is called, which creates the bot and the system is compromised.

Damage appears to be low as it is more spyware than anything, and you are only at risk if you A) Have not firewalled the MySQL Port, B) Have a root account that is allowed to login from anywhere, not just localhost, and C) Have a weak root password.

So, the fix is this:

A) Firewall port 3306
B) Remove the root@% account, only allow root@localhost
C) Set a strong password

I have more info at http://www.openwin.org/mike/index.php/archives/200 5/01/batten-the-hatches-mysql-targeting-bot-on-the -loose/

Re:Some info

[Squeebee]

Now with href goodness: http://www.openwin.org/mike/index.php/archives/200 5/01/batten-the-hatches-mysql-targeting-bot-on-the -loose/ [openwin.org]

Does mysql on windows have root@%?

[lorcha]

I just looked at my Debian and Gentoo installations and neither of them leave you vulnerable to this type of crap by default.

Who really creates an unpassworded root@% superuser account?

Re:Does mysql on windows have root@%?

[Squeebee]

Non-Windows installations are not vulnerible.

Re:Does mysql on windows have root@%?

[RollingThunder]

To having the DLL loaded, true.

However, if you're foolish/ignorant enough to have root@% with no password, then anyone can connect to your database remotely and browse your data to their hearts content.

temporary fix

[greechneb]

Open the Administrative Tools/Services app.
Find the "Event Monitor" service.
Open the Properties for this service.
You cannot pause or stop this service, so set the General/Startup Type to Disabled.
On the Recovery tab, set all 3 failure actions to Take No Actions.

Reboot.

Since the service didn't start, spoolcll.exe is not running.
Delete it (or whatever).

But, do not delete the service, as its existence will prevent new copies of the virus from activating.

Re:temporary fix

[advocate_one]

Reboot?!?!?!?!?! surely not... oh you're talking about ms-windows here... not Linux.

MySQL in practice

[Marcus Erroneous]

Well, I'm pretty sure I've got that port blocked already, but . . .
I stood up MySQL on a Linux box and on a Win2k box to show that, unlike MSSQL, MySQL ran on more than one platform. One database could be deployed to both platforms with the ability to keep the application running even if one goes down. Instead of having the app be entirely offline, you can bring the other over very quickly. Did this just after the first MSSQL worm to show that there are alternatives and that entire sites don't have to go down because of one bug. Now we're working on deploying some Linux clusters.

People have their DB open to the world?!

[Abcd1234]

Good lord, are you kidding? I would assume any reasonable organization that was accessing their database over a network would keep the webserver on a DMZ and the database server behind a firewall that's tightened up and only allows access to the database from the DMZ. Isn't this, uh, kinda obvious? And, of course, if the database and the webserver are on the same box, *why* is remote access enabled at all?

MyWorm

[Doc Ruby]

We've got the source code. Where's the hole? And, more important from the OSS perspective, where's the patch? And what happens when different people release incompatible patches? Is a worm a good way to force a fork in an OSS project, making it less competitive?

Re:MyWorm

[catenos]

We've got the source code. Where's the hole?

The worm doesn't use a hole within MySQL, but only bad admin passwords. In short, it's a problem with people not a technical one.

But there are mitigating factors:
- MySQL allows loading of libraries (UDF) for users with the right privileges (of which root usually is one, of course), which is a powerful feature and that power can be abused.
- The worm requires that MySQL is set up for networking, and that the port is freely reachable from the internet.

And, more

Re:MyWorm

[catenos]

I already answered to the second part, too. Usually there are work-arounds available. I am not sure which experience you are referring to, but I see professionals to wait for official patches and vendor updates, usually. Applying patches manually seems to be the exception, not the rule.

But let's assume people do what you say and your scenario would happen. Why would this be a vulnerablity? What is the problem? Actually, I see it as another advantage of OOS. With binary software, you *have* to use a work-ar

wooooo the scary worm is after me

[DanGroom]

So, having RTFA I'm not even slightly concerned. I have mysql running on windows, but since the exploit this thing uses requires a)straight up access vis the internet (eg, no firewall) and b) a brute force atack on the root password, I feel pretty safe. As should anyone else who's behind a firewall and who's root mysql password isn't '12345'....

serious?

[dtfinch]

"the bot first has to authenticate to mysql as 'root' user. A long list of passwords is included with the bot, and the bot will brute force the password."

This makes MySQL look about as vulnerable as ssh.

Good

[Pan T. Hose]

Does it mean that MySQL is now officially "ready for the desktop"? Hopefully, the Linux version will be next.

