– in ur mysql, checking ur… mysql.

Check out this website by Mark Wickendam.

Let it be said first up that I think this site is awesome. I lol’d hard, visited it again, lol’d hard again, and so on.

As one of the guys behind (a legit site and I suspect one of the butts of the joke made by MySQLCheck) I’d like to offer a brief counterpoint… I’m going to assume that this post will mostly get read by security folks so that is my intended audience (although I encourage your to read on even if you’re not…):

Here’s the deal… If your daemon/service/vulnerable-thingy is exposed to the public Internet the bad guys and their evil bots already know it’s there.

If for some reason the bad guys don’t know its there they are able to (and going to, especially after a juicy vulnerability like CVE-2012-2122 comes out) find it – and that without going to the hassle of building a malicious “test-thyself” website to harvest details. Sure, there is extra data that can be harvested and used to prfioritize targeting (think: a correlated .mil email with a vulnerability might receive special attention), but with it comes the extra effort of the build and a greatly multiplied risk of being caught.

There are much quicker way to collect targets… and you’ve saved yourself the hassle of marketing your damn website which you’ve built but no-one seems to be visiting.

If you have MySQL open to the public Internet you’ve automatically failed Infrastructure Security 101 and by extension you are likely not to fare too well in Patching 101. If, as an admin, you hear about a bug like this and your first response is to visit an untrusted third party website that you saw someone tweet about to assess your security posture then you are probably in need of some help…


That’s why I think these types of self-serve security audit sites are useful and have their place for ‘getting the word out to the admin who has no idea how big his problem is’.

These sites generate publicity around an issue that would otherwise stay inside the security echo chamber… mostly because they offer something for nothing (which, not coincidentally, is the same social phenomenon that scammers have learnt to leverage with great effect).

THAT SAID… I absolutely agree with Mark that there needs to be a better way to get this information into the hands of people who need it. RDPCheck was helped along with ‘attributed trust’ from the the spruiking it got from the tech media in .au and some reasonably credible Twitter types – but the simple fact is we could have been doing ANYTHING with that data…Food for thought.