Posted on 01/27/2005 6:20:28 PM PST by zeugma
"A report on the Australian Whirlpool forum suggests that a worm is currently taking out MySQL servers running on Windows. We have seen this happen with MSSQL before (not just 'Slammer', but also SQLSnake that used SA accounts without password). The SANS Internet Storm Center suggests that a rise in port 3306 scans can be attributed to the new worm, and is asking for observations to help figure this out. It appears the worm creates a file called 'spoolcll.exe'."
Microsoft just announced record earnings again. I guess that's easier when you don't have to worry about debugging your code, or the damage defective products do to clients.
This excerpt appears to be about MySQL not MS SQL Server.
A good reason to consider PostgreSQL.
You may want to reread this :) . This affects MySQL, not MS-SQL. MySQL is an open source database --- and it's just taking advantage of poorly configured servers, not a flaw in the product itself.
YourSQL?
None of my Macs appear to be having any problems.
:-)
All of you are correct, I misread the thing entirely. I guess I can expect quite a few deserved flames. It is definitely a good idea to secure your SQL server better than I proofed the post. :-)
In my defense, MSSQL was mentioned, but only in referring to past vulnerabilities discovered.
no problem, happens to us all
Microsoft announced record earnings again because they have the best products, period. In your haste to spew hate, you didn't even notice this problem is strictly related to another one of your foreign pieces of freeware, MySQL. Must suck to be you about now.
Everyone gets one free bash as my penance tonight. That was yours. Have a great evening!
No. HisSQL.
MySQL Malware Just Wants to Chat
Unix and Linux systems running MySQL currently are not at risk from the bot.
Ya, but the methods used to hack MySQL might be valid in the Unix world, so care should be taken. Of course, anyone who leaves the default administrator password on their database pretty much deserves to be rooted.
LOL ! Yeah, I agree.
This was a brute-force method for compromising the servers. Keep strong passwords, and you should be OK.
Basically, what this thing does is keep a list of common passwords and just tries them all until one works. Use non-dictionary, mixed-case, alphanumeric/symbolic passwords and you should be fine.
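A defender-side check for the password guessing described in the two posts above, as an added example that is not part of the original thread: it counts failed logins per source host from the server's access-denied messages. The log lines are constructed, and their timestamp prefix, the threshold and the function name `find_guessers` are assumptions.

```python
import re
from collections import defaultdict

# Matches MySQL's standard access-denied message. The timestamp/prefix
# in front of it varies by server version, so it is ignored here.
DENIED = re.compile(
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)' "
    r"\(using password: (?:YES|NO)\)"
)

def find_guessers(lines, threshold=5, accounts=("root",)):
    """Return {source_host: failures} for hosts with at least `threshold`
    failed logins against the watched account names."""
    counts = defaultdict(int)
    for line in lines:
        m = DENIED.search(line)
        if m and m.group("user") in accounts:
            counts[m.group("host")] += 1
    return {host: n for host, n in counts.items() if n >= threshold}

# Constructed sample log (documentation-range addresses, assumed prefix).
SAMPLE_LOG = (
    # One remote host cycling through a password list against root.
    [f"050127 18:20:{i:02d} [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)"
     for i in range(8)]
    # A single mistyped password from an admin workstation.
    + ["050127 18:21:03 [Warning] Access denied for user 'root'@'192.0.2.10' (using password: YES)"]
    # Repeated failures against an account that is not watched by default.
    + [f"050127 18:22:{i:02d} [Warning] Access denied for user 'app'@'198.51.100.3' (using password: NO)"
       for i in range(6)]
    # Unrelated log line.
    + ["050127 18:23:00 [Note] mysqld: ready for connections."]
)

if __name__ == "__main__":
    for host, n in find_guessers(SAMPLE_LOG).items():
        print(f"{host}: {n} failed root logins")
```

Hosts it reports are candidates for blocking at the firewall in front of port 3306, which should not be reachable from the Internet in the first place.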
MySQL should never have a default password for root and their install should never allow it. That's just ASKING for a worm.
Then by your logic, Apple makes absolutely the best, since they just posted record earnings, quadrupling them in fact. Did Microsoft quadruple its profits?
The installer now does ask you for a new password. Earlier ones just defaulted to "root." Still, you're right, it shouldn't be allowed, but I think it's common practice, as MSSQL does it too.