
MySQL Windows Warning

Posted: Thu Jan 27, 2005 12:29 pm
by teleri
There is a MySQL port scan and exploit happening; please be careful.

To see if you have been infected, look for spoolcll.exe.

This is a bot, and it uses weak root passwords to gain entry to MySQL. From there, it loads a BLOB in a table with a payload DLL, which it then writes to disk and loads as a MySQL UDF. The UDF is called, which creates the bot and the system is compromised.

Damage appears to be low as it is more spyware than anything, and you are only at risk if you A) have not firewalled the MySQL port, B) have a root account that is allowed to log in from anywhere, not just localhost, and C) have a weak root password.

So, the fix is this:

A) Firewall port 3306
B) Remove the root@% account, only allow root@localhost
C) Set a strong password

More info at http://www.openwin.org/mike/index.php/a ... %20-loose/



Link to the Slashdot article on this.

http://it.slashdot.org/it/05/01/27/1546 ... 172&tid=95
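
The fix steps from the post above written as MySQL statements, plus a check for leftover UDF registrations. This is an added example, not part of the original post. It assumes an administrative session on a current MySQL server (`ALTER USER` needs 5.7.6 or later), and the password and function name shown are placeholders.

```sql
-- Added example. Run from the mysql client as an administrative user.

-- (B) List root accounts that can connect from anywhere but the local host.
SELECT user, host
FROM mysql.user
WHERE user = 'root'
  AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- Confirm root@localhost exists before removing anything, so that the
-- next statement cannot lock you out of the server.
SELECT user, host FROM mysql.user WHERE user = 'root' AND host = 'localhost';

-- Remove the wildcard root account the post names.
DROP USER 'root'@'%';

-- (C) Set a strong password on the remaining account (placeholder value).
ALTER USER 'root'@'localhost' IDENTIFIED BY 'REPLACE-WITH-LONG-RANDOM-PASSWORD';

-- Writing a file to disk from SQL requires the FILE privilege, so list the
-- accounts that hold it; ordinary application accounts should not appear.
SELECT user, host FROM mysql.user WHERE File_priv = 'Y';

-- Registered UDFs are recorded in mysql.func. Any row whose library (dl)
-- you did not install yourself deserves investigation.
SELECT name, ret, dl, type FROM mysql.func;

-- Unregister a UDF you have confirmed is unwanted (placeholder name), then
-- delete its library file from disk outside of MySQL.
DROP FUNCTION unexpected_udf_name;

-- (A) Port 3306 is closed at the host or network firewall, not in SQL.
```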