Saturday, January 29, 2005

Malicious Bot Targets MySQL Databases With Weak Passwords

A malicious bot program is breaking into poorly-secured MySQL databases running on Windows web servers, and appears to have compromised several thousand systems. The malware is using a brute force password attack to gain access to MySQL installations with weak administrative (root) passwords, according to an analysis by the Internet Storm Center.

Once the bot has gained access to MySQL, it uses the MySQL UDF Dynamic Library Exploit to upload malicious code to the infected system and then connects to an IRC channel. Once incorporated into the bot network, the "zombie" machines attempt to infect other servers, but could easily be used for other purposes.

The bot being used is a version of the widely used malware controller known as Wootbot or Forbot. "It appears to include the usual set of bot features like a DDOS engine, various scanners, commands to solicit information from infected systems (e.g. system stats, software registration keys and such)," according to the SANS analysis. "The bot provides an FTP server, and backdoors."

MySQL is the leading open source database, and is widely used in web applications written in the PHP server-side scripting language. MySQL is present in more than 5 million installations, and is a key ingredient in popular "LAMP" hosting plans, which feature the Linux operating system, Apache server, MySQL database and scripting in PHP, Perl or Python. MySQL is also available for Unix and Windows, but only Windows machines are known to have been exploited thus far.

//Netcraft
// Comments: Yasir

Something that is a little worrying for all our open source fans out there...

Well, for all those who have a shared hosting plan, please ask your web host to check their MySQL root passwords... and for those who rule their server's life, it's ok to have root with a blank password as long as the 'host' is not set to '%' for login 'root'! Might as well rename root to something else?

I checked my servers... seems everything is ok, however the bots are generating plenty of garbage traffic; there might be Denial of Service (DoS) on some MySQL databases globally... let's follow this and see where it takes us...
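As an added example (not from the Netcraft story or the blogger's own checks), here is the kind of audit a server owner can run against the MySQL grant tables to find the two conditions the bot needs (a root login with an empty password, reachable from any host) and to spot a UDF left behind by the exploit described above. It assumes a MySQL 4.x/5.x-era server where `mysql.user` still has a `Password` column; the new password is a placeholder.

```sql
-- 1. Which privileged or anonymous accounts exist, and are any of them
--    reachable from anywhere ('%') or protected by no password at all?
SELECT User, Host,
       CASE WHEN Password = '' THEN 'BLANK' ELSE 'set' END AS pw_state
FROM   mysql.user
WHERE  User = 'root'          -- the account the bot brute-forces
   OR  User = ''              -- anonymous accounts
   OR  Host = '%'             -- login allowed from any address
   OR  Password = ''          -- empty password, whoever it belongs to
ORDER BY User, Host;

-- 2. A clean install has no user-defined functions registered. The bot
--    loads its payload through a UDF library, so any row here that you
--    did not create yourself deserves a look at the named .dll file.
SELECT name, dl, type FROM mysql.func;

-- 3. Remediation for what the audit turned up.
--    Give root a real password (placeholder value; choose your own):
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('<strong-password-here>');

--    Drop anonymous accounts and any root entry that is not local-only:
DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.user
 WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1');

--    Remove a UDF you did not install (name taken from step 2):
DROP FUNCTION IF EXISTS suspicious_function_name;

FLUSH PRIVILEGES;
```

Pair this with `skip-networking` (or a `bind-address` limited to the loopback interface) in my.cnf on servers whose only MySQL client is the local web application, so a brute-force bot never reaches port 3306 in the first place.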