MySQL on Win32, market share

[HvitRavn]

No need to flame people who use MySQL on win32. This has been briefly mentioned already, but here's a slightly better explanation. One of MySQL's major advantages over other free medium-to-lightweight (such as pgsql) is that MySQL has been available for the win32 platform for a very long period of time (if you are about to mention firebird, take a look here [sourceforge.net]). This enabled developers to install their webserver of choice (apache) with some cool script mod (php) alongside a database well suited for small to medium web projects (mysql). So if you are a supporter of (F)OSS, then you better not flame people who use MySQL on win32, because that is one of the reasons why MySQL is so popular today.

Time to check auth.log and firewall rules...

[MyHair]

Jan 27 09:57:27 (fakehostname) mysqld[338]: refused connect from 217.224.(#).(#)

Jan 27 09:57:47 (fakehostname) last message repeated 21 times

(A few more like this were in the log.)

D'oh! Didn't realize I had it open. At least I'm on Linux and don't have a blatantly obvious root password. PostgreSQL installed with IP off by default; I guess MySQL didn't. I don't even rememeber why MySQL's installed...some php toy I guess. PostreSQL and MSSQL ports are already blocked even though I don't have MSSQL.

Time to update the firewall (dedicated and local), MySQL config and revisit password strength. Maybe I should finally go to a deny by default policy....

Re:Windows

[TedCheshireAcad]

Don't laugh - it happens. MSSQL is 'spensive, and for an all-windows environment that needs a database - MySQL wins the prize.

/took your comment too seriously

Re:Windows

[Directrix1]

Only because people don't know about Firebird.

Re:Windows

[pr0c]

and now postgres

Re:Windows

[nurb432]

Or the ones that dont know the native PostgreSQL for win32 is now out..

Re:Windows

[daeley]

Only because people don't know about Firebird.

Web browser, right? Wonder what ever happened to them... ;)

Re:Windows

[einhverfr]

Only because people don't know about Firebird.

Or PostgreSQL.

Thinking of it, it would be possible to write a virus that would spread through PostgreSQL systems that were improperly secured (set to Trust authentication on network ports). It could then create a stored procedure using an untrusted language like plpythonu or plerlu if these are installed and create something that scans the network looking for others to infect.

Unfortunately no rdbms is likely to be fully immune except maybe Oracle and only

Re:Windows

[einhverfr]

Last time I looked at firebird I seem to recall having an issue with it not recognizing case, which wasn't a good thing.

As per SQL spec (relation and attribute names only, of course). Data is case sensitive by default.

Of course, most other databases default all case to lower, while Firebird/Interbase defaults all case to upper, so this does create a portability issue by different readings of the spec.

Actually, MySQL's behavior is the one which is broken.

Re:Windows

[forrestt]

Or maybe it was Linux.... I could swear the reason I dismissed it was over that... maybe I'm just crazy.

This is from MySQL 3.23.58 on Linux

mysql> select firstName from person where firstName = "Forrest";
+-----------+
| firstName |
+-----------+
| Forrest |
+-----------+
1 row in set (0.00 sec)

mysql> select firstName from person where firstName = "forrest";
+-----------+
| firstName |
+-----------+
| Forrest |
+-----------+
1 row in set (0.00 sec)

So, yes it is case INsensitive. (But I can't really do anythi

Re:Windows

[Malc]

There's always PostgreSQL [postgresql.org].

/continuing being too serious ;)

Re:Windows

[Tony Hoyle]

90% of tasks can be handled by the free MSDE install.. there's a 2GB limit, but a lot of tasks simply don't need that kind of size.

MySql is expensive too (300 per client, unless you want to GPL all your software).

Re:Windows

[cbiltcliffe]

MySql is expensive too (300 per client, unless you want to GPL all your software).

No, $300 per server, and you don't have to GPL anything unless you redistribute it with the freely downloaded MySQL.

Re:Windows

[greechneb]

People who use windows for other things, and don't want to pay for the MSSQL license. You'd be suprised, there are several people I know who use this, just because they are lazy and cheap.

Re:Windows

[UnderAttack]

Well, Apache, PHP and MySQL run just fine in Windows. Many people run Linux on servers, but Winows on Developer desktops (which then have Apache, php and mysql installed).

Re:Windows

[_xeno_]

Exactly. There are something like seven developer systems running Windows that have MySQL and a web server on them for webapp development in the section I work for. Then, later, the webapp gets uploaded to a Solaris machine where the users actually use it.

I also have MySQL on my home Windows machine, since that's what my hosting provider offers. So I do some basic testing on Apache on Windows with MySQL as the database backend.

