lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <b07b147d05012714065167809d@mail.gmail.com>
From: lbarreiro at gmail.com (Luisma)
Subject: Re: Full-Disclosure Digest, Vol 2, Issue 58

On Thu, 27 Jan 2005 11:51:08 -0500 (EST),
full-disclosure-request@...ts.netsys.com
> Message: 8
> Date: Thu, 27 Jan 2005 00:18:21 -0500
> From: Mike Bailey <worried@...il.com>
> Subject: [Full-Disclosure] spoolcll.exe - new worm being distributed
>         via     mysql vulnerability?
> To: full-disclosure@...ts.netsys.com
> Message-ID: <a50eeaa105012621182064e7a9@...l.gmail.com>
> Content-Type: text/plain; charset=US-ASCII
> 
> Aloha,
> 
> Earlier tonight, i was sitting here at home doing some normal
> browsing, and work and my firewall alerted me that a program called
> spoolcll.exe was attempting to open up a port which i cannot remember
> now.
> 
> i tried killing it, but it just came back, over and over again each
> time spawning itselfs on a new port.
> 
> Registry says the worm created a service called "evmon", it cannot be
> paused or stopped, but it can be disabled.
> 
> The only information about this worm on google is a discussion at the
> following url: http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
> they are beginning to determinthat it is being distributed via a hole
> in mysql.
> 
> Do any of you know anything about this? Thanks in advance.
> 
> --
> Love,
> Mike Bailey
> 
> ------------------------------

It's a sort of new worm looking for MySQL weak root passwords. You get
more info at Sans:

http://isc.sans.org/diary.php?isc=a508f4a185755af19ea8bd45444a570b

Boot in Safe Mode and delete that file. Then reboot. Of course, change
your admin pass and firewall tcp port 3306.


-- 
Saludos/Regards

Luisma
-------------------------------------------------------------
Chaos reigns within. Reflect, repent, and reboot. Order shall return.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