Security
UNIRAS (UK Gov CERT)
Advisory Type: Alert
Id: 20050128-00078 Ref: 09/2005 Date: 28 January 2005 Time: 09:10

Abstract: The worm installs a malicious trojan executable spoolcll.exe in the System32 directory. spoolcll.exe is installed as a new service "Event Monitor".

Vendors affected: Microsoft

Operating Systems affected: Windows

Applications/Services affected: MySQL

Impact: Denial of service

Detail
======


AL-2005.002 -- AUSCERT ALERT
New worm currently exploiting MySQL on Windows
28 January 2005


Product: MySQL
Operating System: Windows
Impact: Administrator Compromise
        Distributed Denial of Service
Access: Remote/Unauthenticated


SUMMARY:

AusCERT has become aware of a new worm currently exploiting MySQL on
Windows systems. The worm infects systems using an automated attack on
weak passwords for the MySQL "root" account.

MySQL administrators are encouraged to apply the mitigation steps
below as soon as possible to prevent infection.

Non-Windows MySQL systems are not targeted by this worm, but are
vulnerable to the same attack if MySQL is running as root.


IMPACT:

The worm installs a malicious trojan executable spoolcll.exe in the
System32 directory. spoolcll.exe is installed as a new service
"Event Monitor".

spoolcll.exe connects to one of several IRC servers to receive
instructions for further action. It also sets up three listening
ports which we have observed to be on UDP port 69 and TCP ports 2314
and 2311, though these ports can vary.

The trojan can be commanded to launch distributed denial of service
attacks, remotely control the infected host, scan blocks of IP
addresses and infect further vulnerable systems.

The malicious executable installed by this worm is detected by
several antivirus products as a variant of Wootbot.
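A defender-side check for the indicators just described (the "Event Monitor" service, spoolcll.exe in System32 and the observed listening ports), added here as an example and not part of the UNIRAS or AusCERT text. The service inventory, file list and netstat output are constructed inline, and the function and sample names are assumptions:

```python
# Added example: check a host for the indicators the alert lists (the
# "Event Monitor" service, spoolcll.exe in System32, the observed listeners).
import re

KNOWN_LISTENERS = {("UDP", 69), ("TCP", 2311), ("TCP", 2314)}

def listening_ports(netstat_text: str):
    """Parse 'netstat -an' style lines into a set of (proto, port):
    TCP sockets in LISTENING state plus every bound UDP socket."""
    found = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?", line)
        if not m:
            continue
        proto, port, state = m.group(1), int(m.group(2)), m.group(3)
        if proto == "UDP" or state == "LISTENING":
            found.add((proto, port))
    return found

def wootbot_indicators(services, files_present, netstat_text):
    """services: (display_name, binary_path) tuples from a service inventory;
    files_present: paths that exist on disk. Returns a list of findings."""
    findings = []
    for display, path in services:
        if display == "Event Monitor" or path.lower().endswith("spoolcll.exe"):
            findings.append(f"service '{display}' -> {path}")
    for p in files_present:
        if p.lower().endswith(r"\system32\spoolcll.exe"):
            findings.append(f"file present: {p}")
    # The alert says the ports can vary, so a port hit is a lead, not proof.
    for proto, port in sorted(listening_ports(netstat_text) & KNOWN_LISTENERS):
        findings.append(f"listener {proto}/{port} matches observed bot ports")
    return findings

# Constructed sample data resembling an infected MySQL host.
SAMPLE_SERVICES = [
    ("MySQL", r"C:\mysql\bin\mysqld-nt.exe"),
    ("Event Monitor", r"C:\WINDOWS\System32\spoolcll.exe"),
]
SAMPLE_FILES = [r"C:\WINDOWS\System32\spoolcll.exe"]
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:2311           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3306          10.0.0.9:41022         ESTABLISHED
  UDP    0.0.0.0:69             *:*
"""

if __name__ == "__main__":
    print("\n".join(wootbot_indicators(SAMPLE_SERVICES, SAMPLE_FILES, SAMPLE_NETSTAT)))
```

On a live host the same functions take the real service list, a directory listing and the output of `netstat -an`.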


MITIGATION:

o Change to a stronger password for MySQL's "root" account.

o Configure MySQL to only accept "root" account connections from the
local host.

These two steps can be implemented using the MySQL 4.1 Server
Instance Configuration Wizard. Under "Modify Security Settings",
input a strong password and also select "Root may only connect
from localhost".

o Run MySQL as an unprivileged user. This is possible under Windows
with MySQL 4.0.17 and higher, and MySQL 4.1.2 and higher.

o Block connections from the internet to MySQL by adding a firewall
rule blocking inbound traffic to port 3306.
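The first two mitigations expressed as an audit over mysql.user rows, added here as an example rather than taken from the alert. The sample rows are constructed, the hash-format classification (16 hex characters for the pre-4.1 hash, "*" plus 40 hex characters for 4.1) is the assumption the check relies on, and the generated statements use MySQL 4.x syntax with a placeholder password:

```python
# Added example: audit mysql.user for what the worm abuses, a "root" entry
# reachable from remote hosts or without a password; rows are constructed.
import re
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def host_allows_remote(host: str) -> bool:
    """Any Host other than a loopback name (an address, a hostname, or a
    wildcard such as '%' or '192.168.%') admits remote clients."""
    return host.strip().lower() not in LOCAL_HOSTS

def password_state(pw_hash: str) -> str:
    """'' = no password; 16 hex chars = pre-4.1 hash; '*'+40 hex = 4.1 hash."""
    if pw_hash == "":
        return "empty"
    if re.fullmatch(r"[0-9a-fA-F]{16}", pw_hash):
        return "old-format"
    return "ok" if re.fullmatch(r"\*[0-9A-F]{40}", pw_hash) else "unknown"

def audit_root_accounts(rows):
    """rows: (User, Host, Password) tuples as SELECTed from mysql.user."""
    findings = []
    for user, host, pw in rows:
        if user != "root":
            continue
        if host_allows_remote(host):
            findings.append((host, "root reachable from remote hosts"))
        state = password_state(pw)
        if state == "empty":
            findings.append((host, "root has no password"))
        elif state == "old-format":
            findings.append((host, "root uses pre-4.1 password hash"))
    return findings

def remediation_sql(findings):
    """MySQL 4.x statements for the alert's first two mitigations;
    <strong-password> is a placeholder the administrator replaces."""
    stmts = [f"DELETE FROM mysql.user WHERE User='root' AND Host='{h}';"
             for h, p in findings if p.startswith("root reachable")]
    if findings:
        stmts += ["UPDATE mysql.user SET Password=PASSWORD('<strong-password>')"
                  " WHERE User='root';", "FLUSH PRIVILEGES;"]
    return stmts

# Constructed sample: a 4.x install with an open, passwordless root account.
SAMPLE_ROWS = [("root", "localhost", ""), ("root", "%", ""),
               ("root", "127.0.0.1", "*" + "0123456789ABCDEF" * 2 + "01234567"),
               ("webapp", "%", "*" + "0123456789ABCDEF" * 2 + "01234567")]

if __name__ == "__main__":
    print("\n".join(remediation_sql(audit_root_accounts(SAMPLE_ROWS))))
```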


REFERENCES:

[1] SANS Handler's Diary January 27 2005
http://isc.sans.org/diary.php?date=2005-01-27


Posted by akamu on Thursday, March 17, 2005 (00:38:39) (6255 reads)

"Worm currently exploiting MySQL on Windows" | 2 comments

Re: Worm currently exploiting MySQL on Windows (Score: 1 )
by Nuance on Thursday, March 17, 2005 (02:17:47)
Another Windows worm -- why does this not surprise me?



Re: Worm currently exploiting MySQL on Windows (Score: 1 )
by Jeruvy on Monday, April 11, 2005 (13:45:29)
Note: The infector (worm) is detected as "WOOTBOT". This is a known rootkit infector.

From Trend Micro:

This is Trend Micro's generic detection for unknown forms of the WOOTBOT worms.

To propagate, WOOTBOT worms are known to exploit the LSASS vulnerability present on Windows systems. The said vulnerability is a buffer overrun vulnerability that allows remote code execution, present on Windows systems. Once this vulnerability is successfully exploited, a malicious user is able to gain full control over the target system.