MySQL Bot Alert - Secure Your Servers

on 27.01.2005 22:09:50 by Mike Hillyer

There is a new bot spreading on the Internet that targets insecure MySQL
installations on Windows, as reported at
http://isc.sans.org/diary.php?isc=a508f4a185755af19ea8bd45444a570b.

I am now going to quote the advisory:

--------------------------------------------------
Infection Method

The bot uses the "MySQL UDF Dynamic Library Exploit". In order to launch
the exploit, the bot first has to authenticate to mysql as 'root' user.
A long list of passwords is included with the bot, and the bot will
brute force the password.

Once connected, the bot will create a table called 'bla' using the
database 'mysql'. The 'mysql' database is typically used to store
administrative information like passwords, and is part of every mysql
install. The only field in this database is a BLOB named 'line'.

Once the table is created, the executable is written into the table
using an insert statement. Then, the content is written to a file
called 'app_result.dll' using 'select * from bla into dumpfile
"app_result.dll"'. The 'bla' table is dropped once the file is created.

In order to execute the 'app_result.dll', the bot creates a mysql
function called 'app_result' which uses the 'app_result.dll' file saved
earlier. This function is executed, and as a result the bot is loaded
and run.
------------------------------------------------------

This bot will then attempt to infect other machines.

MySQL installations are at risk if proper security practices have not
been followed.

You need to act now to secure your Windows MySQL installation from this
bot and help prevent the spread of the worm. The steps are very simple:

1. Firewall port 3306 from outside access. No MySQL servers should ever
be exposed directly to the internet. If you do not have a firewall, look
at the various free software firewalls available.

2. Secure your root account. See
http://dev.mysql.com/doc/mysql/en/default-privileges.html and
http://dev.mysql.com/doc/mysql/en/security-against-attack.html.

Specifically, ensure that the root account has a STRONG password that
cannot be easily guessed, and remove the root@% account from the grant
tables:

Enter password: *****
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 4.1.9-nt

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use mysql;
Database changed

mysql> DELETE FROM user WHERE host = '%' AND user = 'root';
Query OK, 1 row affected (0.03 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.05 sec)

mysql>

This will prevent logins from external machines.

3. Disable networking. If feasible, remove network access to MySQL
completely by using the skip-networking option in your configuration
file and restarting the server. You can still connect via named pipes on
an NT based system.
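As an added example (not part of Mike's post or any MySQL AB tool), here is a small Python audit that checks steps 2 and 3 above: it takes rows from "SELECT user, host, password FROM mysql.user", flags root accounts reachable from non-local hosts and accounts with an empty password, generates the DELETE/FLUSH statements shown in step 2 for every remote root account, and reads my.ini to see whether skip-networking is active. The user rows, the my.ini text and the column name "password" (the 4.1-era grant table column) are assumptions of the example.

```python
import re

# Hosts that cannot be reached over the network by the bot's brute force.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample rows: (user, host, password hash); not real accounts.
SAMPLE_USERS = [
    ("root", "localhost", "*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29"),
    ("root", "%", ""),                       # remote root, empty password
    ("root", "build.example.internal", "*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29"),
    ("app", "192.168.1.%", "*4A9B11C2F0D2E9C3E1B0F6D9A1C3E5F7B9D1E3F5"),
]

# Constructed my.ini: skip-networking is present but commented out.
SAMPLE_INI = "[client]\nport=3306\n[mysqld]\nbasedir=C:/mysql\n# skip-networking\n"


def remote_root_accounts(user_rows):
    """Root accounts whose host is not local: '%' or any remote host name."""
    return [(u, h) for u, h, _pw in user_rows if u == "root" and h not in LOCAL_HOSTS]


def empty_password_accounts(user_rows):
    """Accounts with no password hash at all; step 2 requires a strong one."""
    return [(u, h) for u, h, pw in user_rows if pw == ""]


def remediation_sql(user_rows):
    """The DELETE statements from step 2, one per remote root account, plus
    FLUSH PRIVILEGES so the change takes effect. Empty if nothing to do."""
    stmts = ["DELETE FROM user WHERE host = '%s' AND user = '%s';"
             % (h.replace("'", "''"), u.replace("'", "''"))
             for u, h in remote_root_accounts(user_rows)]
    return stmts + ["FLUSH PRIVILEGES;"] if stmts else []


def networking_enabled(my_ini):
    """True unless the [mysqld] section contains an active skip-networking
    line (step 3). Comments after '#' are ignored, so a commented-out
    option does not count."""
    in_mysqld = False
    for raw in my_ini.splitlines():
        line = raw.split("#", 1)[0].strip()
        if re.fullmatch(r"\[.*\]", line):
            in_mysqld = line.lower() == "[mysqld]"
        elif in_mysqld and re.fullmatch(
                r"skip[-_]networking(\s*=\s*(1|on|true))?", line, re.I):
            return False
    return True
```

Run the functions against the live rows and config on a server to get the same report; the generated DELETE statements are exactly the ones step 2 asks you to run.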

If your server is behind a firewall and you have a strong root password,
you are not vulnerable to this worm. If not, take the necessary steps
now to ensure that your system is not infected.
--
Mike Hillyer, Technical Writer
MySQL AB, www.mysql.com
Office: +1 403-380-6535
Mobile: +1 403-330-0870

MySQL User Conference (Santa Clara CA, 18-21 April 2005)
Early registration until February 28: www.mysqluc.com

--
MySQL Windows Mailing List
For list archives: http://lists.mysql.com/win32