Over 3.6 million exposed MySQL servers on IPv4 and IPv6

May 31, 2022

Introduction

We recently began scanning for accessible MySQL server instances on port 3306/TCP. These are instances that respond to our MySQL connection request with a Server Greeting. Surprisingly to us, we found around 2.3M IPv4 addresses responding with such a greeting to our queries. Even more surprisingly, we found over 1.3M IPv6 devices responding as well (though mostly associated with a single Autonomous System).

IPv4 and IPv6 scans together uncover 3.6M accessible MySQL servers worldwide.

While we do not check for the level of access possible or exposure of specific databases, this kind of exposure is a potential attack surface that should be closed.

Data on the accessible MySQL instances is shared in the Accessible MySQL Server Report.

How we scan 

We scan by issuing a MySQL connection request on port 3306/TCP and collecting the responses from servers that reply with a MySQL Server Greeting. This includes both TLS and non-TLS responses. We do not perform any intrusive checks to discover what level of access to any databases is possible.

Aside from all of IPv4 space, we also scan IPv6 based on hitlists collected from various sources.

You can replicate our query with an nmap mysql-info scan: https://nmap.org/nsedoc/scripts/mysql-info.html
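To see how a server you operate would be classified by a scan of this kind, the following added example (not Shadowserver's scanner code) parses the first packet a MySQL server sends: a Server Greeting with or without the TLS capability bit, or an error packet such as er_host_not_privileged. The function names and the sample packets are constructed for illustration; the `CLIENT_SSL` bit (0x0800) and error code 1130 come from the MySQL protocol.

```python
import socket
import struct

CLIENT_SSL = 0x0800            # capability bit: server offers TLS
ER_HOST_NOT_PRIVILEGED = 1130  # error code behind "host is not allowed to connect"

def parse_first_packet(data: bytes) -> dict:
    """Classify the first packet a MySQL server sends after the TCP connect."""
    if len(data) < 5:
        raise ValueError("truncated packet")
    length = int.from_bytes(data[:3], "little")  # 3-byte length, then 1-byte sequence id
    payload = data[4:4 + length]
    if length == 0 or len(payload) < length:
        raise ValueError("truncated payload")
    if payload[0] == 0xFF and length >= 3:  # ERR packet: reachable, but this client is refused
        code = struct.unpack_from("<H", payload, 1)[0]
        return {"kind": "error", "code": code, "host_denied": code == ER_HOST_NOT_PRIVILEGED,
                "message": payload[3:].decode("utf-8", "replace")}
    if payload[0] != 0x0A:
        raise ValueError("not a protocol 10 Server Greeting")
    end = payload.find(b"\x00", 1)  # server version string is NUL-terminated
    caps_at = end + 1 + 4 + 8 + 1   # skip thread id, auth data part 1, filler
    if end < 0 or len(payload) < caps_at + 2:
        raise ValueError("truncated greeting")
    caps = struct.unpack_from("<H", payload, caps_at)[0]  # lower capability flags
    return {"kind": "greeting", "tls": bool(caps & CLIENT_SSL),
            "version": payload[1:end].decode("ascii", "replace")}

def probe(host: str, port: int = 3306, timeout: float = 5.0) -> dict:
    """Read and classify the first packet from a server you operate; no login is attempted."""
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
        header = f.read(4)
        return parse_first_packet(header + f.read(int.from_bytes(header[:3], "little")))

def make_packet(payload: bytes) -> bytes:
    """Prefix a payload with the MySQL packet header (length + sequence id 0)."""
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

# Constructed sample packets (built by hand, not captured from a real server);
# the greetings stop after the lower capability flags, which is all the parser reads.
GREETING_HEAD = b"\x0a8.0.23\x00" + bytes(4) + b"A" * 8 + b"\x00"
SAMPLE_TLS = make_packet(GREETING_HEAD + struct.pack("<H", 0xFFFF))
SAMPLE_PLAIN = make_packet(GREETING_HEAD + struct.pack("<H", 0xFFFF & ~CLIENT_SSL))
SAMPLE_DENIED = make_packet(b"\xff" + struct.pack("<H", ER_HOST_NOT_PRIVILEGED)
                            + b"Host '192.0.2.10' is not allowed to connect")
```

A `greeting` result seen from an outside network means the server falls into the accessible population counted here, and `tls` being false means it did not advertise TLS support.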

Results

Total MySQL population found (i.e. includes both those that deny a connection – er_host_not_privileged – and those that allow for one):

IPv4: we find a total population of MySQL servers on port 3306/TCP to be 3,957,457 (scan from 2022-05-26).

IPv6 (hitlist-based scanning): we find a total population of MySQL servers responding on port 3306/TCP to be 1,421,010 (scan from 2022-05-26).

Total accessible MySQL servers found (i.e. those that allow for a connection and respond with a Server Greeting):

IPv4: we find 2,279,908 MySQL servers on port 3306/TCP responding with a Server Greeting (scan from 2022-05-26).

1,117,659 have TLS support, 1,163,249 do not.

IPv6: we find 1,343,993 MySQL servers on port 3306/TCP responding with a Server Greeting (scan from 2022-05-26).

38,198 have TLS support, 1,307,795 do not.

Overall, 67% of all MySQL services found are accessible from the Internet (IPv4 and IPv6).

Accessible IPv4 MySQL server country breakdown

The countries with the most accessible IPv4 MySQL servers are: United States (740.1K), China (296.3K), Poland (207.8K) and Germany (174.9K).

Accessible MySQL servers by unique IPv4 (2022-05-26)

Country-level breakdown of accessible MySQL servers by unique IPv4 (2022-05-26)

Accessible IPv6 MySQL server country breakdown

The countries with the most accessible IPv6 MySQL servers are: United States (460.8K), Netherlands (296.3K), Singapore (218.2K) and Germany (173.7K).

Accessible MySQL servers by unique IPv6 (2022-05-26)

Country-level breakdown of accessible MySQL servers by unique IPv6 (2022-05-26)

Please note that for IPv6, the vast majority are in a single AS.

MySQL Top 10 IPv4 version breakdown:

Version Count
5.7.33-36 150600
5.6.41-84.1 92834
5.7.23-23 69627
5.7.38-0ubuntu0.18.04.1 59333
5.6.51-cll-lve 58825
8.0.23 57148
5.5.68-mariadb 55401
5.6.50-log 54574
5.5.5-10.1.48-mariadb 40853
5.7.33-log 35809

MySQL IPv6 version breakdown:

Version Count
5.5.5-10.5.12-mariadb-cll-lve 908128
5.7.37-40-log 147072
5.5.5-10.5.13-mariadb-cll-lve 125320
5.5.5-10.5.15-mariadb-cll-lve 72856
8.0.27-18 20838
5.5.5-10.3.32-mariadb-log 11121
5.7.35-38 6640
5.5.5-10.5.15-mariadb-cll-lve-log 3435
5.7.23-cll-lve 2085
5.7.33-cll-lve 1993

Mitigation

It is unlikely that you need your MySQL server to accept external connections from the Internet (and thus present a possible external attack surface). If you do receive a report on your network/constituency, take action to filter out traffic to your MySQL instance and make sure to implement authentication on the server.

MySQL provides a MySQL 5.7 Secure Deployment Guide and a MySQL 8.0 Secure Deployment Guide.

Subscribe to get free data on accessible MySQL instances in your network or constituency!

Details about the format of the new report being shared can be found in the Accessible MySQL Server report. If you are an existing subscriber you will get the report daily should any IP be found in your network/constituency. This applies to both the IPv4 and IPv6 version of the reports.

If you are not already a subscriber to Shadowserver’s public benefit daily network reports and would like to receive this new report and our other existing report types (covering not just other scan results, but observations from sinkholes, honeypots, darknets, sandboxes, blocklists and other sources), then please sign up to our free daily public benefit network remediation feed service.

For more information on our scanning efforts, check out our Internet scanning summary page.

For any questions, please contact us.
