Weak Passwords Leave Win MySQL Vulnerable

The Windows version of popular open source database MySQL is apparently under attack by a malicious bot , according to an advisory issued Thursday by the SANS Internet Storm Center (ISC).

The SANS-ISC advisory also said the binary file that carries the bot is detectable via most updated anti-virus scanners and that strong password policies would also help thwart any intrusion attempts.

The bot has been identified as a version of ‘Wootbot’ and takes advantage of the previously disclosed “MySQL UDF Dynamic Library Exploit” in an attempt to infect a MySQL server, according to the ISC.

However, in order to actually infect the server and launch the exploit, the bot must first break the root level password on the server. In order to do that, the bot will execute what is known as a brute force attack with a list of passwords in order to crack the root password. The SANS-ISC advisory noted that the fundamental weakness the bot scans for is a weak root account, as opposed to any vulnerability in MySQL.

The first item that SANS-ISC lists for mitigation of this attack is the selection of a “strong password.” The center also recommended security measures that are considered fundamental, such as restricting root account access to certain hosts, as well as applying proper firewall rules that restrict access to only hosts that require access to the database.

The bot attempted to first gain access and crack the root password via an open port 3306 on a Window MySQL server; SANS-ISC recommend blocking access to that port in order to prevent a potential attack.

If the bot is able to crack the root level password on the windows MySQL servers, it will place a one field (called BLOB), one table entry (called BLA) in the default “mysql” database. An executable file could then be written into the table, which ultimately results in the bot actually being loaded and run.

Once the bot is running on the Windows MySQL server via a cracked root password, it then connects to one of eight IRC servers in the hunt for further instructions, while seeking out bots that have infected other MySQL servers, ISC said.

According to the SANS-ISC advisory the bot includes “the usual set of bot features like a Distributed Denial of Service DDos engine, various scanners, commands to solicit information from infected systems (e.g. system stats, software registration keys and such). The bot provides an FTP server, and backdoors, the ISC noted.

In addition to suggesting the application of proper firewall rules and strong passwords in order to prevent the bot from exploiting MySQL, the SANS-ISC advisory also said the binary file that carries the bot is detectable via most updated anti-virus scanners.

News Around the Web