[nsp-sec] Compromised/misused MySQL servers?
Jose Nazario
jose at arbor.net
Mon Jun 16 16:06:04 EDT 2008
On Mon, 16 Jun 2008, Scott A. McIntyre wrote:
> Are you sure that these are MySQL? In our network I think this botnet
> has been running on 3306/tcp for some time, standard botnet, no SQL
> involved. Just where the malware listens...several are doing this at the
> moment from what I recall.
most of the recent ones i looked at looked like MySQL. they were not IRC
or any HTTP or even a custom protocol, it looked like MySQL and SQL
statements.
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO, arbor networks
v: (734) 821 1427 http://asert.arbornetworks.com/
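
An added example, not part of the original message: one way to check whether a listener on 3306/tcp actually speaks MySQL is to parse the first bytes it sends after connect as a protocol-10 server greeting. The function names, the rough HTTP/IRC prefixes, and the sample greeting are assumptions constructed for illustration.

```python
import struct

def parse_mysql_greeting(data: bytes):
    """Return (server_version, thread_id) if `data` begins with a MySQL
    protocol-10 server greeting, otherwise None."""
    if len(data) < 5:
        return None
    # Packet header: 3-byte little-endian payload length, 1-byte sequence id.
    length = int.from_bytes(data[0:3], "little")
    payload = data[4:4 + length]
    if data[3] != 0 or len(payload) != length:
        return None                      # greeting is always sequence 0
    if payload[:1] != b"\x0a":           # protocol version 10
        return None
    nul = payload.find(b"\x00", 1)       # NUL-terminated version string
    version = payload[1:nul] if nul > 1 else b""
    if not version or not all(0x20 <= b < 0x7F for b in version):
        return None
    rest = payload[nul + 1:]
    # thread id (4 bytes), auth data part 1 (8 bytes), filler byte 0x00
    if len(rest) < 13 or rest[12] != 0:
        return None
    return version.decode("ascii"), struct.unpack_from("<I", rest)[0]

def classify_server_bytes(data: bytes) -> str:
    """Rough label for the first bytes a listener sends after connect."""
    if parse_mysql_greeting(data):
        return "mysql-greeting"
    if data.startswith(b"HTTP/"):
        return "http"
    if data.startswith((b":", b"NOTICE ", b"PING ")):
        return "irc-like"
    return "unknown"

def build_sample_greeting() -> bytes:
    """Constructed sample, not captured traffic."""
    payload = (b"\x0a" + b"5.0.51a\x00" + struct.pack("<I", 42)
               + b"abcdefgh\x00" + b"\x2c\xa2\x08\x02\x00" + b"\x00" * 13
               + b"ijklmnopqrst\x00")
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

if __name__ == "__main__":
    print(classify_server_bytes(build_sample_greeting()))
    print(classify_server_bytes(b":irc.example.net NOTICE AUTH :*** hi\r\n"))
```

A listener that passes this check only looks like MySQL at the greeting; confirming SQL statements, as described above, still requires looking at the client-to-server packets.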