Hello, welcome to the Monday, June 6th, 2016 edition of the Sandus Storm Center's Stormcast.

My name is Johannes Ulrich and the I'm recording from Baltimore, Maryland.

Tom Liston is back and with a great diary about a recent compromise of a MySQL honeypot.

The attacker in this case used somewhat similar techniques as we have seen in some write-ups

in the past that covered Unix-based MySQL honeypots, but in Tom's case, the honeypot was exposed to a Windows-specific exploit.

MySQL with no or weak passwords and having it exposed to the public internet is still common enough for attackers to scan for it.

Each day we see pretty consistent scans for

around 2,000 different source IP addresses that are looking for MySQL servers.

In Tom's case, the attacker used a number of different methods to gain persistent access to the system.

The attacker dropped various files to the system and also loaded MySQL extensions

to implement a MySQL command that will execute shell commands.

This is a technique we have seen used before against MySQL on Unix and of course it

works just as well on Windows. The root problem here of course is a weak configuration. It's not

really a MySQL specific problem and similar exploits can be expected against other databases that are exposed.

And actually, for example, a case of database like Postgres or such, you already have

execute commands, you don't actually have to implement the way it's sort of done with its

extension in MySQL. Aside from configuring strong passwords for authentication

and isolating your database server from the public internet,

the server should also run as a restricted user.

This will effectively break some of the exploits

that the attacker is attempting here.

Remember that even if you isolate your database server, there's still the possibility that someone first breaks into your network

...