
MySQL.com website hacked and used to serve malware

A site that offers “the most popular open source database” and boasts nearly 12 million visitors per month (almost 400,000 per day) is an ideal vehicle for spreading malware.

Yesterday, hackers installed JavaScript code on the MySQL.com site that launched a variety of known browser attacks against visitors, so those with out-of-date browsers or unpatched versions of Adobe Flash, Reader or Java on their PCs could have been infected with malicious software.

Details

Attackers used a BlackHole exploit kit, an automated exploit toolkit that probes visiting browsers for a variety of known security holes. Unfortunately, the Armorize team had not yet figured out what the malicious software installed by the kit was designed to do.

Only 4 out of 44 anti-virus programs could detect this malware, said Wayne Huang, Armorize’s CEO.

[Screenshot: MySQL.com rooted - anti-virus report]

He thinks the malicious code was on the site for 7 hours before the Oracle team cleaned up the issue. If that’s accurate, that was enough time for approximately 120,000 Internet users to browse the site and expose their systems to the exploit kit.

This attack may be connected with a user of a blackhat underground forum with the handle ‘sourcec0de‘, who was offering root access to some of the cluster servers of mysql.com and its subdomains (see the screenshot taken by a TrendLabs researcher):

[Screenshot: MySQL.com rooted]

Summary

Highly trafficked open-source websites such as MySQL.com have been hit very hard in recent months. In the past weeks the Linux Foundation was forced to take a number of websites offline, including Kernel.org repositories.

You can see a detailed description of the attack in this article.
