lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <d3f4951050127095546517987@mail.gmail.com>
From: jdaytona at gmail.com (Jeremy Davis)
Subject: spoolcll.exe - new worm being distributed
	viamysql vulnerability?

Definitly confusing but I believe it stems from a week root passwd.
"the bot first has to authenticate to mysql as 'root'
user." then it seems to launch the exploit allowing it access to
create the dynamic libraries containing User Defined Functions.



On Thu, 27 Jan 2005 11:47:57 -0600, Dolan, Patrick
<Patrick.Dolan@...s.com> wrote:
> From the article text:
> 
> "The bot uses the "MySQL UDF Dynamic Library Exploit". In order to
> launch the exploit, the bot first has to authenticate to mysql as 'root'
> user. A long list of passwords is included with the bot, and the bot
> will brute force the password."
> 
> Looks like this is small part exploit, and large part bad root password
> selection. Though I'm not even sure about the exploit part because the
> text later says:
> 
> "This bot does not use any vulnerability in mysql. The fundamental
> weakness it uses is a week[sic] 'root' account."
> 
> Patrick Dolan
> Information Security Analyst
> 
> -----Original Message-----
> From: Jeremy Davis [mailto:jdaytona@...il.com]
> Sent: Thursday, January 27, 2005 11:23 AM
> To: Mike Bailey
> Cc: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] spoolcll.exe - new worm being distributed
> viamysql vulnerability?
> 
> Check out todays diary at SANS.
> http://isc.sans.org/
> 
> On Thu, 27 Jan 2005 00:18:21 -0500, Mike Bailey <worried@...il.com>
> wrote:
> > Aloha,
> >
> > Earlier tonight, i was sitting here at home doing some normal
> > browsing, and work and my firewall alerted me that a program called
> > spoolcll.exe was attempting to open up a port which i cannot remember
> > now.
> >
> > i tried killing it, but it just came back, over and over again each
> > time spawning itselfs on a new port.
> >
> > Registry says the worm created a service called "evmon", it cannot be
> > paused or stopped, but it can be disabled.
> >
> > The only information about this worm on google is a discussion at the
> > following url:
> > http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
> > they are beginning to determinthat it is being distributed via a hole
> > in mysql.
> >
> > Do any of you know anything about this? Thanks in advance.
> >
> > --
> > Love,
> > Mike Bailey
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
> Disclaimer:
> This electronic message, including any attachments, is confidential and intended solely for use of the intended recipient(s). This message may contain information that is privileged or otherwise protected from disclosure by applicable law. Any unauthorized disclosure, dissemination, use or reproduction is strictly prohibited. If you have received this message in error, please delete it and notify the sender immediately.
> 
>

Powered by blists - more mailing lists