MySQL.com hacked to serve malware
Security firm Armorize reports that Oracle's MySQL.com web site was hacked to serve Windows malware on 26 September. The attackers modified the JavaScript file "common/js/s_code_remote.js" on the server; this file is loaded by every page on MySQL.com, so a single change reached all visitors. The modified version created an iframe which then loaded the "Blackhole exploit pack". The exploit pack in turn uses vulnerabilities in older browsers or unpatched versions of Flash, Adobe Reader and Java to compromise Windows systems and allow the installation of back-doors, bots and other contaminants.
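The change described above, a site-wide script altered to inject a hidden iframe, is exactly what a baseline integrity check over served static assets would catch. The following is an added example, written for this page and not code from the article, Armorize or Oracle: it compares the SHA-256 of a served file against a deployment-time manifest and, independently, scans the file for iframe-injection patterns that an analytics script has no reason to contain. The clean and tampered file contents, the manifest and the `landing.invalid` URL are all constructed for the demonstration; only the path "common/js/s_code_remote.js" comes from the article.

```python
"""Integrity and iframe-injection check for a site's static JavaScript (added example)."""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes, as a deployment manifest would record it."""
    return hashlib.sha256(data).hexdigest()


# Constructed clean copy of a site-wide analytics script (a stand-in, not the real file).
CLEAN_JS = (
    b"var s_account = 'constructed-demo';\n"
    b"function s_track(page) { /* analytics beacon, constructed */ }\n"
)

# Constructed tampered copy: the clean file plus an appended hidden-iframe injection,
# the shape of change the article describes, written plainly for use as a test input.
TAMPERED_JS = CLEAN_JS + (
    b"document.write('<iframe src=\"http://landing.invalid/\" "
    b"width=\"0\" height=\"0\" style=\"visibility:hidden\"></iframe>');\n"
)

# Constructed baseline manifest: path -> SHA-256 recorded when the file was deployed.
BASELINE = {"common/js/s_code_remote.js": sha256_hex(CLEAN_JS)}

# Heuristics for iframe injection in a script that should never create frames.
IFRAME_PATTERNS = {
    "iframe_tag": re.compile(rb"<\s*iframe\b", re.I),
    "iframe_dom": re.compile(rb"createElement\s*\(\s*['\"]iframe['\"]\s*\)", re.I),
    "hidden_frame": re.compile(
        rb"(width|height)\s*=\s*['\"]?0\b|display\s*:\s*none|visibility\s*:\s*hidden", re.I
    ),
    "document_write": re.compile(rb"document\.write\s*\(", re.I),
}


def check_integrity(path: str, data: bytes, baseline: dict = BASELINE) -> str:
    """Return 'ok', 'modified', or 'unknown' (file not in the manifest, itself a finding)."""
    expected = baseline.get(path)
    if expected is None:
        return "unknown"
    return "ok" if sha256_hex(data) == expected else "modified"


def find_iframe_injection(data: bytes) -> list:
    """Names of the injection heuristics that match, in manifest order."""
    return [name for name, pat in IFRAME_PATTERNS.items() if pat.search(data)]


def audit(path: str, data: bytes, baseline: dict = BASELINE) -> dict:
    """Combine both checks; a file is suspicious if either one flags it."""
    integrity = check_integrity(path, data, baseline)
    findings = find_iframe_injection(data)
    return {
        "path": path,
        "integrity": integrity,
        "findings": findings,
        "suspicious": integrity != "ok" or bool(findings),
    }


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_JS), ("tampered", TAMPERED_JS)):
        print(label, audit("common/js/s_code_remote.js", blob))
```

The hash comparison is the authoritative check and catches any edit at all; the pattern scan is a fallback for files that were never baselined, or for a baseline that was itself taken after the compromise. In practice the manifest should be produced by the build pipeline and stored outside the web root, and the check should run against the bytes actually served (fetched through the public URL), since an attacker with root on the web server can rewrite files on disk and the manifest alike.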
The problem was noted at 1pm UK time and was cleaned up by 7pm the same day. How long the malware was online is unknown; Oracle is still investigating and has yet to comment on the breach. The MySQL site has around 400,000 visitors every day, so it is likely that several thousand users now have infected systems.
According to security journalist Brian Krebs and Trend Micro, access credentials for a root account on the MySQL servers appeared to have been offered last week on Russian underground forums for $3,000. The seller, going by the name 'sourcecOde', had posted evidence that he had root access to the servers. Whether this was how the attackers gained access, or whether there was another route to compromising the MySQL.com servers, is currently unknown.
This is the second security incident this year on the MySQL site; in March a hacker was able to access data using an SQL injection vulnerability.
(djwm)