Home > Databases > MySQL Worm Hits Windows Systems MySQL Worm Hits Windows Systems Adam Scheinberg 2005-01-28 Databases 32 Comments “A worm that takes advantage of administrators’ poor password choices has started spreading among database systems.” Read more at ZDNet. About The Author Adam Scheinberg Vice President, Information Technology at Massey Services, Inc • President, Board Member, The Mockingbird Foundation • All Things Web, Umphrey’s McGee • Web Developer • Father • Foodie • Music Snob • OS enthusiast Follow me on Twitter @sethadam1 32 Comments 2005-01-28 3:22 pm I’ve been following this quite a bit (we have several mysql servers, though, mostly on Solaris), and I noticed an interesting trend. 90% of the posts I’ve seen about this are in the area of “See, MySQL is flawed! Run XXX”, where XXX is the database of choice of the poster. Just take a moment and read about the problem. It is low quality passwords or no. This, like many security problems, goes back to lazy/incompetent systems administrator/computer owner, not a flaw in software. It would be the same as blaming Linux for a flaw because the owner of the system used a blank password for root. Software is not perfect, and system admins/owners need to understand this and make every effort to secure their systems. A poor systems admin is a poor systems admin, no matter what OS or software they are running. My cent and a half, for what it’s worth. 2005-01-28 3:40 pm True, and I’ll admit I know nothing about SQL, but the Linux distros I’ve run won’t allow a blank root password, or even blank user passwords. They sometimes don’t allow root passwords in all lowercase or without numbers, and even if they do allow them, they warn you that it’s dangerous. Windows servers may do that too because like I said, I don’t use them. I do think nearly all computer problems should be blamed on people. In fact all should be. People wrote them, built them, use them, wrote viruses, spread viruses. Without us, there’d be no problems, no solutions either! 2005-01-28 3:42 pm What can I say… security can be a joke so often =). No matter the software, an idiot behind the controls and completely screws up 2005-01-28 4:51 pm The worm does a dictionary attack. One thing that system administrators do is stuff like (this is from a company I once worked at): P455w0rd They then say it’s strong. Or they might do P4$5w0rd, etc. In any event, the hackers are familiar with this tactic, and check these. It’s fairly easy to try 133t variants as well as dictionary words, as there are programs now for this purpose. There’s a bigger problem here, though. MySQL should be running in a separate Zone (solaris), VM (oses that support VMs) or on a separate physical box from the web server. It is inappropriate for the MySQL box to have access to the public internet — regardless of the OS that you’re running. Ideally, the MySQL — or any other database box — establishes outbound SSH connections to the web server, via a separate physical or virtual box using a fire wall. The goal here is to make the hacker have to compromise 3 boxes, instead of one. Also, any program — any — that is going to load a plug in needs to support digital signatures. Sorry for saying it, but the fact I’ve provided a user name and password for root isn’t sufficient to validate that the file(s) that I’m giving are authorized to run. 2005-01-28 5:05 pm Oh My! Slammer MkII and it targets GPL software. (3 years after MS fixed their database server!) Thank God MS released XPSP2 and its outbound TCP limit, preventing badly written third party software from opening too many outbound connections and limiting the effect of this sort of worm. 2005-01-28 5:07 pm Is MS XP with Service Pack 2 even suitable as a server of any kind? Maybe you meant Windows Server 2003? I would hardly consider their “Setup a Home Network” a server management tool. 2005-01-28 5:12 pm This is what I do for most of my passwords (mind you this is for my home desktop), but I thought this was a pretty good idea? I mean you can still break… but you can bruteforce just amount anything, and this way you make the dictionary at least 20 times as large. I mean how many 1337 ways are there too spell b00L377!m3 (ie “bullet time”)? Isn’t that a good password? This is an actual question… and no I don’t iuse that one particularily, just an example. 2005-01-28 5:12 pm I’d hardly count MySQL as a server management tool. XPSP2 could be counted as a server, just as all the boxes running XP and MSDE vulnerable to Slammer could. 2005-01-28 5:38 pm I think the suggestion was that an OS with limited connectivity would be an odd choice as a server; and really, why would you run a publically accessible database server on XPSP2? And MySQL isn’t a server management tool in any way; I think you misunderstood the point of that. 2005-01-28 5:52 pm You’d run a database on XPSP2 to serve a limited clientele, Phil. (That’s what MSDE is for after all) Of course you could run MySQL on Linux, but you’d open yourself up to worms such as this one, as open source systems haven’t been subjected to the similar vulnerabilities and consequently don’t have similar defences. 2005-01-28 5:55 pm Robert Hensing (who works on one of the security teams in PSS at MS) his this to say about passwords (or phrases in this case): http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx An excellent post IMO. 2005-01-28 6:04 pm “And MySQL isn’t a server management tool in any way; I think you misunderstood the point of that.” You’re entirely agreeing with me. Another poster brought up ‘server management tools’ and said MySQL wasn’t one. To complete the argument if ‘Setup a Home Network’ is the only XPSP2 management tool d has come across it’s obvious he’s not looking. Many XPSP2 tools are more ideally suited to server management than their open source counterparts. 