Have you, or your anti-virus software, noticed a file called ‘cna12.dll’ on your computer? Have you suddenly found that you have an imaginary friend called ‘piress’ whom you didn’t know about? If so, you may have fallen victim to a MySQL attack (and ‘piress’ may not be so imaginary, nor friendly for that matter).
What is MySQL?
MySQL is a database server, so basically it is an application used to store all sorts of different information. For instance, it can store information on what products a shop has in stock, along with the cost price, retail price, and quantity of each product. Information in a database can then be retrieved and displayed on web pages.
The MySQL software is now owned by Oracle.
Who is at risk?
If you are running a MySQL server on Windows, and your MySQL server is accessible from the Internet, then you are at risk. It then comes down to how strong your MySQL passwords are, and how secure your Windows and MySQL installations are.
Note that you may be running a MySQL server even though you didn’t explicitly install one, as other applications that you have installed may depend on it and have automatically installed it. For instance, the BigBrotherBot (B3) automated game server administration application requires MySQL.
The XAMPP (Apache, MySQL, PHP, and Perl) distribution contains MySQL and admits to being wide open security-wise. Given that they also state that phpMyAdmin is accessible via the network, attackers may have been exploiting that as well.
Windows users can tell if they have been infected by this particular attack by checking for a piress user, and by checking the MySQL plugin and bin folders for the file cna12.dll.
The location of the MySQL plugin and bin folders can vary between MySQL versions so if you don’t know where they are and think that you stand about as much chance of finding them as you do of finding your way home after a good night out on the town, you can get Windows to search for a file called cna12.dll. The process of finding files varies slightly between the different versions of Windows, so consult the Windows Help documentation if necessary.
Linux users can still be attacked; however, the attack won’t work because it was written for MySQL servers on a Windows platform. Linux users can tell if they have been a target of this attack by checking the /var/lib/mysql/mysql/ directory (which may differ between different Linux distributions/installations) as shown here:
root@hostname:...# cd /var/lib/mysql/mysql
root@hostname:/var/lib/mysql/mysql# ls -al *cna12*
-rw-rw-rw- 1 mysql mysql 3584 Nov 3 00:03 \usr\lib\mysql\plugin\\cna12.dll
root@hostname:/var/lib/mysql/mysql# md5sum -b *cna12*
\a922d55a873d4ad0bbbbbc8147a3a65a *\\usr\\lib\\mysql\\plugin\\\\cna12.dll
If you are having trouble finding the MySQL plugin directory on your Linux box, you can always search the whole system by issuing the following command (if it doesn’t display anything, then the file wasn’t found):
find / -iname \*cna12.dll\* -ls
In both cases (Windows and Linux), the time stamp of the file will tell you when you were last infected by this attack.
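The checks described above, scripted in Python as an added example (this is not code from the original post): it walks the folders you give it for any file whose name contains cna12.dll, reports size, timestamp and MD5 (comparing against the hash quoted in the Linux listing above, which is only one captured copy, so a different hash does not mean the file is harmless), and looks for a piress account in a user listing supplied as text, so it can be run against a saved `net user` or /etc/passwd dump as well as against the live system. The default search roots are assumptions; pass your own MySQL folders on the command line.

```python
"""Scan for the two indicators described in the post: files named cna12.dll
under the MySQL plugin/bin folders and a local user account called piress.
Added example, not part of the original post."""
import hashlib
import os
import subprocess
import sys
import time

# MD5 quoted in the post's Linux listing for one captured copy of cna12.dll.
# Other copies may differ, so a mismatch does not mean a file is clean.
KNOWN_CNA12_MD5 = "a922d55a873d4ad0bbbbbc8147a3a65a"


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_cna12(roots, needle="cna12.dll"):
    """Walk each root and return a dict for every file whose name contains
    the needle (case-insensitive) with its size, mtime and MD5. On Linux the
    planted file keeps its Windows-style backslash path as part of its file
    name, so a substring match is used rather than an exact name match."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if needle.lower() not in name.lower():
                    continue
                p = os.path.join(dirpath, name)
                st = os.stat(p)
                digest = md5_of(p)
                hits.append({
                    "path": p,
                    "size": st.st_size,
                    # The mtime is the "when was I last infected" clue the post mentions.
                    "mtime": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime)),
                    "md5": digest,
                    "matches_known": digest == KNOWN_CNA12_MD5,
                })
    return hits


def piress_in_user_list(user_listing):
    """True if an account named piress appears in a user listing. The listing
    is the text of 'net user' (Windows) or /etc/passwd (Linux), passed in as a
    string so the check also works on a saved dump."""
    for line in user_listing.splitlines():
        tokens = line.replace(":", " ").split()
        if "piress" in (t.lower() for t in tokens):
            return True
    return False


def local_user_listing():
    """Fetch the live user listing for this host."""
    if sys.platform.startswith("win"):
        return subprocess.run(["net", "user"], capture_output=True, text=True).stdout
    with open("/etc/passwd") as f:
        return f.read()


if __name__ == "__main__":
    # Assumed default locations; override by passing folders as arguments.
    if sys.argv[1:]:
        roots = sys.argv[1:]
    elif sys.platform.startswith("win"):
        roots = ["C:\\"]
    else:
        roots = ["/var/lib/mysql", "/usr/lib/mysql"]
    for hit in find_cna12(roots):
        print(hit)
    print("piress account present:", piress_in_user_list(local_user_listing()))
```

Run it with the MySQL plugin and bin folders as arguments; an empty list of hits and `False` for the piress check is the result you want to see.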
How does the attack work?
The attack involves breaking into your MySQL server by brute forcing, that is, repeatedly trying to guess, the root user’s password. The MySQL root user is the MySQL administrator, and is the MySQL equivalent of the Administrator user under Windows and of the root (funnily enough) user under Linux.
Once the password has been successfully guessed, the attack is able to use any MySQL commands as the MySQL administrator.
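As an added example (not part of the original post), a small detector for the password-guessing phase: it reads the MySQL error log, which records failed logins as warnings when log_warnings is set high enough to do so, and flags any source that fails repeatedly against the same account inside a short window. The log lines are constructed samples and the timestamp layout is an assumption about the MySQL 5.x-era error log format; adjust the regular expression to match your server’s log.

```python
"""Spot a password-guessing run against MySQL accounts in the server's error
log. Added example, not from the original post. Assumed line format:
  121103 00:02:55 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)
"""
import re
from collections import defaultdict
from datetime import datetime

DENIED = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)' \(using password: (?P<pw>YES|NO)\)"
)


def parse_denials(log_text):
    """Return one dict per 'Access denied' warning, with a parsed timestamp."""
    out = []
    for line in log_text.splitlines():
        m = DENIED.match(line.strip())
        if not m:
            continue
        ts = " ".join(m["ts"].split())  # collapse the double space used for 1-digit hours
        out.append({
            "ts": datetime.strptime(ts, "%y%m%d %H:%M:%S"),
            "user": m["user"],
            "host": m["host"],
        })
    return out


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {(user, host): max_failures_in_window} for every source that
    fails at least `threshold` logins for the same account inside any
    `window_seconds` span. A sliding window over the sorted timestamps keeps
    this linear in the number of failures per source."""
    by_key = defaultdict(list)
    for d in parse_denials(log_text):
        by_key[(d["user"], d["host"])].append(d["ts"])
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged


# Constructed sample: six root failures from one address in five seconds,
# plus an unrelated single failure that should not be flagged.
SAMPLE_LOG = """\
121103 00:02:51 [Note] /usr/sbin/mysqld: ready for connections.
121103 00:02:55 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)
121103 00:02:55 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)
121103 00:02:56 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)
121103 00:02:57 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)
121103 00:02:58 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)
121103 00:02:59 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)
121103 00:10:12 [Warning] Access denied for user 'webapp'@'10.0.0.5' (using password: YES)
"""

if __name__ == "__main__":
    for (user, host), n in find_bruteforce(SAMPLE_LOG).items():
        print("%s@%s: %d failed logins inside 60s" % (user, host, n))
```

A server that is not reachable from the Internet should never show a run like this from an outside address; if it does, the first of the four conditions discussed later in the post has already been met.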
What does the attack do?
The attack starts off by attempting to save the cna12.dll file to the MySQL plugin folder and to the MySQL bin folder. That file contains Windows program code that essentially adds functionality to the MySQL server. That is, it is a plugin that allows MySQL, or MySQL commands, to do things that it/they wouldn’t have otherwise been able to do.
cna12.dll is reasonably small (only 3,584 bytes) and doesn’t do much. However, what it does do is pretty serious because it gives the attacker the chance to pretty much run anything on your MySQL server, and the potential to use your server (and hence your files) with administrator privileges.
cna12.dll creates a new SQL (Structured Query Language) function called xpdl3(). SQL is a language that is commonly used to store and retrieve information from databases.
The xpdl3() function first creates a user account called piress, and adds that user to the Administrators group. This means that the attacker can now log on to your computer using the piress user and have administrator rights — that is, they will be able to do anything on that computer that you can do (assuming that you are an administrator).
The xpdl3() function then takes the URI (Uniform Resource Identifier) of a file, downloads it from the Internet, saves it as c:\isetup.exe, runs it on your server, and then deletes the downloaded isetup.exe file. A URI instructs applications on where to find a file on the Internet and how to fetch it, and it is what appears in the location bar of your web browser.
How can I recover from the attack?
This will be tricky, simply because the cna12.dll file allows the attacker to download and run any file that they want to. As such, you can’t be sure what has run on your computer after the cna12.dll file was loaded. Almost every different instance of this attack downloads a different malicious application.
Removing the piress user account and deleting the cna12.dll file(s) will be a good place to start, but apart from shutting the server down and checking each file on the disk against a known good copy, or for malicious content, the only way to be certain that your system is clean would be to rebuild it by reinstalling Windows and all the applications.
Scan your server with up-to-date anti-virus software and signatures. It may also be worth using a rootkit scanner. However, be on the look-out for fake anti-virus and rootkit scanners, which are merely trojans with malicious intent.
How can I protect myself from the attack?
There are quite a few conditions that need to be met in order for this attack to be successful:
- The MySQL server must be accessible from the Internet
- The root user’s password must be guessed
- The MySQL Windows account must be able to write to the MySQL program folders, namely its plugins and/or bin folder(s)
- The MySQL server must be able to access web servers on the Internet
I notice that part of the documentation for XAMPP admits to conditions 1 and 2 and warns you about it.
Accessible MySQL server
This is pretty obvious — an attacker can’t attack your system if they can’t get to it. As a good rule of thumb, you should only allow access to systems that actually need it. It is generally considered a bad idea to allow Internet access to your database and other servers which generally only store and process data.
Good design involves placing a user interface system, such as a web site, between the database server (or other back-end system(s)) and the Internet/users. Access to the database server can then be restricted to the web server.
The second reason that this attack was able to succeed was because it managed to guess a password. Make sure that ALL of your accounts have good passwords on them. By good, I mean passwords that aren’t easily guessable. This attack tried a long list of passwords to gain access to the root user’s account.
Be wary of default accounts, that is any account installed by the vendor/manufacturer. The user names and passwords of these accounts are often well-known, as an Internet search for the phrase default passwords will show.
Also watch out for test/dummy user accounts. These accounts are often given weak (easily guessable) passwords, and as such, can easily be a point of entry into your system(s).
Writeable program folders
The third reason that this attack was able to succeed was because it was able to write a file to the MySQL plugin folder. As a general rule, it is not a good idea to allow applications to have write permissions to their own folders, mainly for precisely this reason. If you think about it, if an application gets compromised, as the MySQL server did in this attack, and it can write to its own program folders, then it can modify or replace its own program files with malicious versions.
This is especially bad if the application supports plugins, which MySQL does, for reasons which are nicely demonstrated by this attack — the attack creates a malicious plugin and then runs it.
Internet access from the server
If a server such as your MySQL server has access to the Internet, then a successful attack can download further malicious content from the Internet and connect to other servers to infect them.
Not letting an Internet-accessible server connect out to the Internet for the same service that it provides goes a long way towards preventing an infection from spreading. It also makes a possible infection easier to spot, by detecting any unnecessary attempt by that server to access the Internet.
For instance, don’t allow your MySQL server to connect to other MySQL servers on the Internet. This is like knowing that the human influenza virus spreads by coughing and sneezing, and consequently covering your mouth when you cough and sneeze. By knowing how the virus spreads you can stop it from being able to do so.
Then, configure your firewall or other network equipment to alert you (or at least to log) any attempts made by your MySQL server to access other MySQL servers on the Internet. This is checking for signs of infection and, in a way, would be like testing the contents of your handkerchief/tissue after sneezing, for virus cells.
A better approach, of course, is to not allow your servers access to the Internet at all, other than for services which they actually need (like DNS for instance). If you can, provide such services internally or proxy them.
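To turn the conditions listed above into something you can check on a server, here is an added example (not from the post) in Python that reads a my.cnf/my.ini, inspects the [mysqld] group for network exposure (condition 1: no skip-networking and a bind-address that is absent, 0.0.0.0, :: or *) and tests whether the plugin_dir is group- or world-writable or owned by the MySQL service account (condition 3). Conditions 2 and 4 are not visible from the option file: the password has to be checked against policy and the egress restriction on the firewall. The two inline configurations are constructed samples.

```python
"""Check a MySQL option file and plugin folder against the conditions the
post lists for this attack. Added example, not from the original post."""
import configparser
import os
import stat

# Constructed samples: the weak one listens everywhere, the hardened one only
# on loopback (a web server on the same host would still reach it).
WEAK_CNF = """\
[mysqld]
bind-address = 0.0.0.0
plugin_dir = /tmp/example-plugin-dir
"""

HARDENED_CNF = """\
[mysqld]
bind-address = 127.0.0.1
plugin_dir = /tmp/example-plugin-dir
"""


def parse_mysqld_section(cnf_text):
    """Return the [mysqld] options as a dict (keys lower-cased, bare keys map
    to None). Real option files may carry !include / !includedir directives
    that configparser rejects, so those lines are dropped first."""
    cleaned = "\n".join(l for l in cnf_text.splitlines() if not l.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(cleaned)
    return dict(cp["mysqld"]) if cp.has_section("mysqld") else {}


def check_config(cnf_text, check_fs=True, service_uid=None):
    """Return a list of findings; an empty list means neither checked
    condition is met. `service_uid` is the uid the MySQL service runs as
    (Unix); when given, a plugin_dir owned by it is reported."""
    opts = parse_mysqld_section(cnf_text)
    findings = []

    # Condition 1: the server is reachable over the network at all.
    if "skip-networking" not in opts and "skip_networking" not in opts:
        bind = opts.get("bind-address", opts.get("bind_address"))
        if bind is None or bind.strip() in ("0.0.0.0", "::", "*"):
            findings.append("condition 1: mysqld listens on all interfaces (bind-address=%s)" % bind)

    # Condition 3: the server process can write into its own plugin folder.
    plugin_dir = opts.get("plugin_dir", opts.get("plugin-dir"))
    if check_fs and plugin_dir and os.path.isdir(plugin_dir):
        st = os.stat(plugin_dir)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("condition 3: plugin_dir %s is group/world writable" % plugin_dir)
        if service_uid is not None and st.st_uid == service_uid:
            findings.append("condition 3: plugin_dir %s is owned by the MySQL service account" % plugin_dir)
    return findings


if __name__ == "__main__":
    for label, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(label, check_config(cnf, check_fs=False) or ["no findings"])
```

On Windows the ownership test does not apply; check the ACL of the plugin and bin folders and make sure the account the MySQL service runs as has read and execute rights only.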
So, if you have found either cna12.dll or a user called piress on your system, then things don’t look good. Remove the piress user as soon as you can, as that user account will allow anyone who knows the password to log on to Windows as an administrator.
You should also find all instances (there may be more than one) of the cna12.dll file and delete them. Note that you may need to stop the MySQL server to do so.
The main problem with this attack is that you don’t know what the attacker has installed using cna12.dll or by using the piress user account created by cna12.dll. Consequently, the easiest way to recover from such an attack would probably be to rebuild your server. That is, reinstall Windows and any applications.
It is possible to check for changes and files left by any other malicious software which may have been installed, but this isn’t necessarily easy, especially if extra malicious applications were installed in order to hide the existence of malicious applications (read about rootkits).
I have not yet been able to analyse the malicious applications that the attack attempts to download, mainly because my lab setup wasn’t automatically detecting and extracting them. I recently tweaked it so that it will automatically detect and extract the malicious applications for future attacks of this type.
If you are interested, you can read my technical analysis of the attacks series.