A malicious bot program is breaking into poorly secured MySQL databases running on Windows web servers, and appears to have compromised several thousand systems. The malware uses a brute-force password attack to gain access to MySQL installations whose administrative (root) account has a weak or empty password, according to an analysis by the Internet Storm Center.
Once the bot has logged in as root, it uses the well-known MySQL UDF (user-defined function) dynamic-library technique to get its code onto the server: the malicious DLL is written to disk over the database connection, registered as a UDF with CREATE FUNCTION ... SONAME, and then called, which runs the bot with the privileges of the MySQL service. The bot then connects to an IRC channel to receive commands. Once incorporated into the bot network, the "zombie" machines scan for and attempt to infect other servers, but could easily be used for other purposes.
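The two things an administrator should check after reading the above are the conditions the bot relies on: a root account that can be brute-forced, and the ability to register a UDF from a DLL. The following MySQL statements are an added example, not part of the article or the ISC analysis; they assume a pre-5.7 grant-table layout (a Password column in mysql.user and PASSWORD() in SET PASSWORD) and a placeholder UDF name, and should be run as a privileged user.

```sql
-- Added audit and hardening queries (not from the article or the ISC write-up).
-- Assumes a pre-5.7 grant table layout; on 5.7+ read authentication_string
-- instead of Password and use ALTER USER ... IDENTIFIED BY for step 5.

-- 1. Accounts the brute forcer goes after: any user with an empty password,
--    and any account allowed to connect from every host ('%').
SELECT User, Host, (Password = '') AS empty_password
FROM mysql.user
WHERE Password = '' OR Host = '%'
ORDER BY User, Host;

-- 2. UDFs currently registered. The bot's payload is a DLL loaded with
--    CREATE FUNCTION ... SONAME, so any row here that you did not create
--    yourself deserves a close look. A clean server normally returns no rows.
SELECT name, ret, dl, type FROM mysql.func;

-- 3. Where the server will load a UDF library from. Releases of the period
--    loaded a DLL from any path the server process could read; later ones
--    restrict loading to plugin_dir and file writes to secure_file_priv.
SHOW VARIABLES LIKE 'plugin_dir';
SHOW VARIABLES LIKE 'secure_file_priv';

-- 4. Remove a UDF you did not install (suspicious_udf is a placeholder name).
-- DROP FUNCTION suspicious_udf;

-- 5. Hardening: give root a real password and stop remote root logins.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('replace-with-a-long-random-value');
DELETE FROM mysql.user WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1');
FLUSH PRIVILEGES;
```

Steps 1 and 2 are read-only and safe to run on a suspect server before doing anything else; if step 2 returns rows, treat the machine as compromised rather than simply dropping the function, since the bot has already executed. Beyond the grant tables, a MySQL server that only serves a local web application should not be reachable from the Internet at all (bind-address=127.0.0.1 or skip-networking in my.ini), which removes the brute-force surface entirely.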
The bot being used is a version of the widely used bot family known as Wootbot or Forbot. "It appears to include the usual set of bot features like a DDOS engine, various scanners, commands to solicit information from infected systems (e.g. system stats, software registration keys and such)," according to the SANS analysis. "The bot provides an FTP server, and backdoors."
MySQL is the leading open source database and is widely used in web applications written in the PHP server-side scripting language. MySQL has more than 5 million installations and is a key ingredient in popular "LAMP" hosting plans, which combine the Linux operating system, the Apache web server, the MySQL database and scripting in PHP, Perl or Python. MySQL also runs on Unix and Windows, but so far only Windows machines are known to have been exploited: the bot's UDF payload is a Windows DLL, so the worm itself is Windows-specific, although a root account with a weak password exposed to the network is just as dangerous on any other platform.