Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-Disclosure] spoolcll.exe - new worm being distributed via mysq

from [stephane nasdrovisky] Network Security [Permanent Link]
Subject: Re: [Full-Disclosure] spoolcll.exe - new worm being distributed via mysql vulnerability?
Date: Thu, 27 Jan 2005 19:02:55 +0100 

my firewall alerted me that a program called spoolcll.exe
the worm created a service called "evmon"

The only information about this worm on google is a discussion at the
following url: http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
they are beginning to determin that it is being distributed via a hole
in mysql.

There is a slashdot.org article & comments. It looks like it exploits a few sysadmin brain vulnerabilities: weak password, bad practice. I guess the mysql vulnerability is required for copying&executing the bot.

http://it.slashdot.org/it/05/01/27/1546222.shtml?tid=220&tid=172&tid=95

*Don't keep the port open!* by hacker@gnu-designs.com
99.99% of people who run MySQL run it on the same machine as their webserver that queries it. Most people don't actually do queries /across the network/ to the database server.
Just run MySQL with --skip-networking at startup (skip-networking in my.cnf), to disable MySQL from listening on port 3306.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-Disclosure] Re: [ GLSA 200501-36 ] AWStats: Remote code execution, Joao Victor A. Di Stasi
Next by Date:  RE: [Full-Disclosure] spoolcll.exe - new worm being distributed viamysql vulnerability?, Dolan, Patrick
Previous by Thread:  Re: [Full-Disclosure] spoolcll.exe - new worm being distributed via mysql vulnerability?, Jeremy Davis
Next by Thread:  [Full-Disclosure] Delivery by mail, Martin.pitt
Indexes:  [Date] [Thread] [Top] [All Lists]