A new Windows-only worm has appeared, and this one targets weak installations of the MySQL database server on machines running Windows. The worm uses a list of 1000 passwords to try to log in as the MySQL administrative user, and if it succeeds, it uses a known exploit to install malicious code onto the server. The “owned” machine then joins an IRC server and awaits instructions (apparently the current instructions are to look for other machines to infect, but that could change). The name of the worm is Forbot, and you can read about it further here.
So folks, if you are silly enough to have a Windows server running MySQL, and that copy of MySQL is not locked down to disallow remote root access, and there is no decent password (a good password is at least 8 characters, and a mix of letters, numbers and symbols), then now is a good time to check your system for signs of compromise. There is no reason to allow remote root access over the net. In fact I go further than that and have locked all our users down to localhost or local-network connections only. (We are running Linux servers, so this worm isn’t applicable to us anyway, but tight settings are a good basis for any server.) It seems to me that the main issue that leads to such compromises is people not considering the security implications of a specific action. The best way to set up security is to lock the machine up totally, so it cannot do anything, and then lower that step by step until you can achieve only exactly what you need.
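The lockdown described above, written out as an added example (it is not part of the original post): first audit the account table for the two conditions the worm relies on, a root account reachable from any host and accounts with no password, then remove remote root, give the remaining root account a real password, and create a least-privilege application account restricted to the local network. The `appdb` schema, the `app` user, the `192.168.1.%` subnet and the password strings are placeholders; the `authentication_string` column and `ALTER USER` / `CREATE USER ... IDENTIFIED BY` syntax assume MySQL 5.7 or later (older releases use the `password` column and `SET PASSWORD`).

```sql
-- 1. Audit: which accounts can be reached from any host?  A row with
--    host = '%' for user 'root' is exactly what this worm looks for.
SELECT user, host
FROM   mysql.user
WHERE  host = '%' OR host = '';

-- 2. Audit: which accounts have no password at all?
--    (column is `authentication_string` on MySQL 5.7+, assumed here)
SELECT user, host
FROM   mysql.user
WHERE  authentication_string = '' OR authentication_string IS NULL;

-- 3. Remediate: remove remote root entirely.  A wildcard host on the
--    root account is the weak setting; root should only exist for
--    connections that originate on the server itself.
DROP USER IF EXISTS 'root'@'%';

-- 4. Remediate: give local root a password that is at least 8 characters
--    and mixes letters, numbers and symbols (placeholder value below).
ALTER USER 'root'@'localhost' IDENTIFIED BY 'Replace-Me-With-A-Real-Passphrase-9!';

-- 5. Least privilege for the application: a dedicated account that can
--    only connect from the local network and only touch its own schema.
--    No GRANT OPTION, no SUPER, no FILE, nothing on mysql.*.
CREATE USER IF NOT EXISTS 'app'@'192.168.1.%'
  IDENTIFIED BY 'Another-Placeholder-Passphrase-7#';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'192.168.1.%';
FLUSH PRIVILEGES;

-- 6. Re-run the audit: the first query should now return no root row
--    and the second should return nothing at all.
SELECT user, host
FROM   mysql.user
WHERE  host = '%' OR authentication_string = '';
```

The account-level changes above are the "lock it down, then open only what you need" approach from the post applied to MySQL's grant tables. They pair naturally with the server-level setting `bind-address = 127.0.0.1` in `my.cnf` (or `skip-networking` if nothing needs TCP access at all), which stops the server from listening on a public interface in the first place, so a password-guessing worm never reaches the login prompt.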
June 4th, 2020 at 2:21 am
Thanks for keeping people up on what’s happening.
Kitchen Renovations Fort St John