
MySQL Security Alert 2005-01-27
Posted by: Arjen Lentz
Date: January 27, 2005 08:54PM

There is a bot active on the internet that is infecting Windows machines
running MySQL Server:
http://isc.sans.org/diary.php?isc=a508f4a185755af19ea8bd45444a570b

An alert with background information is already available on:
http://dev.mysql.com/tech-resources/articles/security_alert.html

The following message contains practical information about how to
protect your system.


1. What is the UDF Worm?
The UDF Worm is self-propagating code that is finding MySQL servers
running on Microsoft Windows with poor firewall and password security.

This worm does not exploit any bugs in MySQL. It does exploit poor
security setups for firewalls and passwords.

This worm is Microsoft Windows specific, however firewall and password
security is important on any platform.


2. What is a User Defined Function (UDF)?
A User Defined Function, often referred to as a UDF, is a part of the
ANSI SQL-99 specification. This feature allows developers to create
custom functions. It is a common feature among the major database
products.


3. What does the UDF Worm do?
The UDF Worm looks for MySQL servers running on Microsoft Windows that
have been exposed to the internet and have either weak or no passwords
installed on the account named "root". Once it finds an account it
installs a UDF, and then uses that machine to scan for other machines
that can possibly be infected.


4. How do I know if my MySQL installation has been infected?
Run the following SQL statement: SELECT * FROM mysql.func;

If a UDF is found with a name of "app_result" then you have probably
been infected with the worm.

You should look at all UDFs and determine whether or not they are
legitimate. The worm is likely to mutate over time and will take on
different UDF names.

You may be able to remove this UDF by running the following SQL
statement: DROP FUNCTION app_result;
Please note, however, that this does not remove the worm itself once
your system has been infected. See the next section for further details.


5. How do I disinfect my system?

As the worm is of a known family called "WootBot" or "SpyBot", most
virus scanners will pick up the executable with their existing
signature files and alert you.
F-Secure provides additional information on this type of "bot" as well
as tools for removing it:
http://www.f-secure.com/v-descs/wootbot.shtml

To prevent any unauthorized person or program from connecting to your
database you should verify that all of your current accounts have
passwords and that they are strong passwords (i.e. not easily
guess-able). Remember to always use firewalls and strong passwords to
protect your MySQL Servers.

Please consult your security advisors for the best way to protect your
systems.


6. How do I protect my MySQL Servers on Microsoft Windows?
There are 2 basic steps to protect your MySQL Servers:

1. Always use strong passwords on all accounts.
2. Use firewalls to protect your MySQL Servers.

The Windows installation procedure in MySQL 4.1 and up takes additional
steps to ensure that users create a secure setup.

For information about securing your root account on an existing
installation, see
http://dev.mysql.com/doc/mysql/en/default-privileges.html and
http://dev.mysql.com/doc/mysql/en/security-against-attack.html.

Specifically, ensure that the root account has a STRONG password that
cannot be easily guessed.

Also, remove the root@'%' account from the grant tables. Connect to the
MySQL server as root; the following example uses the 'mysql' command
line client. Search for "mysql.exe" on your hard drive and run this
program with the parameters "-u root -p".

Enter password: *****
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 4.1.9-nt

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> DELETE FROM mysql.user WHERE host = '%' AND user = 'root';
Query OK, 1 row affected (0.03 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.05 sec)

mysql> quit

This will prevent root logins from other machines.

If you don't require any access to the database server from other
machines, you can even disable networking completely by using the
skip-networking option in your configuration file and restarting the
server. You can also use MySQL Administrator to edit your MySQL
configuration. Local connections are handled via named pipes on an
NT-based system (Windows NT4, 2000, XP, 2003).
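A combined audit and clean-up script covering the checks in section 4 and the hardening steps in section 6, added here as an example and not part of the original alert. It assumes the MySQL 4.x/5.0-era grant tables of the time (mysql.user stores the password hash in a column named Password; MySQL 5.7 and later use authentication_string instead), and the replacement password is an obvious placeholder to be substituted before running:

```sql
-- Added example (not from the original alert). Run as root with the
-- mysql command line client, then review the audit output before
-- running the clean-up statements at the bottom.

-- Section 4: list every registered UDF, with its return type and the
-- DLL it loads from. The known indicator is app_result, but the alert
-- warns the name may change, so review every row.
SELECT name, ret, dl FROM mysql.func;

-- Quick yes/no check for the indicator named in the alert.
SELECT COUNT(*) AS app_result_present
  FROM mysql.func
 WHERE name = 'app_result';

-- Section 6, weak passwords: accounts with no password at all
-- (empty User rows are anonymous accounts). Column name assumed for
-- MySQL 4.x/5.0; use authentication_string on 5.7 and later.
SELECT User, Host FROM mysql.user WHERE Password = '';

-- Section 6, network exposure: accounts that may log in from any host.
SELECT User, Host FROM mysql.user WHERE Host = '%' ORDER BY User, Host;

-- Clean-up, mirroring the alert's own steps.
DROP FUNCTION app_result;   -- only if the audit listed it
DELETE FROM mysql.user WHERE Host = '%' AND User = 'root';
-- Placeholder password: replace before running.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('REPLACE-WITH-A-STRONG-PASSWORD');
FLUSH PRIVILEGES;
```

The audit queries are read-only and safe to run repeatedly; dropping the UDF only removes the database-side hook, so a positive hit on mysql.func still calls for the antivirus clean-up described in section 5.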


7. Is this a vulnerability on Microsoft Windows, Linux, or Unix?
This worm is Microsoft Windows specific, however firewall and password
security is important on any platform.

If your server is behind a firewall and you have a strong root password,
you are not vulnerable to this worm. If not, take the necessary steps
now to protect your system.

Learn more about strong passwords and firewall setups for Microsoft
Windows here:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_password_tips.mspx

http://www.microsoft.com/athome/security/protect/firewall.mspx


8. What is MySQL AB doing about this?

MySQL takes security very seriously and continually seeks to further
improve the intrinsic and default security of the MySQL software, to
protect users regardless of their experience or configuration choices.

In addition, we are working on a set of proactive services to help alert
you to bugs, security issues and new features.

Naturally we will also continue to educate our users about security (strong
passwords and firewalls) on all platforms.


9. Where can I report my observations?
Please report all security issues to security@mysql.com

Regards, Arjen.
--
Arjen Lentz, Exec.Director @ Open Query (http://openquery.com)
Remote expertise & maintenance for MySQL/MariaDB server environments.

Follow us at http://openquery.com/blog/ & http://twitter.com/openquery


