Lord777
Professional
MySQL is not ready for a new DDoS bot.
AhnLab has detected attacks on vulnerable MySQL servers using the Ddostf bot for DDoS attacks. Ddostf, first identified in 2016, supports both Windows and Linux and was supposedly developed in China. AhnLab observes constant attacks on MySQL servers running in a Windows environment.
The Ddostf DDoS bot has ELF format for Linux environments and PE format for Windows. A distinctive feature of Ddostf is the presence of the string "ddos.tf" in its binary code. At startup, Ddostf copies itself to the "%SystemRoot%" directory under a random name and registers itself as a service.
The Ddostf bot is installed via the MySQL service
After the first connection, the bot collects basic data from the infected device and transmits it to the Command and Control server (C2), which in response sends data, including the download URL and commands for certain DDoS attack methods.
Ddostf uses attack methods such as SYN flood, UDP flood, and HTTP GET/POST flood. In addition, Ddostf can establish a connection with new addresses received from the C2 server and execute commands within a certain time, which indicates the possibility of mass infection of systems and subsequent sale of DDoS attacks as a service.
Attackers usually use scanning to find potential targets, especially systems that expose port 3306/TCP, which is used by MySQL servers. Cybercriminals can then attack the system using brute-force attacks.
If the system does not properly manage user credentials, attackers can gain access to administrator accounts. Vulnerabilities in non-updated software versions can also be exploited.
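As an added defensive example that is not part of the post or of AhnLab's report: a Python sweep over a directory (by default %SystemRoot%, where the post says the bot drops a randomly named copy of itself) that flags PE or ELF files carrying the "ddos.tf" string the post names as the bot's distinctive marker. The sample files in `demo()` are constructed inline and are not real binaries.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Indicator taken from the post: the string "ddos.tf" embedded in the bot binary.
DDOSTF_MARKER = b"ddos.tf"
PE_MAGIC = b"MZ"          # Windows PE header starts with "MZ"
ELF_MAGIC = b"\x7fELF"    # Linux ELF header starts with 0x7f "ELF"


def classify_executable(data: bytes) -> Optional[str]:
    """Return 'PE', 'ELF' or None based on the file's magic bytes."""
    if data.startswith(PE_MAGIC):
        return "PE"
    if data.startswith(ELF_MAGIC):
        return "ELF"
    return None


def scan_for_ddostf(directory: str, max_size: int = 50 * 1024 * 1024) -> List[Tuple[str, str]]:
    """Walk `directory`; return (path, format) for PE/ELF files containing the marker.

    Text files mentioning the string are ignored: only executables are of interest.
    """
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue  # skip huge files; the bot drops a small standalone binary
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            fmt = classify_executable(data)
            if fmt and DDOSTF_MARKER in data:
                hits.append((path, fmt))
    return sorted(hits)


def demo() -> List[str]:
    """Build a constructed sample tree (hypothetical, not real malware) and return flagged names."""
    tmp = tempfile.mkdtemp()
    Path(tmp, "abcxyz.exe").write_bytes(PE_MAGIC + b"\x00" * 64 + b"http://ddos.tf/cmd" + b"\x00" * 64)
    Path(tmp, "svc").write_bytes(ELF_MAGIC + b"\x00" * 32 + b"ddos.tf" + b"\x00" * 32)
    Path(tmp, "notes.txt").write_bytes(b"ddos.tf mentioned in a text file, not an executable")
    Path(tmp, "clean.exe").write_bytes(PE_MAGIC + b"\x00" * 128)
    return [os.path.basename(p) for p, _ in scan_for_ddostf(tmp)]


if __name__ == "__main__":
    for path, fmt in scan_for_ddostf(os.environ.get("SystemRoot", ".")):
        print(f"[{fmt}] {path}")
```

A hit is a lead, not a verdict: confirm it by checking whether the file is registered as a service, as the post describes, before acting on it.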