Message-ID: <41F92CCF.3070308@paradigmo.com>
From: stephane.nasdrovisky at paradigmo.com (stephane nasdrovisky)
Subject: spoolcll.exe - new worm being distributed via
	mysql vulnerability?


>> my firewall alerted me that a program called spoolcll.exe
>> the worm created a service called "evmon"
>>
>> The only information about this worm on google is a discussion at the
>> following url: 
>> http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
>> they are beginning to determine that it is being distributed via a hole
>> in mysql.
>
There is a slashdot.org article & comments. It looks like it exploits a 
few sysadmin brain vulnerabilities: weak password, bad practice. I guess 
the mysql vulnerability is required for copying&executing the bot.

http://it.slashdot.org/it/05/01/27/1546222.shtml?tid=220&tid=172&tid=95

*Don't keep the port open!* 
by hacker@...-designs.com
99.99% of people who run MySQL run it on the same machine as their 
webserver that queries it. Most people don't actually do queries /across 
the network/ to the database server.
Just run MySQL with --skip-networking at startup (skip-networking in 
my.cnf), to disable MySQL from listening on port 3306.
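
An added example, not part of the original message or the quoted Slashdot comment: a Python check that classifies a my.cnf file by whether mysqld accepts TCP connections. It goes beyond the comment by also reading bind-address (a real MySQL option not mentioned in the thread); the sample option files and function names are constructed for illustration.

```python
# Added example: audit my.cnf text for TCP exposure of mysqld.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
FALSE_VALUES = {"0", "off", "false"}

# Constructed sample option files (not taken from the original thread).
EXPOSED_CNF = """
[client]
port = 3306
[mysqld]
datadir = /var/lib/mysql
port = 3306
"""
HARDENED_CNF = """
[mysqld]
datadir = /var/lib/mysql
skip-networking
"""

def mysqld_options(text):
    """Return the options of the [mysqld] section as a dict (last value wins)."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":   # comments and !include directives
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        # MySQL treats '-' and '_' in option names as equivalent.
        opts[key.strip().lower().replace("_", "-")] = value.strip().strip("'\"")
    return opts

def tcp_exposure(text):
    """Classify the config: 'disabled', 'loopback' or 'network'."""
    opts = mysqld_options(text)
    if "skip-networking" in opts and opts["skip-networking"].lower() not in FALSE_VALUES:
        return "disabled"
    # Assumption: with no bind-address set, mysqld listens on all interfaces.
    addrs = [a.strip().lower() for a in opts.get("bind-address", "*").split(",")]
    return "loopback" if all(a in LOOPBACK for a in addrs) else "network"

if __name__ == "__main__":
    for name, cnf in (("exposed", EXPOSED_CNF), ("hardened", HARDENED_CNF)):
        print(name, "->", tcp_exposure(cnf))
```

A result of "network" means the server is reachable on its TCP port from other hosts unless a firewall blocks it; "disabled" corresponds to the skip-networking setting recommended above.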