2005-01-28 6:08 pm > You’d run a database on XPSP2 to serve a limited clientele, Phil. (That’s what MSDE is for after all) Of course you could run MySQL on Linux, but you’d open yourself up to worms such as this one, as open source systems haven’t been subjected to the similar vulnerabilities and consequently don’t have similar defences. so, you want to say, that there are now ways to restrict the number and type of clients / transfered data… on linux? *lol* 2005-01-28 6:12 pm I agree with your comments about the passwords. Again, this goes back to unknowing or uncaring system admins/owners. I’d wager a majority of security issues can be resolved down to this issue. The idea of separating the boxes/services is something that should be a given for a corporation. The less services offered on a single box, the easier it is to secure said box. I think this is more of an issue with home users or casual users though. In this case, a majority of the people I’ve seen posting were using MySQL on their desktop, usually taking advantage of Apache/PHP combo to run some OSS applications. They set weak passwords (or let the installer set weak passwords) and didn’t think twice about it. So, the idea of setting up a different server for different pieces isn’t going to work well for them. Not everyone has a few dozen boxes around the house. As for Anonymous’s comment about the root passwords, I was just using that as a metaphor, not a practical example of this problem with Linux. Currently it’s true that most major lables force a password for root, it can be circumvented. And, a password requirement doesn’t always mean a requirement for a GOOD password. 2005-01-28 6:17 pm Of course you could run MySQL on Linux, but you’d open yourself up to worms such as this one This worm only targets MySQL running on MS Windows. 2005-01-28 6:23 pm “This worm only targets MySQL running on MS Windows” ‘targets’ being the operative word. Same code base. Almost certainly the same vulnerability if someone decides to target it. One might legitimately wonder if the recent worm affecting phpBB might have received more attention if it affected a vulnerability in Sharepoint Team Services instead. 2005-01-28 6:27 pm “This worm only targets MySQL running on MS Windows” And, equally, XPSP2 has a significant mitigating affect (limiting outbound connections) – one that wouldn’t have slowed this worm if the author decided to target Linux instead. 2005-01-28 6:28 pm ‘targets’ being the operative word. Same code base. Almost certainly the same vulnerability if someone decides to target it. That’s an hypothesis, I don’t think it’s that simple however. Consider the fact that there are lots of Linux servers running MySQL out there, so the “popularity” argument (rather weak in and of itself) cannot be applied here. I’ll reserve my judgement on this until it is confirmed that the vulnerability can only affect the MySQL/Windows combination, and you probably should do the same. Otherwise it might seem as if you’re trying to start a Linux vs. Windows flamewar, and I think we have enough of those on this site already. 2005-01-28 6:30 pm Moreover, the MySQL database is much more commonly installed alongside open-source operating systems, such as Linux. That means only a small fraction of computers connected to the Internet could be compromised by the MySQL bot. It seems to me that, following the “popularity” argument, the worm would have surfaced for Linux first. It may very well be that the flaw only affects the MySQL/Windows combination. 2005-01-28 7:11 pm Windows XP as a server: http://www.microsoft.com/windowsxp/using/networking/expert/honeycut… Oh I see… THERE ARE MORE TOOLS for Xp. I forgot about “shared files / folders” and printer sharing and remote desktop. Why would ANYONE use Xp as a server OS? If you have the responsibility of setting up and maintaing a server why wouldn’t you use more appropriate tools and OS? Win2003 server and even windows 2000 server are better (as servers) wasn’t the whole point of Win 2003 to be the server for Win Xp desktop / workstations? 2005-01-28 7:14 pm I actually like XP a like for its ease of use and fantastic hardware detection (from ISA boards to AGP 8x.) I also like screwdrivers, they’re great for adding or removing various types of screws. If I needed a server I would not choose XP. When I need to insert nails into wood, I do not use my screwdriver to bang them in till they fit. The result is sloppy as I’m using a product in a role that it was not intended for. d 2005-01-28 7:17 pm A server management tool does not have to have a GUI, buttons, widgets, etc. A steering wheel of a car is just that. Putting pink fuzzy grips on it does not make it better. 2005-01-28 7:24 pm Some people including the guys at MySQL AB says that this is not a bug, and that users should have stronger passwords. However, I really think that MySQL could do more to improve security. The problem is that the database shouldn’t allow you to try more than a few passwords. If you fail to authenticate the first time you should have to wait 1 second, do you fail twice you wait 10 seconds, do you fail a third time you will have to wait 100 seconds before you are allowed to try again. Such exponential scheme makes it next to impossible to guess a resonably strong password. 