Introduction
We recently began scanning for accessible MySQL server instances on port 3306/TCP. These are instances that respond to our MySQL connection request with a Server Greeting. Surprisingly to us, we found around 2.3M IPv4 addresses responding with such a greeting to our queries. Even more surprisingly, we found over 1.3M IPv6 devices responding as well (though mostly associated with a single Autonomous System).
IPv4 and IPv6 scans together uncover 3.6M accessible MySQL servers worldwide.
While we do not check for the level of access possible or exposure of specific databases, this kind of exposure is a potential attack surface that should be closed.
Data on the accessible MySQL instances is shared in the Accessible MySQL Server Report.
How we scan
We scan by issuing a MySQL connection request on port 3306/TCP and collecting the responses that contain a MySQL Server Greeting. This includes both TLS and non-TLS responses. We do not perform any intrusive checks to discover what level of access to any databases is possible.
Aside from all of IPv4 space, we also scan IPv6 based on hitlists collected from various sources.
You can replicate our query with an nmap mysql-info scan: https://nmap.org/nsedoc/scripts/mysql-info.html
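To show what separates a Server Greeting (with or without TLS support) from an er_host_not_privileged refusal on the wire, here is an added example that is not our scanner's code: a parser for the first packet a MySQL server sends. The sample packets are constructed, and the names parse_first_packet, frame, greeting and SAMPLES are chosen for this illustration.

```python
import struct
CLIENT_SSL = 0x0800            # capability flag in the greeting: TLS supported
ER_HOST_NOT_PRIVILEGED = 1130  # error code sent when the client host is refused

def parse_first_packet(data: bytes) -> dict:
    """Classify the first packet a MySQL server sends after the TCP connect."""
    if len(data) < 5:
        return {"kind": "not_mysql"}
    length = int.from_bytes(data[:3], "little")   # 3-byte length, 1-byte sequence id
    payload = data[4:4 + length]
    if length == 0 or len(payload) < length:
        return {"kind": "truncated"}
    if payload[0] == 0xFF and length >= 3:         # ERR packet: connection refused
        code = struct.unpack_from("<H", payload, 1)[0]
        msg = payload[3:]
        if msg[:1] == b"#":                        # optional SQLSTATE marker + 5 chars
            msg = msg[6:]
        kind = "denied" if code == ER_HOST_NOT_PRIVILEGED else "error"
        return {"kind": kind, "code": code, "message": msg.decode("utf-8", "replace")}
    if payload[0] == 10:                           # protocol version 10 Server Greeting
        end = payload.find(b"\x00", 1)             # version string is NUL-terminated
        caps_off = end + 1 + 4 + 8 + 1             # skip thread id, salt part 1, filler
        if end == -1 or len(payload) < caps_off + 2:
            return {"kind": "truncated"}
        caps = struct.unpack_from("<H", payload, caps_off)[0]
        version = payload[1:end].decode("ascii", "replace")
        return {"kind": "greeting", "version": version, "tls": bool(caps & CLIENT_SSL)}
    return {"kind": "not_mysql"}

def frame(payload: bytes) -> bytes:
    """Wrap a payload in the MySQL packet header (sequence id 0)."""
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

def greeting(version: bytes, caps_low: int) -> bytes:
    """Constructed greeting: fields up to the lower capability flags, then filler."""
    body = b"\x0a" + version + b"\x00" + struct.pack("<I", 42) + b"saltsalt" + b"\x00"
    return frame(body + struct.pack("<H", caps_low) + b"\x21\x02\x00" + bytes(15))

# Constructed samples (not captured traffic); 192.0.2.10 is a documentation address.
SAMPLES = {
    "tls": greeting(b"8.0.23", 0xFFFF),
    "plain": greeting(b"5.5.68-mariadb", 0xF7FF),
    "denied": frame(b"\xff" + struct.pack("<H", 1130)
                    + b"Host '192.0.2.10' is not allowed to connect to this MySQL server"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, parse_first_packet(raw))
```

A "greeting" result corresponds to the accessible population counted in the Results below, while "denied" servers count only toward the total population.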
Results
Total MySQL population found (i.e. includes both those that deny a connection – er_host_not_privileged – and those that allow for one):
IPv4: we find a total population of MySQL servers on port 3306/TCP to be 3,957,457 (scan from 2022-05-26).
IPv6 (hitlist-based scanning): we find a total population of MySQL servers responding on port 3306/TCP to be 1,421,010 (scan from 2022-05-26).
Total accessible MySQL servers found (i.e. those that allow for a connection and respond with a Server Greeting):
IPv4: we find 2,279,908 MySQL servers on port 3306/TCP responding with a Server Greeting (scan from 2022-05-26).
1,117,659 have TLS support, 1,163,249 do not.
IPv6: we find 1,343,993 MySQL servers on port 3306/TCP responding with a Server Greeting (scan from 2022-05-26).
38,198 have TLS support, 1,307,795 do not.
Overall, 67% of all MySQL services found are accessible from the Internet (IPv4 and IPv6).
Accessible IPv4 MySQL server country breakdown
Most accessible IPv4 MySQL servers by country are as follows: United States (740.1K), China (296.3K), Poland (207.8K) and Germany (174.9K).
Accessible IPv6 MySQL server country breakdown
Most accessible IPv6 MySQL servers by country are as follows: United States (460.8K), Netherlands (296.3K), Singapore (218.2K) and Germany (173.7K).
Please note that for IPv6, the vast majority are in a single AS.
MySQL Top 10 IPv4 version breakdown:
Version | Count |
---|---|
5.7.33-36 | 150600 |
5.6.41-84.1 | 92834 |
5.7.23-23 | 69627 |
5.7.38-0ubuntu0.18.04.1 | 59333 |
5.6.51-cll-lve | 58825 |
8.0.23 | 57148 |
5.5.68-mariadb | 55401 |
5.6.50-log | 54574 |
5.5.5-10.1.48-mariadb | 40853 |
5.7.33-log | 35809 |
MySQL IPv6 version breakdown:
Version | Count |
---|---|
5.5.5-10.5.12-mariadb-cll-lve | 908128 |
5.7.37-40-log | 147072 |
5.5.5-10.5.13-mariadb-cll-lve | 125320 |
5.5.5-10.5.15-mariadb-cll-lve | 72856 |
8.0.27-18 | 20838 |
5.5.5-10.3.32-mariadb-log | 11121 |
5.7.35-38 | 6640 |
5.5.5-10.5.15-mariadb-cll-lve-log | 3435 |
5.7.23-cll-lve | 2085 |
5.7.33-cll-lve | 1993 |
Mitigation
It is unlikely that you need your MySQL server to allow external connections from the Internet (and thus present a possible external attack surface). If you do receive a report on your network/constituency, take action to filter out traffic to your MySQL instance and make sure to implement authentication on the server.
MySQL has a MySQL 5.7 Secure Deployment Guide and MySQL 8.0 Secure Deployment Guide.
Subscribe to get free data on accessible MySQL instances in your network or constituency!
Details about the format of the new report being shared can be found in the Accessible MySQL Server report. If you are an existing subscriber you will get the report daily should any IP be found in your network/constituency. This applies to both the IPv4 and IPv6 versions of the reports.
If you are not already a subscriber to Shadowserver’s public benefit daily network reports and would like to receive this new report and our other existing report types (covering not just other scan results, but observations from sinkholes, honeypots, darknets, sandboxes, blocklists and other sources), then please sign up to our free daily public benefit network remediation feed service.
For more information on our scanning efforts, check out our Internet scanning summary page.
For any questions, please contact us.