It's baffling that so many database administrators, or casual non-DBA downloaders, were responsible for leaving weak or default passwords on MySQL databases, allowing the MySpooler bot attack against Windows installations of MySQL, which last week peaked at an infection rate of 100 machines per minute.
Johannes Ullrich, chief technology officer at the SANS Internet Storm Center, told eWEEK.com reporter Ryan Naraine that, in order to launch the exploit, the bot first had to authenticate to "mysql" as "root" user. Once authenticated, brute-force attacks were launched using a list of passwords included with the bot.
The hijacked databases were thus strung together in a network of MySQL Windows installations that was up to no good, as MySpooler opened three listening ports on target machines and dropped in random, eight-character file names.
MySpooler also inserted a backdoor through which to access the machine and deliver payload, Naraine reported. And MySpooler also included a DDoS engine, scanners, and commands to solicit information such as system stats and software registration keys.
In other words, MySpooler was an evil little bugger. But what really kills me is this quote from Ullrich: "This bot does not use any vulnerability in MySQL. The fundamental weakness it uses is a weak root account," he said.
Weak or default passwords? Weak root accounts? Aren't we beyond that? After all, whether you're talking databases or networks or general host operating systems, the process for dealing with weak passwords is well understood.
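As an added example, not from the column or from MySQL's own documentation, this is the audit a DBA would run for exactly the weakness Ullrich describes, assuming a MySQL 5.0-era server where the grant table still carries a Password column:

```sql
-- Added example: audit the mysql.user grant table for the weakness MySpooler
-- relied on, a root account with an empty or weak password that is reachable
-- over the network. Assumes MySQL 5.0; 5.7 and later renamed the Password
-- column to authentication_string.

-- 1. Any account that can log in with no password at all.
SELECT User, Host
  FROM mysql.user
 WHERE Password = '';

-- 2. Any root account reachable from somewhere other than the local machine.
--    A root row with Host = '%' is what an Internet-facing bot needs to guess against.
SELECT User, Host
  FROM mysql.user
 WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1');

-- 3. Anonymous accounts (empty user name) left behind by the default installer.
SELECT User, Host
  FROM mysql.user
 WHERE User = '';

-- Remediation: give every remaining root row a real password, drop the remote
-- root and anonymous rows, then reload the grant tables so the change is live.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('<choose-a-long-random-secret>');
DROP USER 'root'@'%';                 -- only if the second query returned that row
DELETE FROM mysql.user WHERE User = '';
FLUSH PRIVILEGES;
```

On a Windows box that only serves local applications, also set bind-address=127.0.0.1 (or skip-networking) in my.ini so the brute-force never reaches the listener in the first place.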
Vulnerability scanning has been around for years, with smart system administrators scanning routers and general-purpose operating systems such as Windows and Unix.
Really savvy enterprises have hooked up with tools to scan databases as well, tools from Application Security or Internet Security Systems or the like, although databases, regrettably, still lag in getting the level of vulnerability scanning to which their network component brethren have been rightly subjected.