MySQL Servers Hijacked With Malware To Perform DDoS Attacks (symantec.com)
An anonymous reader writes with news of a malware campaign using hijacked MySQL servers to launch DDoS attacks. Symantec reports: "Attackers are compromising MySQL servers with the Chikdos malware to force them to conduct DDoS attacks against other targets. According to Symantec telemetry, the majority of the compromised servers are in India, followed by China, Brazil and the Netherlands, and are being used to launch attacks against an US hosting provider and a Chinese IP address."
Re: (Score:3)
Seeing as how MySQL is the second most popular database system in the world [db-engines.com], it might be more than that.
Re:Only infects Windows MySQL servers? (Score:5, Informative)
AC is right, this only seems to infect MySQL running on Windows systems:
http://www.symantec.com/connec... [symantec.com]
It modifies registry entries that fool with Terminal Services and other nasty stuff. You should be safe on Linux/BSD.
Re: (Score:3)
"The Linux version was installed onto computers that had been compromised by a Secure Shell (SSH) dictionary attack."
One would hope that only a few sandbox machines and almost no production machines were affected, but weak passwords are more prevalent than we would like to admit.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
That's a nice chart you've found there. I found the ranking a little disconnected from reality, but then I looked at the "ranking method" and felt satisfied I was right.
All is still well with the world; SQLite is still 10x more popular than all the competitors combined.
Re: (Score:2)
all is still well with the world, sqlite is still 10x more popular than all the competitors combined.
"And artificial sweeteners were safe, WMDs were in Iraq and Anna Nicole married for love."
Re: (Score:3)
And putting a database exposed to the net for addresses other than the intended clients is the second fault. If you have only local client software then the database shouldn't be exposed at all.
Windows Servers hijacked with Malware .. (Score:3)
How does this trojan get executed on the host system?
Re: (Score:2)
Re: (Score:1)
Re: (Score:3)
Here’s the thing about VPN though... Explain what secret sauce protects a VPN against a brute force password attack that isn’t also applicable to SSH. Yes, most VPN appliances have decent lockout policies out of box, but you can do the exact same with SSH, fail2ban, etc.
If there was a protocol exploit where SSH allowed an attacker in without credentials, then yes sticking a tunneling protocol in front to protect it has value. When you’re talking credential attacks, it doesn’t matt
Re: (Score:2)
With any VPN worth using, you can use two-factor authentication.
Re: (Score:2)
With any pamd implementation worth using, you can use two-factor authentication.
Setting up Google Authenticator / Authy style two-factor is fairly straightforward in pamd for SSH logins. Not special sauce for the VPN, just poorly configured SSH. No doubt the VPN's more likely to have a nice shiny checkbox to enable it versus hacking pamd config files, but a well-configured VPN is still not magically more secure than a well-configured SSHd.
Re: (Score:2)
I remove access to SSH from all hosts.
I then set up an SSH server with all authentication methods disallowed except certificate authentication.
The host is in a DMZ with ssh open to internal hosts, it also allows ssh agent forwarding and tunneling. This makes for a great "poor man's" vpn server when the actual VPN is down or has a problem.
This has proven to be a pretty secure system.
Re: (Score:2)
Make sure you use the host as a tunnel rather than a jump off point (ie you dont login to an interactive shell and then start a new instance of ssh to connect to internal boxes)... Otherwise if someone owns the jump box they can quickly get everything.
Re: (Score:3)
You are describing a bastion host; and yes, it's a good practice to use. Well done!
Re: (Score:3, Interesting)
Don't forget SSHGuard or Fail2Ban so someone guessing passwords gets the ball-gag quickly. It also doesn't hurt to block geographic ranges one doesn't use, nor come from. For example, I use a VPN service (mainly as an outer layer of protection against unscrupulous Wi-Fi APs as well as Verizon's identifying tags on HTML traffic that are added.) Any connections that are either not from where I work or that VPN service I use are dropped via iptables (if I let them be dropped by TCP wrappers, the attacker wo
Re: (Score:2)
Read the article (Score:2)
The hackers use SQL injection to insert a user-defined function that downloads the malware. So, the developers must not have been protecting their strings from SQL injection.
Is there anything to read without disabling JS? (Score:2, Interesting)
Is there anything I can read about this without disabling NoScript on that bloody Symantec travesty of a website?
Re: (Score:2)
Argh. Got that right. After about ten seconds of "Loading your community website" I decided they didn't have anything I cared to see.
Why? (Score:2)
Why is your MySQL server directly on the internet?
Re:Why? (Score:5, Funny)
>> Why is your MySQL server directly on the internet?
Did you read the part about the attacks being largely from India?
These are the people who flood forums with questions like, "My company just got a contract to do IT for [huge US corporation] and they use something called MySQL to hold all their online customers. My boss told me I need to make MySQL 'PCI compliant' this weekend but I've never used it before. Can you please tell me what PCI is and what I should type in MySQL to turn on PCI?"
Re: (Score:2)
You just made my day with that comment...thanks!
Re: (Score:3)
Fools. Screw PCI and use ISA instead, it's a lot cheaper.
Re: (Score:2)
You forgot the all too common, "reply quickly", from the end.
Re: (Score:2)
I lend a hand on a few forums. It keeps me busy. When I see something like that, "Reply Quickly." I just ignore it. I don't do homework nor do I do your job for you. I'll help, if you show an interest in actually learning. I won't help if you were too lazy to use a search engine (for common terms, I can understand a beginner not knowing which keywords to use).
Re: (Score:2)
I was thinking the same thing....
Re: (Score:2)
Why is your MySQL server directly on the internet?
The more important question is why the hell the compromised companies hadn't long ago fired the morons who are still using inline SQL. Using inline SQL is akin to a surgeon not wearing a mask. It's gross negligence.
Re: (Score:2)
ORMs suck in some situations.
Stored procedures suck in some situations.
Inline SQL sucks in some situations.
There's no really good, flexible way to access a database that works for all use cases.
Re: (Score:2)
No, there really isn't any excuse for using raw inline SQL given the existence and ubiquity of parameterized query APIs. They provide all of the flexibility of raw SQL but with guaranteed proper escaping of value text and thus no SQL injection vulnerability (bugs in the API implementation notwithstanding).
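The two posts above (the one describing the injected user-defined function and this one on parameterized queries) describe the same defect from both sides. The following is an added example, not code from the article or from any of the posters: it stands up a throwaway SQLite database in memory (the table and rows are constructed for the demo; SQLite is used only so it runs offline, and the `?` placeholder is SQLite's, whereas MySQL drivers such as mysql-connector and PyMySQL use `%s`) and runs the same lookup twice, once built by string concatenation and once parameterized, against a classic `' OR '1'='1` payload and against a legitimate name containing an apostrophe.

```python
import sqlite3

# Constructed sample data for the demo (not from the article).
SAMPLE_USERS = [
    ("alice", "admin"),
    ("bob", "user"),
    ("o'brien", "user"),   # a legitimate value that contains a quote
]

# Classic tautology payload: closes the string and makes the WHERE clause always true.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    # The seed insert itself is parameterized, so the apostrophe in o'brien is stored verbatim.
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_inline(conn, name):
    """VULNERABLE: the caller's input is spliced straight into the SQL text.

    Whatever the attacker types becomes part of the statement. This is the
    'inline SQL' the thread complains about.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """SAFE: the statement is fixed; the value travels separately as a parameter.

    The driver never interprets the value as SQL, so quotes, OR clauses and
    comment markers in it are just characters to compare against.
    """
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def inline_breaks_on_quote(conn, name):
    """True if the inline version throws a syntax error on a value with a quote.

    Shows the second cost of string-building: ordinary data such as o'brien
    breaks the query even when nobody is attacking.
    """
    try:
        lookup_inline(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("inline, normal name :", lookup_inline(db, "alice"))
    print("inline, payload     :", lookup_inline(db, PAYLOAD))   # every row leaks
    print("param,  payload     :", lookup_param(db, PAYLOAD))    # nothing matches
    print("param,  o'brien     :", lookup_param(db, "o'brien"))  # quote handled
    print("inline breaks on o'brien:", inline_breaks_on_quote(db, "o'brien"))
```

On the MySQL side the same string-building defect is the entry point the article describes; how far an attacker can go from there (for example whether a UDF can be written to disk and loaded) depends on the database account's privileges, which is a second reason not to run the application's connection as root. The parameterized form costs nothing in flexibility: the SQL text is identical, only the value is passed out of band.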
Re: (Score:2)
They hijack database servers and use 'em for DDoS? (Score:5, Funny)
They hijack database servers and use them for DDoS attacks?
That's like breaking into a bank and using its postage meter to send paper spam.
What's WRONG with these people?
Re: (Score:2)
Not everybody's data is interesting or valuable. If they're not storing CC#s or SSNs, most attackers probably can't monetize whatever they might find in the DB.
Their bandwidth (assuming an outbound DDoS) or their willingness to pay to keep their systems up (inbound DoS against the company’s other servers) is likely to be far more lucrative than trying to fence their data.
Re: (Score:2)
"In the latest Chikdos campaign that we observed, the attackers likely used an automated scanner or possibly a worm to compromise MySQL servers and install the UDF. However, the exact infection vector has not been identified."
Chikdos isn't an exploit, it's a tool that uses MySQL user-defined-functions to attack another server. Symantec picked up on the attacks using their telemetry.
This particular story isn't something to teach you how to be a better server admin (although it can, if you follow the advice in the article). It's a report about various things that are passing through cyberspace, and where they come from. If you're interested in that sort of thing, then you'll be interested in
There is only a handful of cases, do not worry! (Score:2)
Seriously, who the hell still uses MySQL on DOS servers?