ET SCAN MYSQL MySQL Remote FAST Account Password Cracking

This alert fires when a single source sends at least 100 MySQL packets within one second to a server on port 3306 whose first payload byte is 0x11, the COM_CHANGE_USER command. COM_CHANGE_USER re-authenticates over an already established connection, so an attacker can test a new username/password pair with every packet instead of paying for a fresh TCP connection and handshake per guess, which is what makes this style of cracking "FAST". A sustained burst of these commands from one host is indicative of rapid MySQL account password guessing. Note that the content match (offset:3; depth:4) covers bytes 3 through 6 of the packet, so the sequence-id byte at offset 3 is inside the window as well as the command byte at offset 4; a packet with sequence id 17 would also count, which the 100-per-second threshold makes largely irrelevant in practice.

Categories:

ID Number

4000682

Signature

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL MySQL Remote FAST Account Password Cracking"; flow:to_server,established; content:"|11|"; offset:3; depth:4; threshold:type both,track by_src,count 100,seconds 1; reference:url,www.securityfocus.com/archive/1/524927/30/0/threaded; classtype:protocol-command-decode; sid:4000682; rev:5; metadata:created_at 2012_12_04, updated_at 2012_12_04;)
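The following is an added example, not code from the Emerging Threats rule set or from this page: a minimal MySQL client-packet parser, a re-implementation of the signature's content match (0x11 within bytes 3..6) and a re-implementation of its `threshold:type both,track by_src,count 100,seconds 1` logic, run over constructed sample traffic. The IP addresses, user names and packet contents are made up for the demonstration, and the COM_CHANGE_USER packet layout is simplified to the fields needed here.

```python
"""Added example (not part of the Emerging Threats rule or this page):
a minimal MySQL client-packet parser plus a re-implementation of the
signature's content match and its threshold logic, run over
constructed sample packets."""

COM_QUERY = 0x03
COM_CHANGE_USER = 0x11   # the |11| byte the signature looks for


def mysql_packet(payload: bytes, seq: int = 0) -> bytes:
    """Wrap a payload in a MySQL packet header: 3-byte little-endian
    length followed by a 1-byte sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq & 0xFF]) + payload


def change_user_packet(user: bytes, auth_response: bytes, db: bytes = b"",
                       seq: int = 0) -> bytes:
    """Constructed COM_CHANGE_USER packet (simplified field layout:
    command, NUL-terminated user, length-prefixed auth response,
    NUL-terminated schema, 2-byte character set)."""
    payload = (bytes([COM_CHANGE_USER]) + user + b"\x00"
               + bytes([len(auth_response)]) + auth_response
               + db + b"\x00" + b"\x21\x00")
    return mysql_packet(payload, seq)


def parse_mysql_packet(data: bytes):
    """Return (payload_len, seq_id, payload) for a raw client packet."""
    if len(data) < 4:
        raise ValueError("packet shorter than the 4-byte header")
    length = int.from_bytes(data[0:3], "little")
    return length, data[3], data[4:4 + length]


def rule_matches(data: bytes) -> bool:
    """content:"|11|"; offset:3; depth:4 -> 0x11 anywhere in bytes 3..6.
    Byte 4 is the command byte, so COM_CHANGE_USER matches; byte 3 (the
    sequence id) is also inside the window, so sequence id 17 matches too."""
    return COM_CHANGE_USER in data[3:7]


def detect_fast_cracking(events, count=100, seconds=1.0):
    """events: time-ordered iterable of (timestamp, src_ip, raw_packet).
    Emits (timestamp, src_ip) once per `seconds` window when a single
    source sends `count` matching packets, mirroring threshold type both
    with track by_src."""
    windows = {}   # src_ip -> [window_start, matches_in_window, already_alerted]
    alerts = []
    for ts, src, data in events:
        if not rule_matches(data):
            continue
        w = windows.get(src)
        if w is None or ts - w[0] >= seconds:
            w = windows[src] = [ts, 0, False]
        w[1] += 1
        if w[1] >= count and not w[2]:
            alerts.append((ts, src))
            w[2] = True
    return alerts


def build_sample_events():
    """Constructed traffic: one host re-authenticating 150 times in half
    a second (and again after a pause), and a legitimate host doing a
    handful of change-user calls mixed with ordinary queries."""
    attacker, legit = "203.0.113.5", "198.51.100.7"   # made-up addresses
    events = []
    for i in range(150):
        guess = bytes([i % 256]) * 20
        events.append((10.0 + i * 0.005, attacker,
                       change_user_packet(b"root", guess)))
    for i in range(3):
        events.append((10.2 + i * 0.1, legit,
                       change_user_packet(b"app", b"\x7f" * 20, b"orders")))
        events.append((10.25 + i * 0.1, legit,
                       mysql_packet(bytes([COM_QUERY]) + b"SELECT 1")))
    for i in range(120):
        events.append((12.0 + i * 0.004, attacker,
                       change_user_packet(b"admin", bytes([i]) * 20)))
    events.sort(key=lambda e: e[0])
    return events


def run_demo():
    return detect_fast_cracking(build_sample_events())


if __name__ == "__main__":
    for ts, src in run_demo():
        print(f"{ts:.3f} ET SCAN MYSQL fast password cracking from {src}")
```

With the constructed traffic the detector raises one alert for the attacking host at the 100th COM_CHANGE_USER packet of each burst and stays quiet for the remainder of that one-second window, which is the "type both" behaviour: the 50 extra packets in the first burst do not produce a second alert, while the second burst starts a new window and alerts again. The legitimate host's three change-user calls never reach the count.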

Severity

High

Recommendations/Investigative actions

Identify the traffic source and block further access from the offending IP to the MySQL server. Because this technique reuses a single established connection, also kill the offending session on the server (the attacker's connection is visible in SHOW PROCESSLIST) rather than relying on per-connection limits alone. Restrict port 3306 to trusted hosts where possible (firewall rules, bind-address, and host-restricted accounts), and review the server logs for repeated access-denied errors from the source to determine whether any guess eventually succeeded. Configure the MySQL server to lock accounts after multiple failed login attempts, reducing the risk of successful brute-force attacks: MySQL 8.0.19 and later support the FAILED_LOGIN_ATTEMPTS and PASSWORD_LOCK_TIME options on CREATE USER and ALTER USER, and earlier releases can use the connection_control plugin, which adds an increasing delay after successive failed attempts.