Message-ID: <41F92CCF.3070308@paradigmo.com>
From: stephane.nasdrovisky at paradigmo.com (stephane nasdrovisky)
Subject: spoolcll.exe - new worm being distributed via mysql vulnerability?
>> my firewall alerted me that a program called spoolcll.exe
>> the worm created a service called "evmon"
>>
>> The only information about this worm on google is a discussion at the
>> following url:
>> http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
>> they are beginning to determine that it is being distributed via a hole
>> in mysql.
>
There is a slashdot.org article & comments. It looks like it exploits a
few sysadmin brain vulnerabilities: weak password, bad practice. I guess
the mysql vulnerability is required for copying & executing the bot.
http://it.slashdot.org/it/05/01/27/1546222.shtml?tid=220&tid=172&tid=95
*Don't keep the port open!*
by hacker@...-designs.com
99.99% of people who run MySQL run it on the same machine as their
webserver that queries it. Most people don't actually do queries /across
the network/ to the database server.
Just run MySQL with --skip-networking at startup (skip-networking in
my.cnf), to disable MySQL from listening on port 3306.
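
An added example, not part of the original message or the quoted comment: a small audit that reads a my.cnf and reports whether the [mysqld] section leaves the server reachable over TCP. It goes slightly beyond the post by also recognising bind-address (a real MySQL option the post does not mention); the function names and the sample option files are constructed for illustration.

```python
# Added example: classify a my.cnf as "no-tcp", "loopback-only" or "network".
# Sample option files below are constructed, not taken from the post.
EXPOSED = "[mysqld]\nport = 3306\ndatadir = /var/lib/mysql\n"
HARDENED = "[client]\nport = 3306\n\n[mysqld]\nskip-networking\n"
LOOPBACK = "[mysqld]\nbind_address = 127.0.0.1\n"

def mysqld_options(text):
    """Return the options of the [mysqld] section as a dict.

    MySQL treats '-' and '_' in option names as equivalent, so names are
    normalised to dashes. '!include' directives are skipped, not followed.
    """
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":
            continue                      # blank, comment, or !include
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue                      # [client] etc. do not affect the server
        key, _, value = line.partition("=")
        opts[key.strip().lower().replace("_", "-")] = value.strip() or None
    return opts

def exposure(text):
    """Classify how the server described by this option file listens."""
    opts = mysqld_options(text)
    if "skip-networking" in opts:
        # A bare 'skip-networking' enables it; an explicit 0/OFF disables it.
        if (opts["skip-networking"] or "1").lower() not in ("0", "off", "false"):
            return "no-tcp"
    if opts.get("bind-address") in ("127.0.0.1", "::1", "localhost"):
        return "loopback-only"
    # No restriction found: assume the server listens on its TCP port
    # (3306 unless changed) on all interfaces.
    return "network"

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED),
                      ("loopback", LOOPBACK)):
        print(f"{name:9s} -> {exposure(cfg)}")
```

A "network" result means the option file alone does not keep port 3306 closed; confirm on the host itself with a listening-socket check.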