HIGH: Accessible MySQL Server Report

DESCRIPTION LAST UPDATED: 2023-12-16

DEFAULT SEVERITY LEVEL: HIGH

Introduction

This report identifies accessible MySQL server instances on port 3306/TCP.  These are instances that respond to our request with a Server Greeting.

How we scan 

We scan by issuing a MySQL connection request on port 3306/TCP and collecting server responses that respond with a MySQL Server Greeting. This includes both TLS and non-TLS responses. We do not perform any intrusive checks to discover the level of access to any databases that is possible.

Aside from all of IPv4 space, we also scan IPv6 based on hitlists.

You can replicate our query with an nmap mysql-info scan: https://nmap.org/nsedoc/scripts/mysql-info.html

Dashboard

You can track latest MySQL scan results on the Shadowserver Dashboard.

Mitigation

It is unlikely that you need to have your MySQL server allowing for external connections from the Internet (and thus a possible external attack surface). If you do receive a report on your network/constituency take action to filter out traffic to your MySQL instance and make sure to implement authentication on the server.

MySQL has a MySQL 5.7 Secure Deployment Guide and  MySQL 8.0 Secure Deployment Guide.

This scan was first announced in a blog on 2022-05-31 titled “Over 3.6M exposed MySQL servers on IPv4 and IPv6”.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

Filenames: scan_mysql, scan6_mysql

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol of the MySQL response (always TCP)
  • port
    Port that is being queried (3306)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Tag set to "mysql"
  • version
    Version information if any
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • mysql_protocol_version
    MySQL protocol version
  • server_version
    MySQL server version
  • error_code
    Error code returned, if any
  • error_id
    Error id returned
  • error_message
    Error message returned
  • client_can_handle_expired_passwords
    Can handle expired passwords (Y/N)
  • client_compress
    Supports compression (Y/N)
  • client_connect_attrs
    Permits connection attributes (Y/N)
  • client_connect_with_db
    Supports schema-name in handshake response packet (Y/N)
  • client_deprecated_eof
    Can send OK after a Text Resultset (Y/N)
  • client_found_rows
    Send found rows instead of affected rows in EOF_Packet (Y/N)
  • client_ignore_sigpipe
    Do not issue SIGPIPE if network failures occur (Y/N)
  • client_ignore_space
    Parser ignores spaces before '(' (Y/N)
  • client_interactive
    Interactive client support (Y/N)
  • client_local_files
    LOCAL INFILE request of LOAD DATA|XML (Y/N)
  • client_long_flag
    Supports longer flags (Y/N)
  • client_long_password
    Use the improved version of Old Password Authentication (Y/N)
  • client_multi_results
    Handle multiple resultsets for COM_QUERY (Y/N)
  • client_multi_statements
    Handle multiple statements per COM_QUERY and COM_STMT_PREPARE (Y/N)
  • client_no_schema
    Do not permit database.table.column (Y/N)
  • client_odbc
    Special handling of ODBC behavior (Y/N)
  • client_plugin_auth
    Supports the pluggable authentication protocol (Y/N)
  • client_plugin_auth_len_enc_client_data
    Length-encoded integer for auth response data in Protocol::HandshakeResponse41 (Y/N)
  • client_protocol_41
    Supports authentication plugins (Y/N)
  • client_ps_multi_results
    Can send multiple resultsets for COM_STMT_EXECUTE (Y/N)
  • client_reserved
    Not used
  • client_secure_connection
    Supports Authentication::Native41 (Y/N)
  • client_session_track
    Send session-state change data after a OK packet (Y/N)
  • client_ssl
    Supports SSL (Y/N)
  • client_transactions
    Send status flags in EOF_Packet (Y/N)
  • handshake
    The highest SSL handshake that could be negotiated (TLSv1.2, TLSv1.1, TLSv1.0, SSLv3)
  • cipher_suite
    The highest CipherSuite that was able to be negotiated
  • cert_length
    Certificate Key Length (1024 bit, 2048 bit, etc)
  • subject_common_name
    The Common Name (CN) of the SSL certificate
  • issuer_common_name
    The Common Name of the entity that signed the SSL certificate
  • cert_issue_date
    Date when the SSL certificate became valid
  • cert_expiration_date
    Date when the SSL certificate expires
  • sha1_fingerprint
    SHA1 fingerprint of certificate
  • cert_serial_number
    Certificate serial number
  • ssl_version
    SSL/TLS version
  • signature_algorithm
    Signature algorithm used
  • key_algorithm
    Key algorithm used
  • subject_organization_name
    The subject organization name (ON) of the certificate
  • subject_organization_unit_name
    The organization unit name of the subject of the certificate
  • subject_country
    The country of the subject of the certificate
  • subject_state_or_province_name
    The state or province name of the subject of the certificate
  • subject_locality_name
    The locality name of the subject of the certificate
  • subject_street_address
    The street address of the subject of the certificate
  • subject_postal_code
    The postal code of the subject of the certificate
  • subject_surname
    The surname of the subject of the certificate
  • subject_given_name
    The given name of the subject of the certificate
  • subject_email_address
    The e-mail address of the subject of the certificate
  • subject_business_category
    The business category of the subject of the certificate
  • subject_serial_number
    Serial number of the subject of the certificate
  • issuer_organization_name
    Issuing organization name
  • issuer_organization_unit_name
    Issuing organization unit name
  • issuer_country
    Country of issuer
  • issuer_state_or_province_name
    State or province of issuer
  • issuer_locality_name
    Locality of issuer
  • issuer_street_address
    Street address of issuer
  • issuer_postal_code
    Postal code of issuer
  • issuer_surname
    Surname of issuer
  • issuer_given_name
    Given name of issuer
  • issuer_email_address
    Email address of issuer
  • issuer_business_category
    Business category of issuer
  • issuer_serial_number
    Serial number of issuer
  • sha256_fingerprint
    SHA256 fingerprint of certificate
  • sha512_fingerprint
    SHA512 fingerprint of the certificate
  • md5_fingerprint
    MD5 fingerprint of certificate
  • cert_valid
    Is the certificate valid (Y/N)?
  • self_signed
    Is the certificate self-signed (Y/N)?
  • cert_expired
    Whether the cert has expired (Y/N)
  • validation_level
    Certificate validation level, e.g. DV, OV, EV
  • browser_trusted
    Browser trusted certificate (Y/N)?
  • browser_error
    Browser certificate errors encountered when scanning
  • raw_cert
    Copy of raw certificate
  • raw_cert_chain
    Copy of raw certificate chain

