Rule:

--
Sid:
1776

--
Summary:
This event is generated when an attempt is made to use the MySQL 'show' command to garner a list of databases.

--
Impact:
Intelligence gathering. This may be the prelude to an attack against one of the databases or the MySQL daemon.

--
Detailed Information:
This event is generated when the MySQL command 'show' is used to garner a list of MySQL databases being served by the MySQL daemon. This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.

--
Attack Scenarios:
A MySQL implementation may inappropriately respond to connections from any host external to the protected network. The attacker may be able to query the daemon to gain a list of databases available, then continue to garner information from the databases.

--
Ease of Attack:
Simple.

--
False Positives:
This event may be generated by a legitimate user making a query to a MySQL daemon from an external source.

--
False Negatives:
None Known

--
Corrective Action:
Ensure that this event was not generated by a legitimate session, then investigate the server for signs of compromise.

Look for other events generated by the same IP addresses.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--
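
Added example, not part of the original rule documentation and not the Snort rule itself: a small triage script that parses reassembled, unencrypted client-to-server MySQL traffic, finds queries that start with 'show databases', and groups them by source address outside the protected network, as the Corrective Action section suggests. The function names, the protected range 10.0.0.0/8 and the sample traffic are assumptions constructed for illustration.

```python
import ipaddress
import re

COM_QUERY = 0x03  # MySQL command byte that introduces a text query
SHOW_DB = re.compile(rb"^\s*show\s+databases\b", re.IGNORECASE)

def iter_packets(stream: bytes):
    """Yield the payload of each complete MySQL packet in a byte stream."""
    pos = 0
    while pos + 4 <= len(stream):
        # Header: 3-byte little-endian payload length, 1-byte sequence id.
        length = int.from_bytes(stream[pos:pos + 3], "little")
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) < length:  # truncated capture: stop, do not guess
            return
        yield payload
        pos += 4 + length

def find_show_databases(stream: bytes):
    """Return the text of COM_QUERY packets that begin with 'show databases'."""
    return [p[1:].decode("latin-1").strip()
            for p in iter_packets(stream)
            if p and p[0] == COM_QUERY and SHOW_DB.match(p[1:])]

def is_external(src_ip: str, protected_nets) -> bool:
    """True when src_ip is outside every protected network."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in ipaddress.ip_network(n) for n in protected_nets)

def triage(events, protected_nets):
    """Map each external source IP to the matching queries it sent."""
    by_src = {}
    for src_ip, stream in events:
        hits = find_show_databases(stream)
        if hits and is_external(src_ip, protected_nets):
            by_src.setdefault(src_ip, []).extend(hits)
    return by_src

def _pkt(payload: bytes, seq: int = 0) -> bytes:
    """Frame a payload as one MySQL packet (used to build the sample)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

# Constructed sample traffic: (source IP, client-to-server bytes).
SAMPLE = [
    ("203.0.113.7", _pkt(b"\x03select 1") + _pkt(b"\x03SHOW  DATABASES")),
    ("10.0.0.5", _pkt(b"\x03show databases")),             # internal host
    ("198.51.100.9", _pkt(b"\x03select 'show databases'")),  # not a SHOW
]

if __name__ == "__main__":
    print(triage(SAMPLE, ["10.0.0.0/8"]))
```

Internal sources are filtered out here only to mirror the rule's external-to-server scope; drop the `is_external` check to review every session that lists databases.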