Security Alert 01/27/2005
The UDF Worm is self-propagating code that finds MySQL servers running on Microsoft Windows with poor firewall and password security.
This worm does not exploit any bugs in MySQL. It does exploit poor security setups for firewalls and passwords.
This worm is Microsoft Windows specific; it is unlikely to infect any Linux or UNIX compatible environments.
The UDF Worm looks for MySQL servers running on Microsoft Windows that have been exposed to the internet and have either a weak password or no password on the account named "root". Once it finds such an account it installs a UDF, and then uses that machine to infect other machines.
To find out whether you are affected by UDF worm or not:
Run the following SQL statement: SELECT * FROM mysql.func;
If a UDF is found with a name of "app_result" then you have been infected with the worm.
You should look at all UDFs and determine whether or not they are legitimate. The worm is likely to mutate over time and will take on different UDF names.
If you are infected by UDF worm:
You may be able to remove the worm by running the following SQL statement:
DROP FUNCTION app_result;
Removing the worm does not secure a compromised machine. For one discussion of how to secure a compromised Microsoft Windows machine, please see this article.
To prevent the worm from connecting to your database you should verify that all of your current accounts have passwords and that they are strong passwords (i.e. not easily guessable).
And remember to use firewalls and strong passwords to protect your MySQL Servers.
Please consult your security advisors for the best way to protect your systems.
How to protect yourself from getting infected by UDF worm:
There are two basic steps to protect your MySQL Servers:
1. Always use strong passwords on all accounts.
2. Use firewalls to protect your MySQL Servers.
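The following SQL audit script is an added example, not part of the original advisory, covering the detection, removal and password checks described above. It assumes a MySQL 4.x/5.0-era server as the advisory targets, where mysql.func has the columns name, ret, dl and type and mysql.user stores hashes in the Password column (later versions use authentication_string), and a client session with privileges to read and modify the mysql database. The password value is a placeholder.

```sql
-- Added audit example (not part of the original advisory). Assumes a
-- MySQL 4.x/5.0-era server and a session with privileges on the mysql
-- database.

-- 1. Detection: list every registered UDF. The advisory's indicator is a
--    function named app_result, but any UDF you did not install yourself
--    deserves scrutiny, since the worm may appear under other names.
SELECT name, ret, dl, type FROM mysql.func;

-- Flag the known indicator directly (a non-zero count means infected).
SELECT COUNT(*) AS infected
  FROM mysql.func
 WHERE name = 'app_result';

-- 2. Removal of the known indicator, only after confirming it is not a
--    legitimate function of yours. Repeat for any other rogue UDF found.
DROP FUNCTION app_result;

-- 3. Hardening checks the advisory asks for: accounts with no password
--    at all, and root accounts reachable from any host.
SELECT User, Host
  FROM mysql.user
 WHERE Password = '' OR Password IS NULL;

SELECT User, Host
  FROM mysql.user
 WHERE User = 'root' AND Host = '%';

-- Set a strong password on each account found above (placeholder value),
-- and drop anonymous accounts, which have no password by definition.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('REPLACE-WITH-A-STRONG-PASSWORD');
DELETE FROM mysql.user WHERE User = '';
FLUSH PRIVILEGES;
```

Run the detection queries first and keep their output for your incident records; the DROP FUNCTION and password changes only make sense once you have confirmed which accounts and functions are legitimate. Removing the UDF does not undo anything else the worm may have done on the host, as the advisory notes, so treat a positive result as a compromised machine, not just a compromised database.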
To find out more about Windows security and firewalls, please refer to ARNIT Windows security tips at: http://www.arnit.net/security/sectips.php?platform=windows
