[nsp-sec] Compromised/misused MySQL servers?

jose nazario jose at arbor.net
Mon Jun 16 10:21:11 EDT 2008


Been seeing a handful of MySQL servers in our automated analysis reports
lately. Looks like some malcode may be using MySQL calls directly to store
info, bypassing a web API.

Here's a list of hosts that appear to be misused, some successfully and some
not so. These have all had MySQL connections made in the past few months,
not all may be live.

Bulk mode; whois.cymru.com [2008-06-16 14:20:28 +0000]
35017   | 194.126.173.230  | alex.ccpower.ru      | SWIFTWAY-AS SWIFTWAY Autonomous System
16276   | 91.121.88.179    | alex.ccpower.ru      | OVH OVH
32181   | 69.65.19.125     | daniel452.no-ip.org  | ASN-ECOMD-COLOQUEST - GigeNET
28753   | 89.149.234.183   | elena.ccpower.ru     | NETDIRECT AS NETDIRECT Frankfurt, DE
35017   | 194.126.174.202  | elena.ccpower.ru     | SWIFTWAY-AS SWIFTWAY Autonomous System
28753   | 89.149.234.17    | elena.ccpower.ru     | NETDIRECT AS NETDIRECT Frankfurt, DE
4837    | 123.154.134.40   | fxez8.3322.org       | CHINA169-BACKBONE CNCGROUP China169 Backbone
NA      | 0.0.0.0          | jushen.3322.org      | NA
19166   | 64.72.112.117    | mysql1.100ws.com     | ALPHARED-HOUSTON - Alpha Red, INC
4837    | 222.136.95.93    | sguo.3322.org        | CHINA169-BACKBONE CNCGROUP China169 Backbone
4812    | 222.64.149.8     | shr.3322.org         | CHINANET-SH-AP China Telecom (Group)
2828    | 67.109.160.115   | www.drockstore.net   | XO-AS15 - XO Communications
7015    | 24.218.239.205   | freesql.org          | CCCH-AS2 - Comcast Cable Communications Holdings, Inc
16685   | 200.185.126.132  | xmysql4.f3.k8.com.br | OptiGlobe Telecom Ltda.
16685   | 200.185.126.133  | xmysql5.f3.k8.com.br | OptiGlobe Telecom Ltda.


Additional details available on request.


-- jose


-------------------------------------------------------------
jose nazario, ph.d.  <jose at arbor.net>
security researcher, office of the CTO
Arbor Networks
v: (734) 821 1427
PGP: 0x40A7BF94
www.arbornetworks.com
-------------------------------------------------------------
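An added example, not part of the original post or of Arbor's tooling: it parses the whois.cymru.com bulk lines quoted above (in the four-column layout the post uses, with the wrapped AS names rejoined) into records, groups them by ASN so a responder can see which networks would need notifying, and then scans connection-log lines for internal hosts reaching any of the listed addresses on the MySQL port. The log format, the internal address range (10.0.0.0/8) and the sample log lines are constructed assumptions. Since the post only says these hosts "appear to be misused", a match is a lead for review, not a verdict.

```python
"""Triage helper for the MySQL-misuse report: parse the quoted cymru bulk
output, summarise by ASN, and flag outbound MySQL connections to listed IPs.
Added example; log format and internal range are assumptions."""
import ipaddress
import re
from collections import Counter

MYSQL_PORT = 3306

# The post's whois.cymru.com lines (header included), AS names on one line.
CYMRU_BULK = """\
Bulk mode; whois.cymru.com [2008-06-16 14:20:28 +0000]
35017   | 194.126.173.230  | alex.ccpower.ru      | SWIFTWAY-AS SWIFTWAY Autonomous System
16276   | 91.121.88.179    | alex.ccpower.ru      | OVH OVH
32181   | 69.65.19.125     | daniel452.no-ip.org  | ASN-ECOMD-COLOQUEST - GigeNET
28753   | 89.149.234.183   | elena.ccpower.ru     | NETDIRECT AS NETDIRECT Frankfurt, DE
35017   | 194.126.174.202  | elena.ccpower.ru     | SWIFTWAY-AS SWIFTWAY Autonomous System
28753   | 89.149.234.17    | elena.ccpower.ru     | NETDIRECT AS NETDIRECT Frankfurt, DE
4837    | 123.154.134.40   | fxez8.3322.org       | CHINA169-BACKBONE CNCGROUP China169 Backbone
NA      | 0.0.0.0          | jushen.3322.org      | NA
19166   | 64.72.112.117    | mysql1.100ws.com     | ALPHARED-HOUSTON - Alpha Red, INC
4837    | 222.136.95.93    | sguo.3322.org        | CHINA169-BACKBONE CNCGROUP China169 Backbone
4812    | 222.64.149.8     | shr.3322.org         | CHINANET-SH-AP China Telecom (Group)
2828    | 67.109.160.115   | www.drockstore.net   | XO-AS15 - XO Communications
7015    | 24.218.239.205   | freesql.org          | CCCH-AS2 - Comcast Cable Communications Holdings, Inc
16685   | 200.185.126.132  | xmysql4.f3.k8.com.br | OptiGlobe Telecom Ltda.
16685   | 200.185.126.133  | xmysql5.f3.k8.com.br | OptiGlobe Telecom Ltda.
"""


def parse_cymru_bulk(text):
    """Return one dict per data row: asn, ip, host, as_name, resolved.
    Rows with ASN 'NA' or IP 0.0.0.0 (unresolved dynamic-DNS names) are kept
    for the record but marked unresolved so they are never used for matching."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Bulk mode"):
            continue  # skip blanks and the cymru header line
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue  # not a data row in the post's layout
        asn, ip, host, as_name = parts
        records.append({"asn": asn, "ip": ip, "host": host, "as_name": as_name,
                        "resolved": asn != "NA" and ip != "0.0.0.0"})
    return records


def count_by_asn(records):
    """Counter of ASN -> number of listed hosts, for notification planning."""
    return Counter(r["asn"] for r in records if r["resolved"])


# Constructed connection-log lines (assumed key=value format, not real data).
SAMPLE_FLOWS = """\
2008-06-16T13:55:01Z src=10.1.4.22 dst=91.121.88.179 dport=3306 proto=tcp
2008-06-16T13:55:03Z src=10.1.4.22 dst=10.1.0.5 dport=3306 proto=tcp
2008-06-16T13:57:10Z src=10.1.9.8 dst=64.72.112.117 dport=3306 proto=tcp
2008-06-16T13:58:44Z src=10.1.4.22 dst=91.121.88.179 dport=80 proto=tcp
2008-06-16T14:01:00Z src=10.1.2.2 dst=200.185.126.133 dport=3306 proto=tcp
2008-06-16T14:02:30Z src=10.1.7.3 dst=198.51.100.7 dport=3306 proto=tcp
"""

FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def find_external_mysql(flows, records, internal_net="10.0.0.0/8"):
    """Return (hits, unlisted). hits: flows from internal hosts to a listed
    IP on the MySQL port, as (ts, src, dst, host, asn). unlisted: Counter of
    other external IPs seen on the MySQL port, worth a look as well, since
    the post's list is explicitly partial."""
    listed = {r["ip"]: r for r in records if r["resolved"]}
    net = ipaddress.ip_network(internal_net)
    hits, unlisted = [], Counter()
    for line in flows.splitlines():
        m = FLOW_RE.match(line)
        if not m or int(m["dport"]) != MYSQL_PORT:
            continue
        dst = m["dst"]
        if ipaddress.ip_address(dst) in net:
            continue  # internal database traffic is expected
        if dst in listed:
            r = listed[dst]
            hits.append((m["ts"], m["src"], dst, r["host"], r["asn"]))
        else:
            unlisted[dst] += 1
    return hits, unlisted


if __name__ == "__main__":
    recs = parse_cymru_bulk(CYMRU_BULK)
    print("hosts per ASN:", dict(count_by_asn(recs)))
    found, other = find_external_mysql(SAMPLE_FLOWS, recs)
    for hit in found:
        print("review:", hit)
    print("other external MySQL destinations:", dict(other))
```

The unresolved jushen.3322.org row is deliberately excluded from matching: 0.0.0.0 would otherwise never match anyway, but keeping the rule explicit stops a future dynamic-DNS resolution from being silently trusted without re-checking the list.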
