It’s well known that we just don’t put services or devices on the edge of the Internet without strong purpose justification. Services, whether maintained by end-users or administrators, have a ton of security challenges. Databases belong to a group that often needs direct access to the Internet - no doubt that security requirements are a priority here. Bots are a well-known threat on the Internet. In this article, we will focus on the database sector, specifically MySQL, and one of the common and harmful threats that lurk on the Internet.

These lazy programs constantly check whether there is an available MySQL service on the standard TCP/3306 port. Lazy because, in our case, there were about 20-30 login attempts once per day or a few. After detecting an available database instance, the bot tries to bruteforce administrator credentials. The Internet scanner service binaryedge.io reports over 4.2 million available devices that have been recognized as a MySQL service.

To take a closer look at the situation, I created two MySQL and MariaDB servers in fairly new releases (one after another). I wanted to find out what techniques and methods attackers are currently using to escalate rights and take control of the server, and to find out their purpose. The honeypot was available for over a month on the standard TCP/3306 port with a fake root account and an easy-to-guess password. I configured the root account in such a way that the bot would not do any damage once logged in. Permissions on that account were very low but not minimal. Except for enabled event logging, the rest of the configuration was default. I also created a few databases (besides the standard 'mysql', 'test', etc.) along with tables to create a realistic production environment.

I didn’t observe many login attempts during the first period, until the honeypot IP was listed on Shodan in the “product:mysql” search results. I observed 24 unique IP addresses throughout the honeypot operation. During the analysis, it turned out that some addresses were related. For example, some addresses simply disappeared after a successful bruteforce, and then, after some time, a connection from a new IP managed to log in at the first attempt.

Yongger is a well-known bot that has been active on the Internet for many years. Yongger (in Chinese - brave) uses two methods, respectively for Windows and Linux servers.
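The lazy bruteforce and the address hand-off described above (one IP fails repeatedly, then a different IP logs in on its first try) leave a clear trace in the server's logs. The following Python is an added example, not code from the article or its author: it runs over constructed sample lines in a simplified MySQL log style (the 'Access denied' and 'Connect' wordings follow the server's own messages, but the lines, addresses, users and thresholds are all constructed here).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the honeypot in the article). Failed logins use the
# server's "Access denied" wording, successful logins the general log's "Connect" wording.
SAMPLE_LOG = """\
2024-03-01T02:10:01Z [Warning] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2024-03-01T02:10:03Z [Warning] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2024-03-01T02:10:05Z [Warning] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2024-03-01T02:10:07Z Connect root@198.51.100.7 on  using TCP/IP
2024-03-01T02:40:00Z [Warning] Access denied for user 'admin'@'192.0.2.55' (using password: YES)
2024-03-01T02:41:30Z Connect root@203.0.113.22 on  using TCP/IP
"""

DENIED = re.compile(r"^(\S+) \[Warning\] Access denied for user '([^']+)'@'([^']+)'")
CONNECT = re.compile(r"^(\S+) Connect (\w+)@(\S+) on")

def parse(log):
    """Return time-ordered (timestamp, user, ip, success) tuples; unknown lines are skipped."""
    events = []
    for line in log.splitlines():
        m, ok = DENIED.match(line), False
        if not m:
            m, ok = CONNECT.match(line), True
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), ok))
    return sorted(events)

def brute_force_sources(events, threshold=3):
    """IPs with at least `threshold` failed logins, mapped to their failure count."""
    failures = defaultdict(int)
    for _, _, ip, ok in events:
        if not ok:
            failures[ip] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}

def first_try_handoffs(events, window_hours=2):
    """Successful first-attempt logins from an IP that never failed, shortly after other
    IPs bruteforced the same account: the hand-off pattern observed on the honeypot."""
    window, seen, hits = timedelta(hours=window_hours), set(), []
    for ts, user, ip, ok in events:
        if ok and ip not in seen:
            prior = {e[2] for e in events if not e[3] and e[1] == user
                     and e[2] != ip and ts - window <= e[0] < ts}
            if prior:
                hits.append((ip, user, sorted(prior)))
        seen.add(ip)
    return hits
```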