
Thread: MySQL bot infecting servers

  1. #1

    MySQL bot infecting servers

    As reported on the Internet Storm Center site ( at
    "bot" is traversing the Internet infecting MySQL servers installed on
    Windows systems. Check out the description below:

    "A "bot", exploiting vulnerable MySQL installs on Windows systems, has been
    spotted. It infected a few thousand systems so far. Like typical for bots,
    infected systems will connect to an IRC server. The IRC server will instruct
    them to scan various /8 networks for other vulnerable mysql servers."

    So if you have MySQL servers, check out your firewall logs for the following:

    * Outbound activity to IPs:,,;
    these are dynamic DNS IPs so they'll likely change with their domain names

    * Outbound connection attempts on port 5002 and 5003

    * Look for FTP servers popping up out of nowhere - bot creates one - scan
    network for these

    * Scan network for 2301 and 2304 - backdoors set up by bot; there may be
    other ports

  2. #2
    You'll find the security alert that issued for this worm at the address below. A word on detecting it:

    4. How do I know if my MySQL installation has been infected?

    Run the following SQL statement: SELECT * FROM mysql.func;

    If a UDF is found with a name of "app_result" then you have been infected with the worm.

    You should look at all UDFs and determine whether or not they are legitimate. The worm is likely to mutate over time and will take on different UDF names.
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.
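
The firewall-log checks listed in the first post, as an added example that is not part of the original thread: it flags outbound attempts to ports 5002/5003, allowed inbound connections to 21, 2301 and 2304, and port-3306 fan-out from a MySQL host. The log layout, the sample lines, the `SCAN_THRESHOLD` value and the `triage` name are assumptions.

```python
from collections import defaultdict

# Ports named in the first post; 3306 is MySQL's default listening port.
OUTBOUND_PORTS = {5002, 5003}
LISTENER_PORTS = {21: "ftp", 2301: "backdoor", 2304: "backdoor"}
MYSQL_PORT = 3306
SCAN_THRESHOLD = 3  # assumed: distinct external 3306 targets that count as scanning

# Constructed sample lines (documentation address ranges) in an assumed layout:
# date time action protocol src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2000-01-01 10:00:01 ALLOW TCP 192.0.2.10 198.51.100.7 1044 5002
2000-01-01 10:00:05 ALLOW TCP 192.0.2.10 203.0.113.1 1050 3306
2000-01-01 10:00:05 ALLOW TCP 192.0.2.10 203.0.113.2 1051 3306
2000-01-01 10:00:06 DROP TCP 192.0.2.10 203.0.113.3 1052 3306
2000-01-01 10:01:10 ALLOW TCP 198.51.100.9 192.0.2.10 4021 2301
2000-01-01 10:02:00 ALLOW TCP 192.0.2.11 192.0.2.10 1200 3306
2000-01-01 10:03:00 ALLOW TCP 192.0.2.20 203.0.113.1 1300 3306
2000-01-01 10:04:00 DROP TCP 198.51.100.9 192.0.2.20 4100 21
"""

def triage(log_text, mysql_servers):
    """Return {server_ip: sorted list of indicator tags} for hosts worth inspecting."""
    findings, targets = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if (line.startswith("#") or len(fields) < 8
                or fields[3] != "TCP" or not fields[7].isdigit()):
            continue  # header, short, non-TCP or malformed line
        action, src, dst, dport = fields[2], fields[4], fields[5], int(fields[7])
        if src in mysql_servers:
            if dport in OUTBOUND_PORTS:
                # Blocked attempts count too: the host still tried to call out.
                findings[src].add(f"outbound:{dport}")
            elif dport == MYSQL_PORT and dst not in mysql_servers:
                targets[src].add(dst)
        # Only an allowed inbound connection suggests something is listening.
        if dst in mysql_servers and dport in LISTENER_PORTS and action == "ALLOW":
            findings[dst].add(f"{LISTENER_PORTS[dport]}:{dport}")
    for src, seen in targets.items():
        if len(seen) >= SCAN_THRESHOLD:
            findings[src].add(f"mysql-scan:{len(seen)}")
    return {host: sorted(tags) for host, tags in findings.items()}

if __name__ == "__main__":
    for host, tags in triage(SAMPLE_LOG, {"192.0.2.10", "192.0.2.20"}).items():
        print(host, ", ".join(tags))
```

A flagged host is a lead for the `mysql.func` check described in the second post, not proof of infection.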
