January 27th, 2005, 06:30 PM
MySQL bot infecting servers
As reported on the Internet Storm Center site (http://isc.incidents.org) at
"bot" is traversing the Internet infecting MySQL servers installed on
Windows systems. Check out the description below:
"A "bot", exploiting vulnerable MySQL installs on Windows systems, has been
spotted. It infected a few thousand systems so far. Like typical for bots,
infected systems will connect to an IRC server. The IRC server will instruct
them to scan various /8 networks for other vulnerable mysql servers."
So if you have MySQL servers check out your firewall logs for the following
* Outbound activity to IPs: 220.127.116.11, 18.104.22.168, 22.214.171.124;
these are dynamic DNS IPs so they'll likely change with their domain names
landingzone.dynu.com, landingzone.ath.cx, dummylandingzone.ipupdater.com)
* Outbound connection attempts on port 5002 and 5003
* Look for FTP servers popping up out of nowhere - bot creates one - scan
network for these
* Scan network for 2301 and 2304 - backdoors setup by bot; there may be
January 30th, 2005, 03:09 PM
You'll find the security alert that Mysql.com issued for this worm at the address below. A word on detecting it:
4. How do I know if my MySQL installation has been infected?
Run the following SQL statement: SELECT * FROM mysql.func;
If a UDF is found with a name of "app_result" then you have been infected with the worm.
You should look at all UDFs and determine whether or not they are legitimate. The worm is likely to mutate over time and will take on different UDF names.
I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.