Re: [Full-Disclosure] spoolcll.exe - new worm being distributed via mysql vulnerability?

[stephane nasdrovisky <stephane.nasdrovisky@xxxxxxxxxxxxx>]

> > my firewall alerted me that a program called spoolcll.exe
> > the worm created a service called "evmon"
> >
> > The only information about this worm on google is a discussion at the
> > following url: 
> > http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
> > they are beginning to determin that it is being distributed via a hole
> > in mysql.
There is a slashdot.org article & comments. It looks like it exploits a 
few sysadmin brain vulnerabilities: weak password, bad practice. I guess 
the mysql vulnerability is required for copying&executing the bot.

http://it.slashdot.org/it/05/01/27/1546222.shtml?tid=220&tid=172&tid=95

*Don't keep the port open!* 
by hacker@xxxxxxxxxxxxxxx
99.99% of people who run MySQL run it on the same machine as their 
webserver that queries it. Most people don't actually do queries /across 
the network/ to the database server.
Just run MySQL with --skip-networking at startup (skip-networking in 
my.cnf), to disable MySQL from listening on port 3306.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html