2005-01-28 7:25 pm I just want to say here that I applaud Postgres’ team for making their default install more secure. Postgres refuses to be run as root (on Unix)/Administrator (on Windows). The Windows installer forces us to choose password for superuser account as well as the Postgres local Windows account. And TCP socket is disabled by default. Maybe MySQL should be taking more steps to making its software more secure and properly designed instead of just being “easy”. 2005-01-28 8:06 pm when they take admin error and turn it into the program’s fault. This article’s headline should read “If you were dumb enough to not keep your root account secure then you’re gonna get what’s coming to you.” You are in control of ‘your’ own root account in MySQL and it is ‘your’ responsibility to manage it…Duh! 2005-01-28 8:54 pm Additional “nuisance” safeguards are always a good idea. Requiring the use of letters + numbers for passwords is good start. Preventing people from using derivative passwords is another (ie, Password1, password2, switched back and forth every month.) Expiration dates + warnings are great for passwords (except when someone goes on disability.) It would be nice if there was a tool available which would rate the strength of your passwords against a dictionary attack & brute force attack, say it gives you a safety percentage. Any password with a safety percentage below some threshold will be rejected, prompting the user for a more secure one. Annoying yes, but what is annoying for your 10 second login time is a show stopper for worms. 2005-01-28 8:56 pm Here’s the link to the actual Sans report, that the ZDNet article is based on: http://isc.sans.org//diary.php?date=2005-01-27 Highlights: 1: “This bot does not use any vulnerability in mysql. The fundamental weakness it uses is a week ‘root’ account.” 2: ” The bot uses the “MySQL UDF Dynamic Library Exploit”. In order to launch the exploit, the bot first has to authenticate to mysql as ‘root’ user. A long list of passwords is included with the bot, and the bot will brute force the password. “Once connected, the bot will create a table called ‘bla’ using the database ‘mysql’. The ‘mysql’ database is typically used to store administrative information like passwords, and is part of every mysql install. The only field in this database is a BLOB named ‘line’. “Once the table is created, the executable is written into the table using an insert statement. Then, the content of is written to a file called ‘app_result.dll’ using ‘select * from bla into dumpfile “app_result.dll”‘. The ‘bla’ table is dropped once the file is created. “In order to execute the ‘app_result.dll’, the bot creates a mysql function called ‘app_result’ which uses the ‘app_result.dll’ file saved earlier. This function is executed, and as a result the bot is loaded and run. ” Unless I am mistaken .dll files are specific to MS Windows operating systems, thus, apparently, the reason this affects only Windows systems. 2005-01-28 9:12 pm Before you all jump on this saying “ah ha, it could easily happen to Linux/FOSS zealots too!”, read carefully. “The worm gets initial access to a database machine by guessing the password of the system administrator, using common passwords.” Ah ha, user fault right there. This is just some bot, no fancy worm. Use multi character/number/puncuation/capitalization passwords for your critical servers. 2005-01-28 9:18 pm your dead wrong. Linux has many defenses against worms. IPtables and its excellent tar-pit module is used often on routers/firewalls to slow the spread of worms, you also have the famous Snort IDS, Pax/NX/Hardened/SELinux/chroot prisons/tripwire/AIDE. As for this “worm”, its not a worm in the classic sense, just some bot scanning and trying a default list of common passwords. The fault here is not the OS, its the administraters. 2005-01-28 10:16 pm “True, and I’ll admit I know nothing about SQL, but the Linux distros I’ve run won’t allow a blank root password, or even blank user passwords. They sometimes don’t allow root passwords in all lowercase or without numbers, and even if they do allow them, they warn you that it’s dangerous.” mysql allows blank passwords on linux too. you would be surprise at the ammount of people who leave it blank or use the “admin”/”admin” combo as username and password 2005-01-29 11:05 am Do not use password for dumb admin. There could be a daemon that ask the admin : – what is your birthday, – in which year did your dog dies and around 30 other such question, before giving the guy a root access. And the comment on mysql should accept only signed sahred libraries … Thanks microsoft sheep . How do you provide signed shared libs not made by your beloved companies. Did i read “those using third parties applications” … does this mean all products should be licenced by microsoft or pay to be certified/signed ? Such admin as you deserve the new world that is coming. You don’t want to think. I don’t want to live in a world under “control” because of such lazy behaviour. Paying a fee for an ID to get access to the cyberworld may be cool too ! Then no need of passwords. Maybe they will get rid of poor admin by the way, those palladium things may have a good side effect in the end. 2005-01-30 8:06 am you really need to know your stuff. MS SQL gives you stored procedures – so injection exploits are really hard to accomplish. When was the last time ASP was hacked in heaps? Or ASP.NET? I mean I am vaguely aware of worms attacking IIS .. and people say Apache has much better security records than IIS … OK, I just don’t know much about the subject … I really wanted to jump into PHP/MySQL – but the lack of stored procedures and the mass exploits of last (PHP/Bulletin) made me hesitant. Shame.