Millions of MySQL Servers Exposed

By Jack Wallen

More than 67% of all MySQL services have been found to be accessible from the internet.

The Shadow Server Foundation recently reported that over 3.6 million MySQL servers are publicly exposed. This started with the research group began scanning for accessible MySQL instances over port 3306. The results of their scan turned up 2.3 million IPv4 addresses and 1.3 million IPv6 addresses responded to the query. Those accessible servers responded with a Server Greeting.

Although the researchers did not check for the level of possible access or database exposure, this is still an important attack surface that must be closed. The most widely used version of MySQL with the vulnerable attack surface (associated with IPv4 addresses) was found to be 5.7.33-36, whereas the IPv6 addresses showed version 5.5.5-10.5.12 was the most widely accessible.

The most important thing admins can do to avoid potential issues is to disallow external connections from the internet to your MySQL server.

For anyone wanting to replicate their scans (to see if your MySQL servers can be accessed from the internet), you can use the nmap command, nmap -sV -sC SERVER (where SERVER is the IP address or domain of your MySQL server). It is also advisable that you always keep your MySQL servers up to date.