ET SCAN MYSQL 4.1 brute force root login attempt

This alert fires when a single external source sends five or more MySQL client authentication packets naming the "root" user to a server on TCP/3306 within 60 seconds, which suggests a brute-force or password-spraying attempt against the database superuser. MySQL is a widely used open-source relational database management system. The rule inspects the client's handshake response in the MySQL 4.1 wire protocol: it requires a packet sequence number of 1 in the 4-byte packet header (the client's reply to the server greeting) followed, 32 bytes later, by the NUL-terminated string "root" in the username field (the 32 bytes are 4 bytes of capability flags, 4 bytes of maximum packet size, 1 byte of character set and 23 reserved bytes). Because the match is on the plaintext username rather than on the server's reply, it does not depend on whether the password was correct: a legitimate application that connects as root, or a misconfigured monitoring agent retrying a bad credential, can trigger it as well. Clients that negotiate TLS (CLIENT_SSL) send the username inside the encrypted channel, and clients speaking the pre-4.1 protocol place the username at a different offset, so neither is seen by this rule.

Categories:

ID Number

4000483

Signature

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL 4.1 brute force root login attempt"; flow:to_server,established; content:"|01|"; offset:3; depth:4; content:"root|00|"; nocase; distance:32; within:5; threshold:type both,track by_src,count 5,seconds 60; reference:url,www.redferni.uklinux.net/mysql/MySQL-Protocol.html; reference:url,doc.emergingthreats.net/2002842; classtype:protocol-command-decode; sid:4000483; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
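The signature's content matching and threshold behaviour, re-implemented in plain Python as an added example (this is not part of the original rule page or of Emerging Threats' tooling) so the field offsets and the "5 hits in 60 seconds per source" logic can be checked offline. The packets are constructed in the script from the MySQL 4.1 handshake layout rather than captured; the capability-flag value, source addresses and timestamps are arbitrary, and the threshold type "both" is modelled as the engines document it: one alert per window per source, emitted when the count is reached, then silence until the window expires.

```python
import struct

# Parameters taken from the signature above.
THRESHOLD_COUNT = 5
THRESHOLD_SECONDS = 60


def build_handshake_response(username: bytes, seq: int = 1) -> bytes:
    """Construct a MySQL 4.1 client HandshakeResponse (constructed test data,
    not a capture). Wire layout: 3-byte little-endian payload length, 1-byte
    sequence id (1 for the client's reply to the server greeting), then
    4 bytes capability flags, 4 bytes max packet size, 1 byte charset,
    23 reserved zero bytes, NUL-terminated username, length-prefixed auth
    response. 4 + 4 + 1 + 23 = 32 bytes separate the sequence id from the
    username, which is where the rule's distance:32 comes from."""
    capability_flags = 0x0000A68D        # arbitrary 4.1-style flag set (assumption)
    auth_response = b"\x00" * 20         # placeholder for the 20-byte scramble reply
    body = struct.pack("<IIB", capability_flags, 16 * 1024 * 1024, 0x21)
    body += b"\x00" * 23
    body += username + b"\x00"
    body += bytes([len(auth_response)]) + auth_response
    header = struct.pack("<I", len(body))[:3] + bytes([seq & 0xFF])
    return header + body


def matches_content(payload: bytes) -> bool:
    """Replicate the two content matches of the signature.

    content:"|01|"; offset:3; depth:4;
        0x01 must appear in the window that starts at byte 3. The sequence-id
        byte is payload[3], so it is inside the window however depth is read.
    content:"root|00|"; nocase; distance:32; within:5;
        Relative to the end of the previous match: skip 32 bytes, and the
        5-byte pattern must lie entirely within the next 5 bytes."""
    window = payload[3:3 + 4]
    idx = window.find(b"\x01")
    if idx < 0:
        return False
    prev_end = 3 + idx + 1
    start = prev_end + 32
    region = payload[start:start + 5]
    return region.lower() == b"root\x00"      # nocase applies to the letters only


class ThresholdTracker:
    """threshold:type both,track by_src,count 5,seconds 60
    Alert once per window per source, only after `count` matching packets."""

    def __init__(self, count: int = THRESHOLD_COUNT, seconds: int = THRESHOLD_SECONDS):
        self.count, self.seconds = count, seconds
        self.state = {}                        # src -> (window_start, hits)

    def record(self, ts: float, src: str) -> bool:
        start, hits = self.state.get(src, (None, 0))
        if start is None or ts - start > self.seconds:
            start, hits = ts, 0                # window expired: start a new one
        hits += 1
        self.state[src] = (start, hits)
        return hits == self.count              # exactly one alert per window


def run_detection(events):
    """events: iterable of (timestamp, src_ip, payload), in time order.
    Returns the (timestamp, src_ip) pairs for which the rule would alert."""
    tracker = ThresholdTracker()
    alerts = []
    for ts, src, payload in events:
        if matches_content(payload) and tracker.record(ts, src):
            alerts.append((ts, src))
    return alerts


def sample_events():
    """Constructed traffic (not captured): one noisy source, one quiet source,
    one busy non-root client, a late retry, and a misdirected sequence-0 packet."""
    ev = []
    for i in range(6):                         # 10.0.0.5: six root attempts in 25 s
        user = b"ROOT" if i == 2 else b"root"  # one mixed-case attempt exercises nocase
        ev.append((100.0 + 5 * i, "10.0.0.5", build_handshake_response(user)))
    for i in range(3):                         # 10.0.0.9: only three attempts
        ev.append((110.0 + 10 * i, "10.0.0.9", build_handshake_response(b"root")))
    for i in range(10):                        # 10.0.0.7: many attempts, but not as root
        ev.append((100.0 + i, "10.0.0.7", build_handshake_response(b"app_user")))
    ev.append((400.0, "10.0.0.5", build_handshake_response(b"root")))  # window expired
    ev.append((101.0, "10.0.0.5", build_handshake_response(b"root", seq=0)))  # wrong seq
    return sorted(ev, key=lambda e: e[0])


if __name__ == "__main__":
    for ts, src in run_detection(sample_events()):
        print(f"t={ts:.0f} ET SCAN MYSQL 4.1 brute force root login attempt from {src}")
```

Only 10.0.0.5 alerts, once, on its fifth matching packet; the sixth packet in the same window and the retry at t=400 (a fresh window with a single hit) stay silent, as does the source trying a non-root account ten times. Swapping the constructed packets for payloads carved from a capture is enough to check a real event against the same logic.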

MITRE ATT&CK Technique

-

Severity

Medium

Recommendations/Investigative actions

Restrict where the root account may log in from. MySQL accounts are scoped by host, so root should exist only as root@'localhost' (or an equivalent local-only entry) and no root@'%' row should remain in mysql.user; remote administration, where unavoidable, should use a separate least-privileged account over TLS. Do not expose TCP/3306 to external networks at all where possible: bind the server to a local address or allow only specific source addresses through the firewall, and consider the connection_control plugin, which slows repeated failed logins from the same client. When investigating, first establish whether the source is a known client that has simply been misconfigured with root credentials, then check the server's error log or audit log for "Access denied" entries from that source and, above all, for a successful root login following the failures, which would indicate the brute force succeeded. Keep in mind that the rule matches only the plaintext handshake and only traffic from $EXTERNAL_NET to $SQL_SERVERS; an attacker already inside the network, or one connecting over TLS, will not produce this alert.