* UPDATE: Possible MySQL Bot. New Juniper Vuln, Advice on managing X Windows security, Request for input on 2005 Critical Threats

Published: 2005-01-26
Last Updated: 2005-01-27 12:35:39 UTC
by Toby Kohlenberg (Version: 1)
0 comment(s)
UPDATE: Possible MySQL Bot

We called this a worm earlier. However, after running a sample, it turns
out that this is actually a bot. It will not start to scan until instructed
to do so via IRC. The control server is at landingzone.dynamic-ip.us, which
currently resolves to

The bot is looking for mysql servers, and infecting Windows systems. The
exact infection mechanism is not clear right now.

Some discussion about this worm can be found here:


(thanks to Evan for sending a sample. But we always like more. MD5SUM of the sample we got from Evan: 18d3fe6ebabc4bed7008a9d3cb3713b9)

We do observe a significant rise in port 3306 scanning, which is likely
caused by infected systems.

(at the time of this writing, about 4,000 distinct source IPs scanned
where observed, up from about 500 during the prior days)

The worm creates a file called 'Spoolcll.exe' and has so far been named 'MySpooler'.

You should not expose any MySQL servers to unsolicited connections. If you run MySQL, make sure you block port 3306. MySQL can run without networking enabled, as long as you only connect to it from the local host (e.g. if a web server and mysql run on the same system, which is common for small website). In order to turn off networking, start mysql with the --skip-networking option. You will however need networking if you use replication.

Like allways: If you have to connect from remote systems to your mysql server, tunnel via ssh if possible. Other mitigation options are to enforce SSL encrypted connections (available in mysql 4.0 and later), limit access to certain hosts via firewall rules, and restrict access via mysql's access controls. And as always: Defense in depth. Implement as many of these options as possible, don't rely on one option by itself. If possible, run mysql in a chroot jail (this may require some adjustments to your applications).

New Juniper Vulnerability:

We've got a new vulnerability that has been rumored for a while but is now public-


Quoting from the CERT announcement

"This vulnerability could be exploited either by a directly attached
neighboring device or by a remote attacker that can deliver certain
packets to the router. Routers running vulnerable JUNOS software
are susceptible regardless of the router's configuration. It is
not possible to use firewall filters to protect vulnerable routers.

This vulnerability is specific to Juniper Networks routers running
JUNOS software. Routers that do not run JUNOS software are not
susceptible to this vulnerability. ...

This problem exists in all releases of JUNOS software built prior
to January 7, 2005.

US-CERT is aware this issue is known to affect M-series & T-series Juniper routers."
Patrick Nolan offers the following analysis

Port 6000 X Window system/Linux Malware Activity

Another of our invaluable readers/contributors made the time to persist in
responding to scans of Port 6000 on their network and discovered some
interesting malware for Linux that AV vendors are still responding to. The
activity was reported to have "began in early to mid December." The analysis
they submitted showed that the "Xserver tools" found were used to harvest
accounts and passwords.

Port 6000 scanning trends can be seen here;


Observations from the trench/submitted reports;

"there appear to be more systems using "try" to attach to tcp/6000 and log
keystrokes. users who do "xhost +" are most at risk. we told them not to
do that. ;-)" (The Xhost command line option + results in "Access granted to

"we'll be closing down 6000 at routers and system levels."

"In my testing, I've found that the keystroke logger didn't log well. some
keystrokes did not get recorded. it does well enough though."

"this works better that those constent ssh brute force scanners. it leaves
few traces of use."

"it doesn't require root and it doesn't not put the nic into promiscuous

The examination of "email logs to date do not reveal outbound to the
addresses found in the files removed from the system."

11 files were submitted to VirusTotal and about 9 other AV Vendors.

F-Secure shot back this information on the submitted files;


do read lines from file and feed them to "try"

madscan simple TCP connect scanner, takes hosts/ports from file

rpmquery clue script that mails results

scan clue script that starts to scan to port 6000 with "madscan" and tries to connect with "try" to hosts

send clue script that sends some mail

setup script that sets "rpmquery" in crontab

t read lines from file and feed them to "touch"

touch seems to be normal "touch" command, maybe hacked for setting predefined date

try X windows keylogger, tries to connect to remote hosts and snoop on X windows using XOpenWindow/XNextEvent

x read addresses from file and feed them to "mail" (missing file from the submission)

xfil script for parsing scan logs

**end snip**
SANS Critical Internet Threats research is undertaken annually and provides the basis for the SANS "Top 20" report. The "Top 20" report describes the most serious internet security threats in detail, and provides the steps to identify and mitigate these threats.

The "Top 20" began its life as a research study undertaken jointly between the SANS Institute and the National Infrastructure Protection Centre (NIPC) at the FBI. Today thousands of organizations from all spheres of industry are using the "Top 20" as a definitive list to prioritize their security efforts.

The current "Top 20" is broken into two complimentary yet distinct sections:

? The 10 most critical vulnerabilities for Windows systems.

? The 10 most critical vulnerabilities for UNIX and Linux systems.
The 2005 Top 20 will once again create the experts' consensus on threats - the result of a process that brings together security experts, leaders, researchers and visionaries from the most security-conscious federal agencies in the US, UK and around the world; the leading security software vendors and consulting firms; the university-based security programs; many other user organizations; and the SANS Institute. In addition to the Windows and UNIX vulnerabilities, this year's research will also focus on the 10 most severe vulnerabilities in the Cisco platforms.

For reference a copy of the 2004 paper is available online: http://www.sans.org/top20

*A list of participants may be found in the Appendix.



If you are interested in the Top 20 2005 research please contact the Director Top 20, Ross Patel (rpatel@sans.org), with the following details:

? Your Name

? The Organization you represent and your role

? Contact Details (inc. email and phone)

? A brief description of your security specialty


Toby Kohlenberg
0 comment(s)
Diary Archives