Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Botnet Databases Open Source Security

MySQL Servers Hijacked With Malware To Perform DDoS Attacks (symantec.com) 55

An anonymous reader writes with news of a malware campaign using hijacked MySQL servers to launch DDoS attacks. Symantec reports: "Attackers are compromising MySQL servers with the Chikdos malware to force them to conduct DDoS attacks against other targets. According to Symantec telemetry, the majority of the compromised servers are in India, followed by China, Brazil and the Netherlands, and are being used to launch attacks against an US hosting provider and a Chinese IP address."
This discussion has been archived. No new comments can be posted.

MySQL Servers Hijacked With Malware To Perform DDoS Attacks

Comments Filter:
  • by nickweller ( 4108905 ) on Wednesday October 28, 2015 @01:53PM (#50819183)
    "The attackers initially injected a malicious user-defined function (Downloader.Chikdos) into servers" ref [symantec.com]

    How does this trijan get executed on the host system.
    • by Gr8Apes ( 679165 )
      Apparently via some other method. For Linux, the Chikdos attack is via an ssh login bruteforce attack.... gee, if I can login via ssh and have root, I've already pwned the server, MySQL would be my toy, as would everything else on the machine.
      • Another (or really, the only) not to have a ssh port exposed to the world. People who do that are asking for trouble. Tunnel in through a VPN people!
        • by Aaden42 ( 198257 )

          Here’s the thing about VPN though... Explain what secret sauce protects a VPN against a brute force password attack that isn’t also applicable to SSH. Yes, most VPN appliances have decent lockout policies out of box, but you can do the exact same with SSH, fail2ban, etc.

          If there was a protocol exploit where SSH allowed an attacker in without credentials, then yes sticking a tunneling protocol in front to protect it has value. When you’re talking credential attacks, it doesn’t matt

          • With any VPN worth using, you can use two-factor authentication.

            • by Aaden42 ( 198257 )

              With any pamd implementation worth using, you can use two-factor authentication.

              Setting up Google Authenticator / Authy style two-factor is fairly straightforward in pamd for SSH logins. Not special sauce for the VPN, just poorly configured SSH. No doubt the VPN's more likely to have a nice shiny checkbox to enable it versus hacking pamd config files, but a well-configured VPN is still not magically more secure than a well-configured SSHd.

        • I remove access to SSH from all hosts.

          I then set up an SSH server with all authentication methods disallowed except certificate authentication.

          The host is in a DMZ with ssh open to internal hosts, it also allows ssh agent forwarding and tunneling. This makes for a great "poor man's" vpn server when the actual VPN is down or has a problem.

          This has proven to be a pretty secure system.

          • by Bert64 ( 520050 )

            Make sure you use the host as a tunnel rather than a jump off point (ie you dont login to an interactive shell and then start a new instance of ssh to connect to internal boxes)... Otherwise if someone owns the jump box they can quickly get everything.

          • You are describing a bastion host; and yes, it's a good practice to use. Well done!

          • Re: (Score:3, Interesting)

            by Anonymous Coward

            Don't forget SSHGuard or Fail2Ban so someone guessing passwords gets the ball-gag quickly. It also doesn't hurt to block geographic ranges one doesn't use, nor come from. For example, I use a VPN service (mainly as an outer layer of protection against unscrupulous Wi-Fi APs as well as Verizon's identifying tags on HTML traffic that are added.) Any connections that are either not from where I work or that VPN service I use are dropped via iptables (if I let them be dropped by TCP wrappers, the attacker wo

          • This is the only way to go.
    • The hackers use SQL injection to insert a user-defined-function that downloads the malware. So, the developers must have been not protecting their strings from SQL injection.

  • by Anonymous Coward

    Is there anything I can read about this without disabling NoScript on that bloody Symantec travesty of a website?

    • by steveg ( 55825 )

      Argh. Got that right. After about ten seconds of "Loading your community website" I decided they didn't have anything I cared to see.

  • Why is your MySQL server directly on the internet?

    • Re:Why? (Score:5, Funny)

      by xxxJonBoyxxx ( 565205 ) on Wednesday October 28, 2015 @02:18PM (#50819381)

      >> Why is your MySQL server directly on the internet?

      Did you read the part about the attacks being largely from India?

      These are the people who flood forums with questions like, "My company just got a contract to do IT for [huge US corporation] and they use something called MySQL to hold all their online customers. My boss told me I need to make MySQL 'PCI compliant' this weekend but I've never used it before. Can you please tell me what PCI is and what I should type in MySQL to turn on PCI?"

      • by deKernel ( 65640 )

        You just made my day with that comment...thanks!

      • Fools. Screw PCI and use ISA instead, it's a lot cheaper.

        Fight for your bitcoins! [coinbrawl.com]

      • You forgot the all too common, "reply quickly", from the end.

        • by KGIII ( 973947 )

          I lend a hand on a few forums. It keeps me busy. When I see something like that, "Reply Quickly." I just ignore it. I don't do homework nor do I do your job for you. I'll help, if you show an interest in actually learning. I won't help if you were too lazy to use a search engine (for common terms, I can understand a beginner not knowing which keywords to use).

    • I was thinking the same thing....

    • Why is your MySQL server directly on the internet?

      The more important question is why the hell the compromised companies hadn't long ago fired the morons who are still using inline SQL. Using inline SQL is akin to a surgeon not wearing a mask. It's gross negligence.

      • That's one of the most controversial arguments around. The reason it's controversial is simple, all the options suck.

        ORMs suck in some situations.
        Stored procedures suck in some situations.
        Inline SQL suck situations.

        There's no really good, flexible way to access a database that works for all use cases.
        • No, there really isn't any excuse for using raw inline SQL given the existence and ubiquity of parameterized query APIs. They provide all of the flexibility of raw SQL but with guaranteed proper escaping of value text and thus no SQL injection vulnerability (bugs in the API implementation notwithstanding).

  • by Ungrounded Lightning ( 62228 ) on Wednesday October 28, 2015 @02:05PM (#50819293) Journal

    They hijack database servers and use them for DDoS attacks?

    That's like breaking into a bank and using its postage meter to send paper spam.

    What's WRONG with these people?

    • by Aaden42 ( 198257 )

      Not everybody’s data is interesting or valueable. If they’re not storing CC#’s or SSN’s, most attackers probably can’t monitize whatever they might find in the DB.

      Their bandwidth (assuming an outbound DDoS) or their willingness to pay to keep their systems up (inbound DoS against the company’s other servers) is likely to be far more lucrative than trying to fence their data.

  • Seriously, who the hell still uses MySQL on DOS servers?

    Fight for your bitcoins! [coinbrawl.com]

No spitting on the Bus! Thank you, The Mgt.

Working...