I am now going to quote the advisory:
--------------------------------------------------
Infection Method
The bot uses the "MySQL UDF Dynamic Library Exploit". In order to launch the exploit, the bot first has to authenticate to mysql as 'root' user. A long list of passwords is included with the bot, and the bot will brute force the password.
Once connected, the bot will create a table called 'bla' using the database 'mysql'. The 'mysql' database is typically used to store administrative information like passwords, and is part of every mysql install. The only field in this database is a BLOB named 'line'.
Once the table is created, the executable is written into the table using an insert statement. Then, the content of the table is written to a file called 'app_result.dll' using 'select * from bla into dumpfile "app_result.dll"'. The 'bla' table is dropped once the file is created.
In order to execute the 'app_result.dll', the bot creates a mysql function called 'app_result' which uses the 'app_result.dll' file saved earlier. This function is executed, and as a result the bot is loaded and run.
------------------------------------------------------
This bot will then attempt to infect other machines.
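The sequence quoted above is also what the attack looks like in the server's own general query log. The following is an added example, not code from the advisory or from MySQL AB: it walks general-log lines per connection and scores the four stages of the chain (a BLOB staging table, an INSERT carrying a PE image, SELECT ... INTO DUMPFILE writing a .dll, and CREATE FUNCTION ... SONAME). It assumes the classic text general-log layout (date/time, thread id, command, argument, with continuation lines carrying only the thread id); the SAMPLE_LOG lines are constructed for the example.

```python
"""Flag the MySQL UDF attack chain in general query log entries (added example)."""
import re
from collections import defaultdict

# Assumed layout of a classic general query log line (whitespace-tolerant):
# optional "YYMMDD HH:MM:SS", thread id, command, argument.
LINE_RE = re.compile(
    r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(\d+)\s+(Connect|Init DB|Query|Quit)\s*(.*)$"
)

# (stage name, weight, pattern over the query text). The dumpfile and loader
# stages carry the weight; a BLOB table on its own is too common to alert on.
STAGES = [
    ("staging_blob_table", 1,
     re.compile(r"\bCREATE\s+TABLE\s+(?:`?mysql`?\.)?`?\w+`?\s*\(.*\bBLOB\b", re.I)),
    ("pe_image_insert", 1,
     re.compile(r"\bINSERT\s+INTO\b.*\b0x4d5a", re.I)),      # 0x4D5A = 'MZ' PE header
    ("dumpfile_dll", 3,
     re.compile(r"\bINTO\s+DUMPFILE\s+['\"][^'\"]*\.dll['\"]", re.I)),
    ("udf_soname", 3,
     re.compile(r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\b.*\bSONAME\b", re.I)),
]
ALERT_THRESHOLD = 4  # dumpfile + CREATE FUNCTION, or either plus both staging steps


def parse_line(line):
    """Return (thread_id, command, argument) or None for lines that do not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3).strip()


def analyze(lines):
    """Walk general-log lines and return {thread_id: session} for every
    connection whose stage score reaches ALERT_THRESHOLD."""
    sessions = defaultdict(lambda: {"user": None, "stages": [], "score": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        tid, command, arg = parsed
        sess = sessions[tid]
        if command == "Connect":
            # Connect argument looks like "user@host on [db]".
            m = re.match(r"(\S+)\s+on\b", arg)
            sess["user"] = m.group(1) if m else arg
            continue
        if command != "Query":
            continue
        for name, weight, pattern in STAGES:
            if name not in sess["stages"] and pattern.search(arg):
                sess["stages"].append(name)
                sess["score"] += weight
    return {tid: s for tid, s in sessions.items() if s["score"] >= ALERT_THRESHOLD}


# Constructed sample log: thread 3 is the worm, thread 4 is a normal application.
SAMPLE_LOG = """\
050126 10:01:02       3 Connect     root@192.0.2.10 on
                      3 Query       use mysql
                      3 Query       CREATE TABLE bla (line BLOB)
                      3 Query       INSERT INTO bla VALUES (0x4d5a90000300000004000000ffff0000)
                      3 Query       SELECT * FROM bla INTO DUMPFILE "app_result.dll"
                      3 Query       DROP TABLE bla
                      3 Query       CREATE FUNCTION app_result RETURNS INTEGER SONAME "app_result.dll"
                      3 Query       SELECT app_result()
                      3 Quit
050126 10:01:05       4 Connect     webapp@10.0.0.5 on shop
                      4 Query       SELECT id, name FROM products WHERE id = 17
                      4 Quit
"""

if __name__ == "__main__":
    for tid, s in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"thread {tid} ({s['user']}): score {s['score']}, stages {s['stages']}")
```

Run against a real general log the scoring keys on the two stages that are rarely legitimate on a production server (writing a .dll with INTO DUMPFILE and loading it with CREATE FUNCTION ... SONAME), so a single connection that does either plus the staging steps, or both, is reported with the account it authenticated as.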
MySQL installations are at risk if proper security practices have not been followed.
You need to act now to secure your Windows MySQL installation from this bot and help prevent the spread of the worm. The steps are very simple:
1. Firewall port 3306 from outside access. No MySQL servers should ever be exposed directly to the internet. If you do not have a firewall, look at the various free software firewalls available.
2. Secure your root account. See http://dev.mysql.com/doc/mysql/en/default-privileges.html and http://dev.mysql.com/doc/mysql/en/security-against-attack.html.
Specifically, ensure that the root account has a STRONG password that cannot be easily guessed, and remove the root@'%' account from the grant tables:

Enter password: *****
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 4.1.9-nt

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use mysql;
Database changed
mysql> DELETE FROM user WHERE host = '%' AND user = 'root';
Query OK, 1 row affected (0.03 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.05 sec)

mysql>

This will prevent root logins from external machines.
3. Disable networking. If feasible, remove network access to MySQL completely by using the skip-networking option in your configuration file and restarting the server. You can still connect via named pipes on an NT-based system.
If your server is behind a firewall and you have a strong root password, you are not vulnerable to this worm. If not, take the necessary steps now to ensure that your system is not infected.
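To check steps 2 and 3 against an actual installation, here is an added example that is not MySQL AB's code and was not part of the original post. It audits the grant-table side (no root account reachable from a remote host, no anonymous or empty-password accounts) and the my.ini side (skip-networking set, or the listener bound to loopback), and prints the SQL that fixes the grant table. USER_ROWS stands in for the output of SELECT User, Host, Password FROM mysql.user with placeholder hashes, and the two my.ini texts are constructed; configparser is used as an approximation of MySQL's option-file syntax. The firewall step (1) cannot be verified from inside the server and is not covered.

```python
"""Audit a Windows MySQL install for the root-account and networking steps (added example)."""
import configparser

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed rows of (User, Host, Password); the hashes are placeholders.
USER_ROWS = [
    ("root", "localhost", "*PLACEHOLDER_HASH_1"),
    ("root", "%", "*PLACEHOLDER_HASH_1"),          # the account the worm brute-forces
    ("", "localhost", ""),                          # anonymous account
    ("webapp", "10.0.0.5", "*PLACEHOLDER_HASH_2"),
    ("backup", "%", ""),                            # wildcard host and no password
]


def audit_accounts(rows):
    """Return (findings, fix_sql) for a list of (user, host, password_hash) rows."""
    findings, fixes = [], []
    for user, host, password in rows:
        if user == "":
            findings.append(f"anonymous account ''@'{host}'")
            fixes.append(f"DELETE FROM mysql.user WHERE User='' AND Host='{host}';")
            continue
        if user == "root" and host not in LOCAL_HOSTS:
            findings.append(f"root reachable from host '{host}'")
            fixes.append(f"DELETE FROM mysql.user WHERE User='root' AND Host='{host}';")
            continue  # account is removed; no point setting its password
        if "%" in host:
            findings.append(f"'{user}' reachable from wildcard host '{host}'")
            fixes.append(f"-- review '{user}'@'{host}': restrict Host to the machines that need it")
        if password == "":
            findings.append(f"empty password on '{user}'@'{host}'")
            fixes.append(f"SET PASSWORD FOR '{user}'@'{host}' = PASSWORD('<strong password>');")
    if fixes:
        fixes.append("FLUSH PRIVILEGES;")
    return findings, fixes


def audit_network_config(my_ini_text):
    """Return a finding string if the TCP listener is reachable, else None."""
    cfg = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cfg.read_string(my_ini_text)
    if not cfg.has_section("mysqld"):
        return "no [mysqld] section: server listens on 3306 on all interfaces by default"
    sect = cfg["mysqld"]
    if "skip-networking" in sect or "skip_networking" in sect:
        return None
    bind = sect.get("bind-address") or sect.get("bind_address")
    if bind in LOCAL_HOSTS:
        return None
    port = sect.get("port") or "3306"
    return (f"TCP listener enabled on port {port} bound to {bind or 'all interfaces'}: "
            "add skip-networking (or bind-address=127.0.0.1) and firewall the port")


# Constructed my.ini fragments: the weak default beside the hardened setting.
WEAK_INI = """\
[mysqld]
port=3306
bind-address=0.0.0.0
"""

HARDENED_INI = """\
[mysqld]
port=3306
skip-networking
"""

if __name__ == "__main__":
    findings, fixes = audit_accounts(USER_ROWS)
    for f in findings:
        print("FINDING:", f)
    print("\n".join(fixes))
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, "my.ini:", audit_network_config(ini) or "ok")
```

The generated DELETE statements are the same ones the session above runs by hand; review the emitted list before pasting it into the mysql client, since a root@'%' row may be the only way a remote administrator currently gets in.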
--
Mike Hillyer, Technical Writer
MySQL AB, www.mysql.com
Office: +1 403-380-6535
Mobile: +1 403-330-0870

MySQL User Conference (Santa Clara CA, 18-21 April 2005)
Early registration until February 28: www.mysqluc.com

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]