Rule:

--
Sid:
1775

--
Summary:
This event is generated when the user "root" logs in to a MySQL database from an external source.

--
Impact:
Serious. An attacker may have gained superuser access to the system.

--
Detailed Information:
This event is generated when someone using the name "root" logs in to a MySQL database. The 'root' user may have access to all databases on the system, with full privileges to add users, delete data, add information, etc. This connection can either be a legitimate remote login or the result of spawning a remote shell as a consequence of a successful network exploit.

--
Attack Scenarios:
Simple. The user logs in with the username 'root'; full access is then granted to that user for all databases served by the MySQL daemon. The attacker may then continue to gain sensitive information from any database in the system.

--
Ease of Attack:
Simple. This may be post-attack behavior and can be indicative of the successful exploitation of a vulnerable system.

--
False Positives:
This event may be generated by a database administrator logging in as the root user from a location outside the protected network.

--
False Negatives:
None known.

--
Corrective Action:
Ensure that this event was not generated by a legitimate session, then investigate the server for signs of compromise. Look for other events generated by the same IP addresses.

--
Contributors:
Sourcefire Research Team
Brian Caswell
Nigel Houghton

--
Additional References:

--
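The detection this signature describes, as an added example written for this page (it is not the Snort rule itself and not Sourcefire code): the client's MySQL login packet (HandshakeResponse) is parsed to recover the username, and a "root" login is flagged when the source address lies outside a set of trusted networks. The packet layouts follow the documented MySQL client/server protocol (2-byte capabilities and 3-byte max packet size for the pre-4.1 protocol; 4-byte capabilities, 4-byte max packet size, 1-byte charset and 23 reserved bytes when CLIENT_PROTOCOL_41 is set), but the sample packets, the trusted-network list and the function names are constructed for illustration.

```python
import ipaddress
import struct
from typing import Optional

# Capability bit that selects the 4.1+ HandshakeResponse layout.
CLIENT_PROTOCOL_41 = 0x0200

# Assumption: networks from which a root login is considered "internal"
# (the analogue of Snort's $HOME_NET / $SQL_SERVERS variables).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]


def parse_login_username(packet: bytes) -> Optional[str]:
    """Return the username from a MySQL client HandshakeResponse, or None
    if the bytes do not look like one (too short, bad length, no terminator)."""
    if len(packet) < 4:
        return None
    length = int.from_bytes(packet[0:3], "little")   # 3-byte payload length
    seq = packet[3]                                   # sequence id (1 for the login reply)
    body = packet[4:4 + length]
    if seq != 1 or len(body) < length or length < 5:
        return None
    caps_low = struct.unpack_from("<H", body, 0)[0]
    if caps_low & CLIENT_PROTOCOL_41:
        offset = 4 + 4 + 1 + 23        # caps, max packet, charset, reserved
    else:
        offset = 2 + 3                 # caps, max packet (pre-4.1 layout)
    end = body.find(b"\x00", offset)   # username is NUL-terminated
    if end == -1:
        return None
    return body[offset:end].decode("latin-1")


def classify_login(src_ip: str, packet: bytes, trusted_nets=TRUSTED_NETS) -> str:
    """Apply the sid:1775 logic: root login from an untrusted source is an alert;
    root from a trusted source is worth a review; anything else passes."""
    user = parse_login_username(packet)
    if user is None:
        return "not-a-login"
    addr = ipaddress.ip_address(src_ip)
    external = not any(addr in net for net in trusted_nets)
    if user == "root" and external:
        return "ALERT sid:1775 MYSQL root login attempt from external source"
    if user == "root":
        return "root login from trusted network (review)"
    return "ok"


# --- constructed sample packets (not captured traffic) ---

def build_old_protocol_login(user: bytes) -> bytes:
    # 2-byte caps (0x0485: CLIENT_PROTOCOL_41 not set), 3-byte max packet, user, NUL
    body = b"\x85\x04" + b"\x00\x00\x80" + user + b"\x00"
    return len(body).to_bytes(3, "little") + b"\x01" + body


def build_41_login(user: bytes) -> bytes:
    caps = 0x000FA68D                     # typical client caps incl. CLIENT_PROTOCOL_41
    body = struct.pack("<IIB", caps, 1 << 24, 0x21) + b"\x00" * 23 + user + b"\x00"
    body += b"\x00"                       # empty auth-response (constructed, no password)
    return len(body).to_bytes(3, "little") + b"\x01" + body


OLD_ROOT = build_old_protocol_login(b"root")
NEW_ROOT = build_41_login(b"root")
NEW_APP = build_41_login(b"appuser")

if __name__ == "__main__":
    for src, pkt in [("203.0.113.7", OLD_ROOT), ("203.0.113.7", NEW_ROOT),
                     ("10.1.2.3", NEW_ROOT), ("203.0.113.7", NEW_APP)]:
        print(src, parse_login_username(pkt), "->", classify_login(src, pkt))
```

The trusted-network check is what turns "root logged in" into "root logged in from an external source"; the same parse on a login from a trusted address yields the review-only verdict, which mirrors the false-positive note above about administrators connecting from outside the protected network.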