InfoScope

tech news clips

Friday, January 28, 2005

MySQL bot targets Windows

p2pnet.net News:-

A bot exploiting vulnerable MySQL installs on Windows systems is on the rampage and has so far infected several thousand, says the SANS Internet Storm Center.
“Infected systems will connect to an IRC server,” it says. “The IRC server will instruct them to scan various /8 networks for other vulnerable mysql servers.”
MySQL is an open source database engine used by millions of sites, with all that implies.
The bot uses the MySQL UDF Dynamic Library Exploit, says the Storm Center. To launch the exploit it first has to authenticate to mysql as the 'root' user and, “A long list of passwords is included with the bot, and the bot will brute force the password.”
eWeek quotes security consultant Jacques Erasmus as saying the hijacked database engines are creating a zombie network of machines capable of being misused.
“Attacking all MySQL Windows installations, Erasmus said the bot, identified as MySpooler, opens three listening ports on the target machine and drops in an eight-character random file name,” says eWeek.
Erasmus said MySpooler also provides a backdoor for the attacker to access the machine and deliver a payload.
What can you do about it?
The fundamental weakness it uses is a weak 'root' account, says the Storm Center.
Select a strong password, in particular for the 'root' account.
Connections for any account can be limited to certain hosts in MySQL, and if possible 'root' should only be allowed to connect from localhost. MySQL can also be configured to force connections to use its own SSL connection option.
MySQL servers should not be exposed to the ‘wild outside’. Block port 3306 and only allow access from selected hosts that require such access. Again, the use of ssh forwarding or SSL is highly recommended.
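The Storm Center's advice above (strong 'root' password, 'root' limited to localhost, SSL for remote accounts) as an added example of the corresponding MySQL statements; this is not from the Storm Center or p2pnet. It assumes pre-8.0 MySQL syntax (SET PASSWORD ... = PASSWORD(), a `password` column in `mysql.user`), matching the servers of the time, and the database name `appdb`, account `appuser` and host `192.0.2.10` are placeholders.

```sql
-- Added example: hardening the accounts the bot brute-forces.
-- Run as the existing root account, e.g.  mysql -u root -p < harden.sql
-- Assumes MySQL 4.1-5.6 syntax (PASSWORD() and mysql.user.password).

-- 1. Audit: accounts reachable from any host ('%') or with no password
--    are exactly what a password-list brute force will find.
SELECT user, host, password
  FROM mysql.user
 WHERE host = '%' OR password = '';

-- 2. Drop anonymous accounts and any 'root' entry that is not localhost,
--    so 'root' can only connect from the local machine.
DELETE FROM mysql.user WHERE user = '';
DELETE FROM mysql.user WHERE user = 'root' AND host <> 'localhost';

-- 3. Strong password for the remaining root@localhost account.
--    (placeholder: use a long random passphrase, not a dictionary word)
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('<long-random-passphrase>');

-- 4. Application access: least privilege, from a named host only.
--    'appdb', 'appuser' and 192.0.2.10 are placeholders.
GRANT SELECT, INSERT, UPDATE, DELETE
   ON appdb.*
   TO 'appuser'@'192.0.2.10'
   IDENTIFIED BY '<strong-app-password>';

-- 5. Force that remote account onto MySQL's own SSL option.
GRANT USAGE ON *.* TO 'appuser'@'192.0.2.10' REQUIRE SSL;

FLUSH PRIVILEGES;

-- 6. Re-run the audit: the result set should now be empty.
SELECT user, host
  FROM mysql.user
 WHERE host = '%' OR password = '';
```

Network exposure is handled outside SQL: `skip-networking` (or `bind-address=127.0.0.1`) in the `[mysqld]` section of my.ini/my.cnf stops the server listening on TCP port 3306 at all, alongside the firewall rule the Storm Center recommends.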
Go here for a one-page cheat-sheet explaining how to set up passwords and disable network access in mysql, adds the Storm Center: