Database Journal

Database News

Posted Jan 28, 2005

Forbot Worm Variant Exploits Vulnerable Installations of MySQL

By Linda Cole

Security experts are tracking a new variant of the Forbot Worm. Forbot, also known as W32/Forbot-DY, UDF, Wootbot, and MySpooler worm, was first reported on the Whirlpool Forums on January 26 by a developer who noticed an unknown application, spoolcll.exe, trying to open a port.

According to MySQL, the UDF worm is self-propagating code that finds MySQL Servers running on Windows with poor firewall and password security. The worm does not exploit any bugs in MySQL but does exploit poor security setups for firewalls and passwords. Johannes Ullrich, in a report posted on SANS on January 27, stated, "The bot uses the 'MySQL UDF Dynamic Library Exploit.' In order to launch the exploit, the bot first has to authenticate to mysql as 'root' user. A long list of passwords is included with the bot, and the bot will brute force the password."

The bot creates a table in the mysql database and writes an executable into it. The content is then written to a file, "app_result.dll," and the table is dropped. The bot then creates a function called "app_result" in order to execute the .dll file. When the function is executed, the bot is loaded and run, and it attempts to connect to one of a number of IRC servers on port 5002 or 5003.
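The behaviour described above leaves two traces a DBA can look for in a MySQL query log: repeated failed 'root' logins from one source, and any statement that names "app_result". The following is an added example, not code from MySQL, SANS or the original article; the log lines are constructed in the style of a MySQL general query log, and the function name `triage` and the failure threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the style of a MySQL general query log (not real data).
SAMPLE_LOG = """\
050127 10:00:01      11 Connect     Access denied for user 'root'@'203.0.113.9' (using password: YES)
050127 10:00:01      12 Connect     Access denied for user 'root'@'203.0.113.9' (using password: YES)
050127 10:00:02      13 Connect     Access denied for user 'root'@'203.0.113.9' (using password: YES)
050127 10:00:02      14 Connect     Access denied for user 'app'@'192.0.2.20' (using password: YES)
050127 10:00:03      15 Connect     root@203.0.113.9 on mysql
                     15 Query       CREATE FUNCTION app_result RETURNS integer SONAME 'app_result.dll'
050127 10:05:00      16 Query       SELECT name FROM customers
""".splitlines()

# Failed root authentication, capturing the client host.
DENIED_ROOT = re.compile(r"Access denied for user 'root'@'([^']+)'")
# The function / library name reported for this worm variant.
UDF_NAME = re.compile(r"\bapp_result\b", re.IGNORECASE)


def triage(lines, threshold=3):
    """Return sources brute-forcing root and log lines naming app_result.

    threshold is a hypothetical cut-off: the number of failed root
    logins from one host that is treated as password guessing.
    """
    failures = Counter()
    udf_hits = []
    for line in lines:
        match = DENIED_ROOT.search(line)
        if match:
            failures[match.group(1)] += 1
        if UDF_NAME.search(line):
            udf_hits.append(line.strip())
    sources = sorted(host for host, n in failures.items() if n >= threshold)
    return {"bruteforce_sources": sources, "udf_hits": udf_hits}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("root brute-force sources:", report["bruteforce_sources"])
    for hit in report["udf_hits"]:
        print("app_result reference:", hit)
```

A hit on either check is a reason to inspect the host for app_result.dll and for outbound connections to ports 5002 or 5003.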

MySQL offers two basic steps to protect your MySQL servers:

  1. Always use strong passwords on all accounts.
  2. Use firewalls to protect your MySQL Servers.

SANS also recommends blocking port 3306 on firewalls.

If your system has already been compromised, see this article from Microsoft.