Re:Windows

[Kick the Donkey]

PHP: True cross-platform programming... ;)

Re:Windows

[gmuslera]

I'll bet that the worm takes advantage of default installation of MySQL made by PHPTriad [sourceforge.net] or another "easy" way to install under windows mysql along with i.e. php and apache for this case

In linux by default in a lot of distributions being able to connect from network is disabled in mysql, or sets root password as php password, so the risk of that kind of worm (well, for systems that don't have even a basic firewall configured) is pretty low.

Re:Windows

[ultranova]

In linux by default in a lot of distributions being able to connect from network is disabled in mysql, or sets root password as php password,

How does the installer do this, considering that root password is stored in hashed format, and thus should be theoretically unviewable ? Does the installer brute-force it, or does MySQL accept passwords in their hashed form, or does the installer simply ask the root password and then verify it ?

Re:Windows

[ajs318]

Linux passwords are scrambled, but the root user can read the scrambled password file. The first part of the scrambled password ($1$, eight letters/digits, $) is the "salt". The same plaintext password and the same salt will always produce the same scrambled password. The password scrambling algorithm is a standard C library function, so almost every programme uses it, not just the login validator.

Upshot: if you copy a scrambled password from one user to another, or out of /etc/shadow into a .htpasswd {apache password file; used to password-protect directories} or something similar, it'll Just Work.

MySQL actually uses a different password hashing algorithm, unless you tweaked the source, but I think the parent is talking about PHPMyAdmin. This creates a standard .htpasswd file when it is installed, and it uses root's UNIX password. Note you still have to supply PHPMyAdmin with a MySQL username and password. By default, MySQL has a user called "root" with no password who is only allowed to login locally. This is considered secure enough for most applications.

NB: it's generally a very bad idea to use the same password for login and database. One dodgy web hosting company I have experienced actually did this. The MySQL username and password have to be in your user directory somewhere, in plaintext, and they have to be world-readable so the Apache daemon can see them. Upshot: any user can see any other user's database username and password. {This is why the root/no password combination isn't so insecure as it looks.} Ordinarily, the PHP {or Perl or Python} interpreter gets them first, and the user only ever sees the output from the interpreter; but you can pay for an account with the same company, determine the directory structure reasonably easily, and use a simple PHP, Perl, Python or Bash script to traverse other users' directories looking for passwords. If the database username and password is the same as the UNIX password then you can have much fun, since these passwords are also good for FTP, POP3 and SSH.

I really need to remember to check the HTML option

[LetterJ]

I rewrote PHPTriad, securing the default password for root and did so 3 years ago. The new product is Sokkit [sokkit.net]. However, Sourceforge won't let me take PHPTriad down, point to the new commercial version or in any way indicate the project has been shut down.

The only reason I left it alone in the old PHPTriad package was that was how MySQL themselves ship the setup. The official MYSQL binaries have (unless it's changed very recently) *no* password on the root account unless you deliberately go and change it.

Re:Windows

[edremy]

Us. I just inherited our electronic portfolio system, which runs Apache/Tomcat/MySQL on Windows2000. We're mostly a Windows shop, and it runs fine. (Well, sorta fine, but I think that's mostly some problems with the portfolio, not A/T/M.)

Re:Windows

[weopenlatest]

I use mysql at the web shop I work for. The reason is that we're in the process of moving a legacy ASP application to LAMP, and running both PHP and ASP on the same box was SUPPOSED to be a timesaver by smoothing over the transition. I was against this idea from the beginning, arguing that mysql and php on windows were a underdeveloped compared to the linux/unix versions. Now I have a nice 'I told you so' that the managers can understand.

Re:Windows

[outZider]

Because PostgreSQL doesn't have as large of a community, can be a pain in the ass to administer, and doesn't have the same cross platform toolset as MySQL has accumulated over the years. Technically, PostgreSQL is superior, but in practice, most won't care or know the difference.

What?

[Anonymous Coward]

Do you realize how much of a pain it was to get postgres working on Windows until fairly recently?

Re:What?

[einhverfr]

Do you realize how much of a pain it was to get postgres working on Windows until fairly recently?

Not only that but the Cygwin port didn't scale too well. That was one of the real issues why the Windows port was so important even for those of us using Cygwin.

Re:That's why...

[Anonymous Coward]

Read the article. It's not exploting a security hole in MySQL. It's exploiting MySQL installations that:

a) Are not firewalled to the world (who'd make a DB accessible directly to the Internet?)

b) Allow root/admin connections from the outside.

c) Have weak root/admin passwords.

