Message-ID: <41F92CCF.3070308@paradigmo.com>
From: stephane.nasdrovisky at paradigmo.com (stephane nasdrovisky)
Subject: spoolcll.exe - new worm being distributed via mysql vulnerability?

>> my firewall alerted me that a program called spoolcll.exe
>> the worm created a service called "evmon"
>>
>> The only information about this worm on google is a discussion at the
>> following url:
>> http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
>> they are beginning to determine that it is being distributed via a hole
>> in mysql.
>

There is a slashdot.org article & comments. It looks like it exploits a few
sysadmin brain vulnerabilities: weak password, bad practice. I guess the
mysql vulnerability is required for copying & executing the bot.

http://it.slashdot.org/it/05/01/27/1546222.shtml?tid=220&tid=172&tid=95

*Don't keep the port open!* by hacker@...-designs.com

99.99% of people who run MySQL run it on the same machine as their
webserver that queries it. Most people don't actually do queries /across
the network/ to the database server.

Just run MySQL with --skip-networking at startup (skip-networking in
my.cnf), to disable MySQL from listening on port 3306.
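The skip-networking advice quoted above, turned into a configuration check (an added example, not part of the original message or the Slashdot comment). The function name and the sample my.cnf texts are constructed for illustration; the check reads only the text it is given and does not follow !include directives.

```python
import configparser

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
TRUTHY = {"1", "on", "true"}

def mysqld_network_exposure(cnf_text):
    """Return 'disabled', 'loopback' or 'exposed' for the [mysqld] section."""
    # configparser cannot parse !include / !includedir lines, so drop them.
    body = "\n".join(line for line in cnf_text.splitlines()
                     if not line.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, delimiters=("=",),
                                   inline_comment_prefixes=("#",))
    cp.read_string(body)
    if not cp.has_section("mysqld"):
        return "exposed"  # no server section: server defaults apply, TCP listener on
    # MySQL accepts '-' and '_' interchangeably in option names.
    opts = {k.replace("_", "-"): v for k, v in cp.items("mysqld")}
    if "skip-networking" in opts:
        v = opts["skip-networking"]
        if v is None or v.strip().lower() in TRUTHY:
            return "disabled"  # no TCP listener at all, local socket only
    if (opts.get("bind-address") or "").strip() in LOOPBACK:
        return "loopback"  # TCP listener reachable only from the same host
    return "exposed"

# Constructed sample configurations (not taken from the thread).
SAMPLES = {
    "default": "[mysqld]\nport = 3306\ndatadir = /var/lib/mysql\n",
    "hardened": "[client]\nport = 3306\n\n[mysqld]\nskip-networking  # local socket only\n",
    "underscore": "[mysqld]\nskip_networking = ON\n",
    "loopback": "!includedir /etc/mysql/conf.d/\n[mysqld]\nbind-address = 127.0.0.1\n",
    "switched_off": "[mysqld]\nskip-networking = 0\nbind-address = 0.0.0.0\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:13} {mysqld_network_exposure(text)}")
```

A result of "exposed" means the option file alone does not stop mysqld from listening on port 3306 on non-loopback interfaces; a host firewall may still block it.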