Unsecured MySQL 'root'@'localhost' account accessed remotely?

A little background: We've just had our PBX system hacked. The server itself seems secure (no logged unauthorised console access - SSH etc), but somehow the hackers have managed to inject a new admin user into the PBX software (FreePBX, backed by MySQL). Apache logs imply that the hackers managed to add the user without using the web interface (or any exploit in the web interface).

Now, I have since discovered that MySQL was running without a root password (!!) and openly bound to the external IP address (Obviously, I have locked this down now). However, the only root level user in MySQL was 'root'@'localhost' and 'root'@'127.0.0.1', both of which should only have been accessible locally.

So, my question is this:

Is there a way of spoofing a connection to MySQL so that it will allow connection to the 'root'@'localhost' user from a remote IP address, WITHOUT running any other exploit locally?

For reference, the box is CentOS 5 (Linux 2.6.10) running MySQL 5.0.95.


Solution 1:

No.

MySQL will never log you in to a user with the localhost or 127.0.0.1 host specification if you aren't coming from the local system. Note that this also covers the auth bypass vulnerability, CVE 2012-2122; the password comparison might be tricked, but the host comparison is not.

You'd need something on the system to proxy off of to "trick" the source host checking. Something like phpmyadmin, or a load balancer like HAProxy running in front of the MySQL TCP port come to mind.
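To make the host-matching point concrete, here is an added example (not from the original answer or from MySQL's own source) that models how an account's host column is compared against a connecting client and then lists which accounts a given client could even attempt to authenticate as. The matching rules, the sample user rows and the client addresses are all assumptions constructed for illustration; real mysqld also considers socket connections and name resolution, which this simplified model ignores.

```python
import ipaddress
import re

# Constructed sample of mysql.user rows: (user, host, password_hash). Not real data.
SAMPLE_USERS = [
    ("root", "localhost", ""),                        # no password, local only
    ("root", "127.0.0.1", ""),                        # no password, local only
    ("asterisk", "%", "*CONSTRUCTED_HASH"),           # reachable from anywhere
    ("backup", "192.168.1.0/255.255.255.0", "*CONSTRUCTED_HASH"),
]


def host_matches(pattern, client_host, client_ip):
    """Simplified model (assumption) of MySQL account-host matching:
    exact hostname or IP, LIKE-style % and _ wildcards, or ip/netmask form."""
    if pattern == "":                     # an empty host column behaves like '%'
        return True
    if "/" in pattern:                    # e.g. 192.168.1.0/255.255.255.0
        net_ip, mask = pattern.split("/", 1)
        try:
            net = ipaddress.ip_network(f"{net_ip}/{mask}", strict=False)
            return ipaddress.ip_address(client_ip) in net
        except ValueError:
            return False
    if "%" in pattern or "_" in pattern:  # translate LIKE wildcards to a regex
        regex = "^" + "".join(
            ".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern
        ) + "$"
        return bool(re.match(regex, client_host, re.I)) or bool(re.match(regex, client_ip))
    return pattern.lower() == client_host.lower() or pattern == client_ip


def reachable_accounts(rows, client_host, client_ip):
    """(user, host) pairs whose host column admits this client at all.
    Host matching happens before any password check, so accounts not listed
    here cannot be logged into from that client, whatever the password."""
    return [(u, h) for u, h, _ in rows if host_matches(h, client_host, client_ip)]


def empty_password_accounts(rows):
    """Accounts with no password at all; dangerous whenever their host is reachable."""
    return [(u, h) for u, h, pw in rows if pw == ""]


if __name__ == "__main__":
    print("remote client:", reachable_accounts(SAMPLE_USERS, "attacker.example", "203.0.113.5"))
    print("local client: ", reachable_accounts(SAMPLE_USERS, "localhost", "127.0.0.1"))
    print("no password:  ", empty_password_accounts(SAMPLE_USERS))
```

Run against a real `SELECT user, host, password FROM mysql.user` listing, the same two checks show at a glance which accounts are both passwordless and reachable from outside the box.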

Solution 2:

The name root is created by default and is very well known. The literal value root does not have any significance in the MySQL privilege system. Hence there is no requirement to continue with the user name root.

You should change the root user name to something else so that the outside world will not be able to identify (guess) it easily; this will reduce hacking attempts.

For example: if you have a user root@localhost, which is well known to everyone, hackers will try to connect to it; you should change it to something specific like admin_db_name@localhost for better security.

Monitor a status variable called Aborted_connects periodically to know about refused connections to your MySQL server; it should be 0 after a Flush status; command and should not increase further.

show status like 'Aborted_connects';

Solution 3:

Does "no logged unauthorised access" include failed login attempts? If not, it could be CVE 2012-2122.

[...] when running in certain environments with certain implementations of the memcmp function, (MySQL) allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.