MySQL Security Alert 2005-01-27

on 28.01.2005 03:47:16 by Arjen Lentz

There is a bot active on the internet that is infecting Windows machines
running MySQL Server:
http://isc.sans.org/diary.php?isc=a508f4a185755af19ea8bd45444a570b

An alert with background information is already available on:
http://dev.mysql.com/tech-resources/articles/security_alert.html

The following message contains practical information about how to
protect your system.


1. What is the UDF Worm?
The UDF Worm is self-propagating code that is finding MySQL servers
running on Microsoft Windows with poor firewall and password security.

This worm does not exploit any bugs in MySQL. It does exploit poor
security setups for firewalls and passwords.

This worm is Microsoft Windows specific; however, firewall and password
security is important on any platform.


2. What is a User Defined Function (UDF)?
A User Defined Function, often referred to as a UDF, is a part of the
ANSI SQL-99 specification. This feature allows developers to create
custom functions. It is a common feature among the major database
products.


3. What does the UDF Worm do?
The UDF Worm looks for MySQL servers running on Microsoft Windows that
have been exposed to the internet and have either weak or no passwords
installed on the account named "root". Once it finds an account it
installs a UDF, and then uses that machine to scan for other machines
that can possibly be infected.


4. How do I know if my MySQL installation has been infected?
Run the following SQL statement: SELECT * FROM mysql.func;

If a UDF is found with a name of "app_result" then you have probably
been infected with the worm.

You should look at all UDFs and determine whether or not they are
legitimate. The worm is likely to mutate over time and will take on
different UDF names.

You may be able to remove this UDF by running the following SQL
statement: DROP FUNCTION app_result;
Please note however that this does not remove the worm itself once
your system has been infected. See the next section for further details.


5. How do I disinfect my system?

As the worm is of a known family called "WootBot" or "SpyBot", most
virus scanners will pick up the executable with their existing
signature files and alert you.
F-Secure provides additional information on this type of "bot" as well
as tools for removing it:
http://www.f-secure.com/v-descs/wootbot.shtml

To prevent any unauthorized person or program from connecting to your
database you should verify that all of your current accounts have
passwords and that they are strong passwords (i.e. not easily
guessable). Remember to always use firewalls and strong passwords to
protect your MySQL Servers.

Please consult your security advisors for the best way to protect your
systems.


6. How do I protect my MySQL Servers on Microsoft Windows?
There are 2 basic steps to protect your MySQL Servers:

1. Always use strong passwords on all accounts.
2. Use firewalls to protect your MySQL Servers.

The Windows installation procedure in MySQL 4.1 and up takes additional
steps to ensure that users create a secure setup.

For information about securing your root account on an existing
installation, see
http://dev.mysql.com/doc/mysql/en/default-privileges.html and
http://dev.mysql.com/doc/mysql/en/security-against-attack.html.

Specifically, ensure that the root account has a STRONG password that
cannot be easily guessed.

Also, remove the root@'%' account from the grant tables. Connect to the
MySQL server as root; the following example uses the 'mysql' command
line client. Search for "mysql.exe" on your hard drive, and run this
program with the parameters "-u root -p".

Enter password: *****
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 4.1.9-nt

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> DELETE FROM mysql.user WHERE host = '%' AND user = 'root';
Query OK, 1 row affected (0.03 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.05 sec)

mysql> quit

This will prevent root logins from other machines.

If you don't require any access to the database server from other
machines, you can even disable networking completely by using the
skip-networking option in your configuration file and restarting the
server. You can also use MySQL Administrator to edit your MySQL
configuration. Local connections are handled via named pipes on an NT-based
system (Windows NT4, 2000, XP, 2003).


7. Is this a vulnerability on Microsoft Windows, Linux, or Unix?
This worm is Microsoft Windows specific; however, firewall and password
security is important on any platform.

If your server is behind a firewall, and you have a strong root password,
you are not vulnerable to this worm. If not, take the necessary steps
now to protect your system.

Learn more about strong passwords and firewall setups for Microsoft
Windows here:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_password_tips.mspx

http://www.microsoft.com/athome/security/protect/firewall.mspx


8. What is MySQL AB doing about this?

MySQL takes security very seriously and continually seeks to further
improve the intrinsic and default security of the MySQL software, to
protect users regardless of their experience or configuration choices.

In addition, we are working on a set of proactive services to help alert
you to bugs, security issues and new features.

Naturally we will also continue to educate our users about security (strong
passwords and firewalls) on all platforms.


9. Where can I report my observations?
Please report all security issues to security@mysql.com


Regards,
Arjen.
--
Arjen Lentz, Community Relations Manager
MySQL AB, www.mysql.com

MySQL Users Conference (Santa Clara CA, 18-21 April 2005)
Early registration until February 28: www.mysqluc.com



--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=gcdmg-mysql@m.gmane.org
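The checks in sections 4 and 6 of the alert above (look at every row of mysql.func, make sure every account has a password, remove root@'%', consider skip-networking) can be scripted so they are run the same way on every server. The script below is an added example and is not part of the alert or of MySQL's own tooling. It assumes the rows of mysql.func and mysql.user have already been fetched through a client library and are passed in as tuples, so that it runs offline here; the sample rows, the my.ini text and the helper names audit_udfs, audit_accounts and networking_disabled are constructed for illustration.

```python
"""Offline audit for the indicators the alert describes: a suspicious UDF
registered in mysql.func, weak or over-broad accounts in mysql.user, and
whether the server's configuration file disables networking.

Added example, not part of the original alert or of MySQL. It takes the
rows a client library would return for
    SELECT name, ret, dl, type FROM mysql.func;
    SELECT host, user, password FROM mysql.user;
The sample rows and my.ini text at the bottom are constructed, not real output.
"""
import configparser
from dataclasses import dataclass

# The UDF name the alert gives as the infection indicator. The alert also says
# the name is likely to change, so any UDF not on a site allowlist is reported.
KNOWN_WORM_UDFS = frozenset({"app_result"})


@dataclass
class Finding:
    severity: str      # "critical", "high" or "review"
    detail: str        # what was found
    remediation: str   # the SQL the alert recommends (or the manual step)


def audit_udfs(func_rows, allowlist=frozenset()):
    """func_rows: (name, ret, dl, type) tuples from mysql.func."""
    findings = []
    for name, _ret, dl, _type in func_rows:
        if name.lower() in KNOWN_WORM_UDFS:
            findings.append(Finding(
                "critical",
                f"UDF '{name}' loaded from {dl} matches the worm indicator",
                f"DROP FUNCTION {name}; -- then disinfect the host; dropping alone is not enough"))
        elif name.lower() not in allowlist:
            findings.append(Finding(
                "review",
                f"UDF '{name}' loaded from {dl} is not on the allowlist; confirm it is legitimate",
                f"DROP FUNCTION {name}; -- only if it turns out not to be legitimate"))
    return findings


def audit_accounts(user_rows):
    """user_rows: (host, user, password) tuples from mysql.user.
    On 4.x servers the password column holds the hash; an empty string means
    the account has no password at all."""
    findings = []
    for host, user, password in user_rows:
        if password == "":
            findings.append(Finding(
                "critical",
                f"account '{user}'@'{host}' has no password",
                f"SET PASSWORD FOR '{user}'@'{host}' = PASSWORD('<strong password>');"))
        if user == "root" and host == "%":
            findings.append(Finding(
                "high",
                "root may log in from any host",
                "DELETE FROM mysql.user WHERE host = '%' AND user = 'root'; FLUSH PRIVILEGES;"))
    return findings


def networking_disabled(ini_text):
    """True if the [mysqld] section of a my.ini/my.cnf text sets skip-networking."""
    cp = configparser.ConfigParser(allow_no_value=True)
    cp.read_string(ini_text)
    return cp.has_section("mysqld") and cp.has_option("mysqld", "skip-networking")


# Constructed sample data (not real server output); the hash is a placeholder.
SAMPLE_FUNC_ROWS = [
    ("app_result", 2, "app_result.dll", "function"),
    ("metaphon", 0, "udf_example.dll", "function"),
]
SAMPLE_USER_ROWS = [
    ("localhost", "root", "*PLACEHOLDER-HASH-OF-A-STRONG-PASSWORD"),
    ("%", "root", ""),
    ("localhost", "", ""),
]
SAMPLE_INI = "[mysqld]\nbasedir=C:/mysql\nskip-networking\n"

if __name__ == "__main__":
    results = audit_udfs(SAMPLE_FUNC_ROWS, allowlist={"metaphon"})
    results += audit_accounts(SAMPLE_USER_ROWS)
    for f in results:
        print(f"[{f.severity}] {f.detail}\n    {f.remediation}")
    print("networking disabled:", networking_disabled(SAMPLE_INI))
```

To use it against a live server, run the two SELECT statements through any MySQL client library and pass the returned row tuples to audit_udfs and audit_accounts; the SET PASSWORD ... PASSWORD() form in the remediation text is the 4.x syntax of the servers the alert targets, and the anonymous account ('' at localhost) in the sample is flagged because it has no password, exactly the condition the alert tells you to eliminate.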

RE: MySQL Security Alert 2005-01-27

on 28.01.2005 23:13:03 by kjanuski


Thanks for a very full account of this bot. I've been looking for some
in-depth analysis.

-----Original Message-----
From: Arjen Lentz [mailto:arjen@mysql.com]
Sent: Thursday, January 27, 2005 9:47 PM
To: announce@lists.mysql.com; mysql; win32@lists.mysql.com
Subject: MySQL Security Alert 2005-01-27




RE: MySQL Security Alert 2005-01-27

on 28.01.2005 23:25:11 by James Frankman

Couldn't you also stop this bot by setting the max_connect_errors
variable to a lower number? i.e. max_connect_errors=10

My understanding is that MySQL will block a client after making more
failed requests than the max_connect_errors variable's setting. We are
behind a firewall, but I am considering setting this variable to 10 or
so just to be extra careful. Does anyone see a problem with doing this?

-----Original Message-----
From: Januski, Ken [mailto:kjanuski@phillynews.com]
Sent: Friday, January 28, 2005 3:13 PM
To: win32@lists.mysql.com
Subject: RE: MySQL Security Alert 2005-01-27


Thanks for a very full account of this bot. I've been looking for some
in-depth analysis.

-----Original Message-----
From: Arjen Lentz [mailto:arjen@mysql.com]
Sent: Thursday, January 27, 2005 9:47 PM
To: announce@lists.mysql.com; mysql; win32@lists.mysql.com
Subject: MySQL Security Alert 2005-01-27



--
MySQL Windows Mailing List
For list archives: http://lists.mysql.com/win32
To unsubscribe: http://lists.mysql.com/win32?unsub=gcdmw-win32@m.gmane.org