Skip navigation links

MySQL Newsletter - Subscribe Today!

Security Alert

Delicious Digg StumbleUpon Reddit Twitter Facebook

Security Alert 01/27/2005

1. What is the UDF Worm?

The UDF Worm is self-propagating code that is finding MySQL servers running on Microsoft Windows with poor firewall and password security.

This worm does not exploit any bugs in MySQL. It does exploit poor security setups for firewalls and passwords.

This worm is Microsoft Windows specific; it is unlikely to infect any Linux or UNIX compatible environments.

2. What is a User Defined Function (UDF)?

A User Defined Function, often referred to as a UDF, is a part of the ANSI SQL-99 specification. This feature allows developers to create custom functions. It is a common feature among the major database products.

3. What does the UDF Worm do?

The UDF Worm looks for MySQL servers running on Microsoft Windows that have been exposed to the internet and have either weak or no passwords installed on the account named "root". Once it finds an account it installs a UDF, and then uses that machine to infect other machines.

4. How do I know if my MySQL installation has been infected?

Run the following SQL statement: SELECT * FROM mysql.func;

If a UDF is found with a name of "app_result" then you have been infected with the worm.

You should look at all UDFs and determine whether or not they are legitimate. The worm is likely to mutate over time and will take on different UDF names.

5. How do I disinfect my system?

You may be able to remove the worm by running the following SQL statement:

DROP FUNCTION app_result;

Removing the worm does not secure a compromised machine. For one discussion of how to secure a compromised Microsoft Windows machine, please see this article.

To prevent the worm from connecting to your database you should verify that all of your current accounts have passwords and that they are strong passwords (i.e. not easily guess-able).

And remember to use firewalls and strong passwords to protect your MySQL Servers.

Please consult your security advisors for the best way to protect your systems.

6. How do I protect my MySQL Servers on Microsoft Windows?

There are 2 basic steps to protect your MySQL Servers:

  1. Always use strong passwords on all accounts.
  2. Use firewalls to protect your MySQL Servers.

7. Is this a vulnerability on Microsoft Windows, Linux, or Unix?

This worm is Microsoft Windows specific; it is unlikely to infect any Linux or UNIX compatible environments.

Learn more about strong passwords and firewall setups for Microsoft Windows here: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_password_tips.mspx http://www.microsoft.com/athome/security/protect/firewall.mspx

8. What is MySQL AB doing about this?

We will continue to educate our users about security (strong passwords and firewalls) on Microsoft Windows.

9. What are others in the Open Source and security communities saying about this issue?

For more findings on the UDF Worm, see:
Handler's Diary (SANS Institute)
UNIRAS (UK Gov CERT) Alert

10. Where can I report my observations?

Please report all security issues using our feedback form



Last updated: Fri Jan 28 11:36:58 PST 2005