| |
Target: MySQL
By Chris Richardson
Staff Writer
Article Date: 2005-01-28
A malicious worm targeting Windows Server systems with MySQL installed has apparently infected thousands of users.
An in-depth look by SANS.org discovered the worm's functions once it a system acquires it. According the report, after infection, the worm attempts to contact an IRC (Internet Relay Chat) server so it can receive further commands.
"The bot will connect to the IRC server on port 5002 or 5003. At this point, the IRC servers appear busy and unable to accept new connections. Note that dynamic DNS services are used. The IP addresses will likely change. Last time we where able to connect, about 8,500 hosts where connected to the IRC server…
So far, the bot has been identified as a version of 'Wootbot'. It appears to include the usual set of bot features like a DDOS engine, various scanners, commands to solicit information from infected systems (e.g. system stats, software registration keys and such). The bot provides an FTP server, and a backdoors (details later. Appears to be listening on port 2301/tcp and 2304/tcp, maybe other ports)."
As noted early, instead of attacking a flaw with MySQL's code, the bot attempts to logon to databases by using a barrage of commonly used passwords.
Read the entire report here.
About the Author:
Chris Richardson is a search engine writer and editor for WebProNews. Visit WebProNews for the latest search news.
|
|
