Help
New MySQL Internet Worm - Spoolcll.exe
http://isc.sans.org//diary.php?date=2005-01-26
http://forums.whirlpool.net.au/forum-repli...fm?t=291921&p=3
We have reports about a possible MySQL worm. Right now, it appears to be hunting for Windows systems running MySQL. We have no deteails so far, and would creatly appreciate input (in particular code samples). We do observe a significant rise in port 3306 scanning, which is likely caused by infected systems. The worm creates a file called 'Spoolcll.exe' and has so far been named 'MySpooler'.
You should not expose any MySQL servers to unsolicitated connections. If you run MySQL, make sure you block port 3306. MySQL can run without networking enabled, as long as you only connect to it from the local host (e.g. if a web server and mysql run on the same system, which is common for small website). In order to turn off networking, start mysql with the --skip-networking option. You will however need networking if you use replication.
Page 1 of 1
New MySQL Internet Worm - Spoolcll.exe Lock down port 3306
#1
- Security Reporter
-
- Group: Members
- Posts: 509
- Joined: 10-April 04
- Gender:Male
- Location:Roanoke, Virginia
Posted 27 January 2005 - 06:29 AM
Back to top
#2
- Bleepin' Conundrum
-
- Group: Staff Emeritus
- Posts: 19,461
- Joined: 26-April 04
- Gender:Male
- Location:65 miles due East of the "Logic Free Zone", in Md, USA
Posted 30 January 2005 - 01:40 PM
Follow-up Information
Read complete article here
Quote
MySQL worm halted
Published: January 28, 2005, 1:40 PM PST
By Robert Lemos
Staff Writer, CNET News.com
A worm exploiting weak database passwords on Windows computers had essentially stopped spreading on Friday, after the systems infected with the program were cut off from the control of several central computers.
More than 8,000 Windows computers running the MySQL database were probably infected with the worm program, referred to as the MySQL bot worm or by the name of the executable file, SpoolCLL, that the worm installs on vulnerable machines.
Published: January 28, 2005, 1:40 PM PST
By Robert Lemos
Staff Writer, CNET News.com
A worm exploiting weak database passwords on Windows computers had essentially stopped spreading on Friday, after the systems infected with the program were cut off from the control of several central computers.
More than 8,000 Windows computers running the MySQL database were probably infected with the worm program, referred to as the MySQL bot worm or by the name of the executable file, SpoolCLL, that the worm installs on vulnerable machines.
Read complete article here
The only easy day was yesterday.
...some do, some don't; some will, some won't (WR)
...some do, some don't; some will, some won't (WR)
Share this topic:
Page 1 of 1