Connect with us

Hi, what are you looking for?


Cloud Security

MySQL Servers, Docker Hosts Infected With DDoS Malware

Researchers warn attackers are targeting MySQL servers and Docker hosts to plant malware capable of launching distributed DDoS attacks.

Attackers are targeting MySQL servers and Docker hosts to plant malware capable of launching distributed denial-of-service (DDoS) attacks, according to a warning from researchers at the AhnLab Security Emergency Response Center.

According to AhnLab, attacks targeting MySQL on Windows have increased in frequency with vulnerable MySQL servers infected with ‘Ddostf’, a DDoS-capable botnet of Chinese origin that has been around since at least 2016.

Malicious attackers, AhnLab warns, scan the internet for publicly-accessible MySQL servers using the TCP port 3306, and then attempt to compromise them either using weak credentials or exploiting known vulnerabilities.

The attackers then upload a malicious DLL as a UDF (User-Defined Function) library, which allows them to execute commands on the infected system and to deploy and execute the Ddostf malware.

Targeting both Linux and Windows environments, Ddostf achieves persistence and then collects system information and sends it to the command-and-control (C&C) server. It then waits for commands to launch DDoS attacks such as SYN, UDP, and HTTP GET/POST floods.

“Although most of the commands supported by Ddostf are similar to those from typical DDoS bots, a distinctive feature of Ddostf is its ability to connect to a newly received address from the C&C server and execute commands there for a certain period,” AhnLab explained.

The malware appears to be designed solely for launching DDoS attacks and the researchers believe the threat actor is operating a DDoS-for-hire service.

OracleIV DDoS-capable malware

Advertisement. Scroll to continue reading.

Separately, Cado Security is warning in a new report that Docker hosts are being targeted with the OracleIV DDoS-capable malware, via the Docker Engine API, an HTTP API served by Docker Engine.

Attackers are scanning for publicly-exposed instances of the Docker Engine API to deploy a malicious container that hosts Python malware compiled as an ELF executable.

According to Cado, the accidentally exposed Docker Engine API instances have been a popular target for attackers in recent years, especially for deploying cryptocurrency miners. “Once a valid endpoint is discovered, it’s trivial to pull a malicious image and launch a container from it to carry out any conceivable objective. Hosting the malicious container in Dockerhub, Docker’s container image library, streamlines this process even further,” the company said.

Cado said it observed attackers making HTTP POST requests to retrieve a malicious image from Dockerhub and spawn a container from it. The malicious Docker image, Cado says, has over 3,000 pulls and appears to be updated regularly.

Baked within the image, OracleIV supports commands for UDP, UDP_PPS, SSL, SYN, HTTP/GET, and SLOW flood attacks, although some of the functions are not working.

Related: Organizations Respond to HTTP/2 Zero-Day Exploited for DDoS Attacks

Related: CISA Releases Guidance on Adopting DDoS Mitigations

Related: US Seizes Domains of 13 DDoS-for-Hire Services

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.