[nsp-sec] Compromised/misused MySQL servers?
Scott A. McIntyre
scott at xs4all.net
Mon Jun 16 15:53:23 EDT 2008
Hi Jose,
On Jun 16, 2008, at 16:21 , jose nazario wrote:
> ----------- nsp-security Confidential --------
>
> Been seeing a handful of MySQL servers in our automated analysis reports
> lately. Looks like some malcode may be using MySQL calls directly to store
> info, bypassing a web API.
>
> Here's a list of hosts that appear to be misused, some successfully and some
> not so. These have all had MySQL connections made in the past few months,
> not all may be live.
>
Are you sure that these are MySQL? In our network I think this botnet
has been running on 3306/tcp for some time, standard botnet, no SQL
involved. Just where the malware listens...several are doing this at
the moment from what I recall.
Cheers,
Scott A. McIntyre
XS4ALL Internet B.V.
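One way to settle the question raised above (is a 3306/tcp listener really MySQL, or just a bot bound to that port?) is to read the unsolicited server greeting: a real MySQL server sends a protocol-v10 handshake packet before the client says anything, while an IRC-style bot typically expects the client to speak first or sends an unrelated banner. This parser is an added example, not code from the thread; the sample greeting and bot banner below are constructed, not captured from the hosts discussed.

```python
import struct

def parse_mysql_greeting(data: bytes):
    """Parse a MySQL protocol-v10 initial handshake packet.

    Layout: 3-byte little-endian payload length, 1-byte sequence id (0 for the
    greeting), then payload: 0x0A protocol version, NUL-terminated server
    version string, 4-byte connection id, 8 bytes of auth-plugin-data-part-1,
    a 0x00 filler byte, and the low 2 bytes of the capability flags.
    Returns a dict of the parsed fields, or None if the bytes do not match.
    """
    if len(data) < 5:
        return None
    payload_len = int.from_bytes(data[0:3], "little")
    seq = data[3]
    payload = data[4:4 + payload_len]
    if seq != 0 or len(payload) != payload_len or payload[0] != 0x0A:
        return None
    end = payload.find(b"\x00", 1)
    if end < 0:
        return None
    version = payload[1:end].decode("ascii", "replace")
    rest = payload[end + 1:]
    if len(rest) < 4 + 8 + 1 + 2 or rest[12] != 0x00:   # filler byte must be 0x00
        return None
    conn_id = struct.unpack_from("<I", rest, 0)[0]
    cap_low = struct.unpack_from("<H", rest, 13)[0]
    return {"server_version": version, "connection_id": conn_id,
            "capabilities_low": cap_low}

def build_greeting(version: bytes, conn_id: int) -> bytes:
    """Build a minimal v10 greeting for testing (constructed sample data)."""
    payload = (b"\x0a" + version + b"\x00" + struct.pack("<I", conn_id)
               + b"ABCDEFGH" + b"\x00" + struct.pack("<H", 0xF7FF))
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

# Constructed samples: one plausible MySQL greeting, one IRC-style bot line.
SAMPLE_MYSQL = build_greeting(b"5.0.51a-24", 12345)
SAMPLE_NOT_MYSQL = b"NICK bot42\r\nUSER bot42 0 * :bot\r\n"

def classify_listener(first_bytes: bytes) -> str:
    """Label what the first bytes received from a 3306/tcp listener look like."""
    return "mysql" if parse_mysql_greeting(first_bytes) else "not-mysql"

if __name__ == "__main__":
    print(classify_listener(SAMPLE_MYSQL), parse_mysql_greeting(SAMPLE_MYSQL))
    print(classify_listener(SAMPLE_NOT_MYSQL))
```

In practice you feed `classify_listener` the first bytes read after connecting with a short timeout; a listener that sends nothing at all before the client speaks is also "not-mysql" under this check.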