You can chalk this one up to careless admins - something I'm sure PostgreSQL is not immune to either.

Re:That's why...

[Dysan2k]

You can chalk this one up to careless admins - something I'm sure PostgreSQL is not immune to either.

Nothing is. Postgres folk can cry all they want, and so can MySQL, mSQL, Oracle, Informix, Sybase, Firebird, etc. It makes no difference. If you have no password, you can get into it.

Amazes me sometimes the rabidness of the db crowd. It's a database, folks. It stores data. It's not an AI.

Re:That's why...

[jadavis]

Although I am a postgresql advocate, I want to caution users that win32 is very different from UNIX. PostgreSQL doesn't have a long track record on win32, merely a lengthy beta test. So, it's a great database, but stop short of assuming that PostgreSQL's legendary reliability was translated perfectly to win32. After a few more months of real-world testing, you can be much more sure.

Re:That's why...

[notque]

Most serious people deploy PostgreSQL on Windows, if they're deploying anything on it at all.

Solid reliability, transaction support, and a good security track record. Probably the best thing short of switching to an AS/400.

You are a chewley's gum representitive? and you're here stiring up all this commontion for what? To sell more gum?

Get outta here.

Re:That's why...

[WoodstockJeff]

And if they have a blank password and no firewall are they any more secure than a MySQL user?

Vastly. By default, Postgres won't do anything. You need to actively administer it to accept even local connections, let alone activate TCP/IP.

Re:more windows problems on the way

[DrSkwid]

Particulary for applications like MySQL Linux is the OS of choice.

I love that, they DO go together rather well.

I hope you see the irony of that =)

I can't believe some of those windows freaks that are still out there call themselves professionals.

Linux : by amateurs, for amateurs.

Re:That's why...

[jadavis]

It would be nice if application developers made their apps database agnostic, but it rarely seems to happen.

That might be fine if your application uses only the features supported by all databases.

If you want more, you end up with a huge mess of bug-prone client side database operations. To ensure consistency of the data you have to do a HUGE amount of client side work because some databases don't support check constraints or constraint triggers. And all the other features it's the same deal: a huge amou

Re:Clarity

[Anonymous Coward]

That doesn't change the fact that there are flaws in MySQL that need to be fixed.

Re:Clarity

[Fred_A]

Flaws such as letting people install it that are clueless enough to put it on Internet connected machines without setting passwords for administrative accounts ?

That'll be a tough one to patch...

Re:So it's the admins' fault?

[sloanster]

Let me make sure that my understanding is aligned with the Slashbot collective.

When a clueless admin doesn't secure Windows, it's Windows' fault. But when a clueless admin doesn't secure an OSS application, it's the admin's fault.

Yes, you've got the drill down pat:

Whenever another windows security crisis arises, immediately try to make light of it with sarcasm like what you've written above. The whole idea is to start a flamewar, and divert attention away from the real issues. Extra points if you can m

Re:Clarity

[picklepuss]

Nice try, but I you only took in a minor part of the equation, and so you fail

While it's true, the worm could probably intrude a *nix mySQL server that was open to the internet with a default password of ''... intrusion is only part of the game plan. The payload is the important part

In this case, I doubt that installing the exe on a *nix box is going to do much good. Even if the writer were to create a *nix specific script for the payload, I'm pretty sure it would be given the mysql uid/gid, and probabl

Re:Doesn't seem that vital of a worm

[I confirm I'm not a]

if you are downloading it and installing it then you obviously have a reson to use it, and are more likely to set an actual password.

I'd like to agree with you - I've installed MySQL (plus Apache and mod_php) on Windows boxes before now, for development (production server is a Solaris box, but my boss - for some bizarre reason - won't fork out for a Sparcstation for me ;) However - many developers I know believe that dev machines don't merit the same kind of hardening as production machines. "Hey! We're

Re:Doesn't seem that vital of a worm

[Zaiff Urgulbunger]

However - many developers I know believe that dev machines don't merit the same kind of hardening as production machines. "Hey! We're behind the firewall, we're safe!"
I'm not justifying what they're doing, but if they're behind a firewall then shouldn't they be safe from this worm? Surely the people getting infected are the people with MySQL ports open directly on the int0rweb *and* no hardening.

Maybe this'll serve as a wake-up call.
True!

Re:Doesn't seem that vital of a worm

[david duncan scott]

Well, on those grounds MSSQL worms aren't an issue either, because believe me, SQLServer does not come with Windows either. Apparently shelling out good money [cdw.com] hasn't stopped people from leaving the SA p/w blank.