Full Disclosure mailing list archives
Re: spoolcll.exe - new worm being distributed via mysql vulnerability?
From: stephane nasdrovisky <stephane.nasdrovisky () paradigmo com>
Date: Thu, 27 Jan 2005 19:02:55 +0100
There is a slashdot.org article & comments. It looks like it exploits a few sysadmin brain vulnerabilities: weak password, bad practice. I guess the mysql vulnerability is required for copying & executing the bot.

> my firewall alerted me that a program called spoolcll.exe the worm created a service called "evmon"
> The only information about this worm on google is a discussion at the following url: http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
> they are beginning to determine that it is being distributed via a hole in mysql.

http://it.slashdot.org/it/05/01/27/1546222.shtml?tid=220&tid=172&tid=95

*Don't keep the port open!* by hacker () gnu-designs com

99.99% of people who run MySQL run it on the same machine as their webserver that queries it. Most people don't actually do queries /across the network/ to the database server. Just run MySQL with --skip-networking at startup (skip-networking in my.cnf), to disable MySQL from listening on port 3306.
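An added example, not part of the original message or the quoted Slashdot comment: a small audit of a my.cnf that reports whether mysqld would listen on TCP at all, which is what the skip-networking advice above is meant to prevent. It goes slightly beyond the message by also treating a loopback bind-address as not exposed. The sample files are constructed, and the check assumes no command-line options or included files override the [mysqld] section.

```python
import re

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
OFF = {"0", "off", "false"}

def mysqld_options(cnf_text):
    """Return the options of the [mysqld] section as a dict (last value wins)."""
    opts, section = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line[0] in ";!":          # ';' comments, !include directives
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "mysqld":                  # [client], [mysqldump], ... do not count
            continue
        key, _, value = line.partition("=")
        # MySQL accepts '-' and '_' interchangeably in option names
        key = key.strip().lower().replace("_", "-")
        opts[key] = value.strip().strip("'\"")
    return opts

def audit(cnf_text):
    """Classify the listener: 'no-tcp', 'loopback-only' or 'exposed'."""
    opts = mysqld_options(cnf_text)
    # A bare 'skip-networking' (no value) enables it; an explicit OFF/0 does not
    if "skip-networking" in opts and opts["skip-networking"].lower() not in OFF:
        return "no-tcp"
    if opts.get("bind-address", "") in LOOPBACK:
        return "loopback-only"
    return "exposed"                             # default: all interfaces, port 3306

# Constructed sample configurations (not taken from any real host)
SAMPLES = {
    "hardened": "[client]\nport=3306\n\n[mysqld]\nskip_networking\n",
    "loopback": "[mysqld]\nbind-address = 127.0.0.1\nport = 3306\n",
    "default": "[mysqld]\nport = 3306\n# skip-networking\n",
    "wrong-section": "[client]\nskip-networking\n\n[mysqld]\nport = 3306\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:14} {audit(text)}")
```

The "default" and "wrong-section" samples show the two mistakes that leave port 3306 open: the option left commented out, and the option placed under a section that mysqld does not read.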