[Intrusions] MySQL hits...
kenneth gf brown
ken at shadowplay.net
Mon Feb 7 18:13:28 GMT 2005
Might this help?
See http://dev.mysql.com
FEATURE ARTICLE
Securing a MySQL Server on Windows
At the end of January 2005 a new worm-like malware named Forbot spread
across the Internet, targeting poorly configured MySQL installations and
exploiting them to gain access to the Windows host machines. MySQL takes
security very seriously and we are working on a set of proactive services to
help alert you to bugs, security issues and new features.
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of
> bschnzl at cotse.net
> Sent: February 5, 2005 10:01
> To: intrusions at lists.sans.org
> Subject: [Intrusions] MySQL hits...
>
>
> All...
>
> I have been hit with 1047 mysql sessions on THP! The bulk of the
> hits came at 0929 EST and continued until 1051. I have attached the
> SYNs. Is there a new MYSQL exploit, or was this guy just beating his
> head against a wall?
>
> B.
>
> On 20 Jan 2005, this text appeared purporting to belong to Jason
>
> From: "Jason \"JC\" Monroe" <monroe at peoplego.com>
> To: "Intrusions List (GCIA Practicals)"
> <intrusions at lists.sans.org>
> Date sent: Thu, 20 Jan 2005 22:38:46 -0800
> Subject: [Intrusions] Re: Summary of large-scale
> portscanning detects
> Send reply to: "Intrusions List \(GCIA Practicals\)"
> <intrusions at lists.sans.org>
> > On Thu, 2005-01-20 at 19:26, Ken.Connelly at uni.edu wrote:
> > > The following extracts show the beginning and ending of scan
> > > activity was detected on my network. The number following each set
> > > is the total number of probes for that source. Timestamps are
> > > GMT-0600.
> > >
> > > Jan 19 06:01:54 68.164.218.138:2433 -> xxx.yyy.1.1:3306 SYN ******S*
> > > Jan 19 06:01:54 68.164.218.138:2434 -> xxx.yyy.1.2:3306 SYN ******S*
> >
> >
> > The only tools that I've located have been mysqlf**k and another brute
> > forcer. Has anyone else found evidence of a MySQL based worm?
> >
> > Thanks,
> >
> > JC
> > _______________________________________________
> > Intrusions mailing list
> > Intrusions at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/intrusions
>
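Added example, not part of the original thread: one way to tally 3306/tcp probes per source from SYN lines in the format quoted above and flag sources that sweep several hosts in a short window. The sample lines are constructed (documentation address ranges), and the threshold, window and function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the quoted log format (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Jan 19 06:01:54 198.51.100.7:2433 -> 192.0.2.1:3306 SYN ******S*
Jan 19 06:01:54 198.51.100.7:2434 -> 192.0.2.2:3306 SYN ******S*
Jan 19 06:01:55 198.51.100.7:2435 -> 192.0.2.3:3306 SYN ******S*
Jan 19 06:01:55 198.51.100.7:2436 -> 192.0.2.4:3306 SYN ******S*
Jan 19 06:02:10 203.0.113.9:40112 -> 192.0.2.10:3306 SYN ******S*
Jan 19 06:03:00 203.0.113.20:1025 -> 192.0.2.1:80 SYN ******S*
Jan 19 09:40:00 203.0.113.9:40500 -> 192.0.2.10:3306 SYN ******S*
garbled line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\w.]+):(?P<dport>\d+) SYN \S+$"
)

def parse(log, year=2005):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for each well-formed SYN line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a SYN record in this format
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["dst"], int(m["dport"])

def mysql_sweeps(log, port=3306, min_targets=3, window=timedelta(minutes=5)):
    """Return {src: (probes, distinct_targets)} for sources sweeping `port`."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        if dport == port:
            events[src].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # distinct hosts probed within one window starting at this hit
            targets = {d for t, d in hits[i:] if t - start <= window}
            if len(targets) >= min_targets:
                flagged[src] = (len(hits), len({d for _, d in hits}))
                break
    return flagged

if __name__ == "__main__":
    for src, (probes, targets) in mysql_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {probes} probes to {targets} hosts on 3306/tcp")
```

A source that repeatedly hits one host, like the second address in the sample, is not flagged as a sweep; lowering `min_targets` to 1 reports every source that touched the port.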