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","hostname_source","sector","mysql_protocol_version","server_version","error_code","error_id","error_message","client_can_handle_expired_passwords","client_compress","client_connect_attrs","client_connect_with_db","client_deprecated_eof","client_found_rows","client_ignore_sigpipe","client_ignore_space","client_interactive","client_local_files","client_long_flag","client_long_password","client_multi_results","client_multi_statements","client_no_schema","client_odbc","client_plugin_auth","client_plugin_auth_len_enc_client_data","client_protocol_41","client_ps_multi_results","client_reserved","client_secure_connection","client_session_track","client_ssl","client_transactions","handshake","cipher_suite","cert_length","subject_common_name","issuer_common_name","cert_issue_date","cert_expiration_date","sha1_fingerprint","cert_serial_number","ssl_version","signature_algorithm","key_algorithm","subject_organization_name","subject_organization_unit_name","subject_country","subject_state_or_province_name","subject_locality_name","subject_street_address","subject_postal_code","subject_surname","subject_given_name","subject_email_address","subject_business_category","subject_serial_number","issuer_organization_name","issuer_organization_unit_name","issuer_country","issuer_state_or_province_name","issuer_locality_name","issuer_street_address","issuer_postal_code","issuer_surname","issuer_given_name","issuer_email_address","issuer_business_category","issuer_serial_number","sha256_fingerprint","sha512_fingerprint","md5_fingerprint","cert_valid","self_signed","cert_expired","validation_level","browser_trusted","browser_error","raw_cert","raw_cert_chain"
"2010-02-10 00:00:00",high,192.168.0.1,tcp,3306,node01.example.com,mysql,,64512,ZZ,Region,City,0,certificate,,10,5.7.41-percona-sure1-log,1,1,1,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,N,N,N,TLSv1.2,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,2,sha256WithRSAEncryption,rsaEncryption,,,ZZ,,,,,,,,,,,,,,,,,,,,,,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,,Y,DV,,,,
"2010-02-10 00:00:01",high,192.168.0.2,tcp,3306,node02.example.com,mysql,,64512,ZZ,Region,City,0,certificate,"Retail Trade",10,5.5.5-10.4.30-MariaDB-log,1,1,1,Y,Y,Y,Y,Y,Y,Y,Y,N,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,N,N,N,TLSv1.2,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,2,sha256WithRSAEncryption,rsaEncryption,,,ZZ,,,,,,,,,,,,,,,,,,,,,,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,,Y,unknown,,,,
"2010-02-10 00:00:02",high,192.168.0.3,tcp,3306,node03.example.com,mysql,,64512,ZZ,Region,City,0,,,10,5.7.43-log,1,1,1,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,N,N,N,TLSv1.2,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,2,sha256WithRSAEncryption,rsaEncryption,,,ZZ,,,,,,,,,,,,,,,,,,,,,,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,,Y,unknown,,,,

Our 131 Report Types

« Back to Network Reporting