NYCPHP Meetup

[nycphp-talk] [OT] mySql targeted by worm

inforequest 1j0lkq002 at sneakemail.com
Fri Jan 28 13:39:45 EST 2005


In case it hasn't been mentioned:

MySQL on Windows targeted by worm:

http://isc.sans.org/diary.php?date=2005-01-27&isc=811c8d08470e11fdb8efdabfe5bee079


quoted:

A "bot", exploiting vulnerable MySQL installs on Windows systems, has 
been spotted. It has infected a few thousand systems so far. As is typical 
for bots, infected systems will connect to an IRC server. The IRC server 
will instruct them to scan various /8 networks for other vulnerable 
mysql servers.

*Infection Method*

The bot uses the "MySQL UDF Dynamic Library Exploit". In order to launch 
the exploit, the bot first has to authenticate to mysql as 'root' user. 
A long list of passwords is included with the bot, and the bot will 
brute force the password.

Once connected, the bot will create a table called 'bla' using the 
database 'mysql'. The 'mysql' database is typically used to store 
administrative information like passwords, and is part of every mysql 
install. The only field in this database is a BLOB named 'line'.

Once the table is created, the executable is written into the table 
using an insert statement. Then, the content of the table is written to a file 
called 'app_result.dll' using 'select * from bla into dumpfile 
"app_result.dll"'. The 'bla' table is dropped once the file is created.

In order to execute the 'app_result.dll', the bot creates a mysql 
function called 'app_result' which uses the 'app_result.dll' file saved 
earlier. This function is executed, and as a result the bot is loaded 
and run.

*Post Infection Behavior*

The bot will now try to connect to one out of a number of IRC servers:
dummylandingzone.hn.org -> 212.105.105.214

These have been disabled by the respective dynamic DNS providers (thanks!!):
landingzone.ath.cx -> 212.105.105.214
dummylandingzone.dyndns.org -> no such name
landingzone.dynamic-ip.us -> was: 212.105.105.214
dummylandingzone.dns2go.com -> 63.64.164.91 and 63.149.6.91
dummylandingzone.hn.org -> 212.105.105.214
dummylandingzone.dynu.com -> 212.105.105.214
zmoker.dns2go.com -> 63.64.164.91
landingzone.dynu.com -> was: 212.105.105.214
dummylandingzone.ipupdater.com -> 212.105.105.214

The bot will connect to the IRC server on port 5002 or 5003. At this 
point, the IRC servers appear busy and unable to accept new connections. 
Note that dynamic DNS services are used. The IP addresses will likely 
change. The last time we were able to connect, about 8,500 hosts were 
connected to the IRC server.

The bot will connect to a channel called '#rampenstampen' using the key 
'gratisporn'. The topic of the channel is set to '!adv.start mysql 80 10 
0 132.x.x.x -a -r -s'. This will instruct the bot to scan random IPs in 
'132.0.0.0/8' for mysql servers. Throughout our observation, the topic 
was changed regularly. Networks to be scanned included 10.0.0.0/8, 
likely an attempt to infect other mysql servers within a local network 
that is otherwise protected by a firewall.

So far, the bot has been identified as a version of 'Wootbot'. It 
appears to include the usual set of bot features like a DDoS engine, 
various scanners, and commands to solicit information from infected systems 
(e.g. system stats, software registration keys and such). The bot 
provides an FTP server and a backdoor (details later; it appears to be 
listening on port 2301/tcp and 2304/tcp, maybe other ports).
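The diary above describes two things a defender can look for: the UDF dropper sequence in the MySQL query log (a BLOB table created in the 'mysql' database, a binary inserted, 'select ... into dumpfile' writing a DLL, then 'create function ... soname'), and the post-infection network behaviour (an outbound IRC connection on port 5002/5003 and backdoor listeners on 2301/2304). The following is an added example, not code from the diary or from the list poster, that checks for both indicators over constructed sample data. It assumes the old general query log layout of "<connection id> <command> <argument>" and the Windows 'netstat -an' column layout; the sample log lines and netstat output are made up for the example, and the C2 addresses and ports are the ones quoted in the diary.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of MySQL's general query log ("<conn id> <command> <arg>").
# Not a real capture; the values mirror the chain described in the SANS diary.
SAMPLE_QUERY_LOG = """\
7 Connect   root@10.0.0.5 on
7 Query     use mysql
7 Query     create table bla (line blob)
7 Query     insert into bla values (0x4d5a90000300000004000000ffff0000)
7 Query     select * from bla into dumpfile "app_result.dll"
7 Query     create function app_result returns integer soname "app_result.dll"
7 Query     select app_result()
7 Query     drop table bla
8 Connect   appuser@192.168.1.20 on
8 Query     select id, title from posts where id = 42
8 Query     update posts set views = views + 1 where id = 42
"""

# One regex per stage of the dropper chain. Matching three or more in a single
# connection is a strong signal; a lone BLOB table or a lone DROP is not.
STAGES = [
    ("blob_table",    re.compile(r"\bcreate\s+table\b.*\bblob\b", re.I)),
    ("binary_insert", re.compile(r"\binsert\s+into\b.*\b0x4d5a", re.I)),  # 'MZ' PE header
    ("dumpfile",      re.compile(r"\binto\s+dumpfile\b", re.I)),
    ("udf_create",    re.compile(r"\bcreate\s+function\b.*\bsoname\b", re.I)),
]

LINE_RE = re.compile(r"^\s*(\d+)\s+(Connect|Query)\s+(.*)$")

def detect_udf_dropper(log_text, min_stages=3):
    """Return {conn_id: {"user": ..., "stages": [...]}} for every connection
    that hit at least `min_stages` distinct stages of the dropper chain."""
    sessions = defaultdict(lambda: {"user": None, "stages": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, cmd, arg = m.groups()
        if cmd == "Connect":
            sessions[conn]["user"] = arg.split()[0]   # e.g. root@10.0.0.5
            continue
        for name, rx in STAGES:
            if rx.search(arg) and name not in sessions[conn]["stages"]:
                sessions[conn]["stages"].append(name)
    return {c: s for c, s in sessions.items() if len(s["stages"]) >= min_stages}

# Constructed netstat-style output in the Windows "netstat -an" layout (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2301           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2304           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1187          212.105.105.214:5003   ESTABLISHED
  TCP    10.0.0.5:1201          192.168.1.20:3306      ESTABLISHED
"""

# Indicators quoted in the diary: IRC C2 ports, backdoor listener ports, resolved C2 addresses.
# The addresses were behind dynamic DNS and are expected to change, so treat them as stale.
C2_PORTS = {5002, 5003}
BACKDOOR_PORTS = {2301, 2304}
C2_ADDRESSES = {"212.105.105.214", "63.64.164.91", "63.149.6.91"}

def find_network_indicators(netstat_text):
    """Return a list of (indicator, endpoint) tuples for suspicious TCP entries."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue                      # skips the header line and UDP rows
        local, foreign, state = parts[1], parts[2], parts[3]
        lport = int(local.rsplit(":", 1)[1])
        fhost, fport = foreign.rsplit(":", 1)
        if state == "LISTENING" and lport in BACKDOOR_PORTS:
            hits.append(("backdoor_listener", local))
        elif int(fport) in C2_PORTS or fhost in C2_ADDRESSES:
            hits.append(("irc_c2_connection", foreign))
    return hits

if __name__ == "__main__":
    for conn, info in detect_udf_dropper(SAMPLE_QUERY_LOG).items():
        print(f"connection {conn} ({info['user']}): stages {info['stages']}")
    for kind, endpoint in find_network_indicators(SAMPLE_NETSTAT):
        print(f"{kind}: {endpoint}")
```

Because the general query log records the brute-forced 'root' login as a normal 'Connect' line, the detection keys on the chain of statements rather than on the login itself; on a real host the same regexes can be run against the log with the 'mysql' database name and 'app_result' file names from the diary added as extra stages. The netstat check should be paired with the MySQL hardening the diary implies: a non-trivial 'root' password and no 'root' login from the network.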