GEN:SID | 1:1775 |
Message | MYSQL root login attempt |
Summary | This event is generated when the user "root" logs in to a MySQL database from an external source.
|
Impact | Serious. An attacker may have gained superuser access to the system.
|
Detailed Information | This event is generated when someone using the name "root" logs in to a MySQL database.
The 'root' user may have access to all databases on the system, with full privileges to add users, delete data, add information, etc. This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
|
Affected Systems | |
Attack Scenarios | Simple. The user logs in with the username 'root', and full access is then granted to that user for all databases served by the MySQL daemon. The attacker may then continue to gain sensitive information from any database in the system.
|
Ease of Attack | Simple. This may be post-attack behavior and can be indicative of the successful exploitation of a vulnerable system.
|
Corrective Action | Ensure that this event was not generated by a legitimate session, then investigate the server for signs of compromise.
Look for other events generated by the same IP addresses.
|
Additional References | |
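
When triaging this event, the username and the origin of the session can be confirmed from a packet capture. The following is an added example, not part of the rule or its documentation: it parses a MySQL client login packet, extracts the username, and checks whether the source lies outside the home network. The `HOME_NET` ranges, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

CLIENT_PROTOCOL_41 = 0x0200  # capability bit: client speaks the 4.1+ protocol
# Assumption: address space treated as internal; adjust to the monitored site.
HOME_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def login_username(payload: bytes):
    """Return the username from a MySQL client login packet, or None."""
    if len(payload) < 4:
        return None
    body_len = int.from_bytes(payload[0:3], "little")  # 3-byte LE length
    seq = payload[3]                                    # 1-byte sequence id
    body = payload[4:4 + body_len]
    # The login packet answers the server greeting, so its sequence id is 1.
    if seq != 1 or len(body) != body_len or body_len < 5:
        return None
    caps = struct.unpack_from("<H", body, 0)[0]
    # 4.1+ layout: caps(4) max_packet(4) charset(1) filler(23), then username.
    # Older layout: caps(2) max_packet(3), then username.
    start = 32 if caps & CLIENT_PROTOCOL_41 else 5
    end = body.find(b"\x00", start)
    if end < 0:
        return None  # truncated or malformed: no NUL terminator
    return body[start:end].decode("utf-8", errors="replace")


def is_external_root_login(src_ip: str, payload: bytes) -> bool:
    """True when the packet is a login as 'root' from outside HOME_NET."""
    addr = ipaddress.ip_address(src_ip)
    external = not any(addr in net for net in HOME_NET)
    return external and login_username(payload) == "root"


def build_login(user: bytes, proto41: bool) -> bytes:
    """Construct a sample login packet (test data, not captured traffic)."""
    if proto41:
        body = struct.pack("<IIB", 0x8200, 1 << 24, 33) + b"\x00" * 23
    else:
        body = struct.pack("<H", 0x0485) + b"\x00\x00\x80"
    body += user + b"\x00"
    return len(body).to_bytes(3, "little") + bytes([1]) + body


if __name__ == "__main__":
    for ip, pkt in [("203.0.113.7", build_login(b"root", True)),
                    ("10.1.2.3", build_login(b"root", False)),
                    ("203.0.113.7", build_login(b"app", False))]:
        print(ip, login_username(pkt), is_external_root_login(ip, pkt))
```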