Mysql.com Hacked, Made To Serve Malware

Orome1 writes "Mysql.com was compromised today, redirecting visitors to a page serving malware. Security firm Armorize detected the compromise through its website malware monitoring platform HackAlert, and has analyzed how the compromise of the site's visitors unfolded. The mysql.com website was injected with a script that generates an iFrame redirecting the visitors to a page where the BlackHole exploit pack is hosted." According to Brian Krebs, the exploit used to compromise the site was being shopped around last week for $3,000.

I, for one,

Blame Oracle.

Re:I, for one,

[Trilkin]

Nah, it's just the Russians again. It isn't Anonymous trying to make it a point this time around, unfortunately.

Re:I, for one,

I for one blame poor security.

Re:I, for one,

So where is the database you wrote then, hot shot?

Re:I, for one,

Dude, you really have never heard of LBD? (Larry Bagina Database)

Re:I, for one,

I always thought that LBD was Larry Bagina Disease. I guess, subconsciously, I was afraid to know more. Database, huh? It's not contagious, is it?

Re:I, for one,

It was some Aussie "researcher"

Re:I, for one,

Database, huh? It's not contagious, is it?

Apparently not, no one is using it.

Re:I, for one,

What do you mean just the Russians? Some of my x-colleagues are working in Oracle. They remotely write code for Oracle department in St. Petersburg. And it's russian hacker and russian reseacher in this story: http://blog.trendmicro.com/underground-radar-possible-compromise-of-mysql-com-and-its-subdomains/

I would rather say it's Fedora again. (FC11 unsupported release.) All recent hacks were made on Fedora. It's an especially bad distro for enterprise for two reasons: the last versions are too unstable, the older versions have to short support period.

Re:I, for one,

[JonJ]

The fuck are you doing running Fedora in a enterprise environment?

Wait, let me get this straight

[blair1q]

Someone, a week ago, before anything bad actually happened, was openly selling the fact that mysql was cracked, and anyone seeing the ad knew it, but HackAlert is taking credit for "discovering" the cracking after something bad actually happened?

How about if HackAlert, instead of crawling the web looking for whatever pattern of deviation defines its detection of a hack, crawls the blackhat markets for ads for open access to presumed secure sites.

If they aren't doing that already, and crocking their detection speed...

[generic topic]

little Bobby Tables is disappointed.

No user interaction

[Synerg1y]

If the website redirects to an iframe (I thought these got phased out in like HTML4???) and tries to install malware, and there is no user interaction involved... what exactly is the browser doing?

Being really stupid...
http://antivirus.about.com/od/virusdescriptions/p/Blackhole-Exploit-Kit.htm

On that note, noscript, greasemonkey w/ script, and any addon that allows the blocking of the iframe tag should keep you safe, but then again how often do you visit mysql.com? :)

Re:No user interaction

[Synerg1y]

Forgot to mention TOR blocks these kinds of redirects.

Re:No user interaction

[LordLucless]

If the website redirects to an iframe (I thought these got phased out in like HTML4???)

You're thinking of framesets. Iframes are used far, far more now in conjunction with AJAXy stuff and embedding third-party crap than they were last decade.

More details on the exploit specifics?

[ThisIsSaei]

If SQLi took down MySQL there's a pun about "hackception" here somewhere.

Re:More details on the exploit specifics?

[VJmes]

We need to go deeper...

Seriously though, this looks like the work of someone who found the root login prompt and then proceeded to guess/bute-force the password.

Re:More details on the exploit specifics?

[Robert+Zenz]

I hate to spoil the fun, but...

Already Fixed

[InvisibleSoul]

http://www.pcworld.com/businesscenter/article/240609/mysqlcom_hacked_to_serve_malware.html Article says the site was already fixed as of 11am PST.

Re:Already Fixed

PDT. The Pacific time zone is all still on Daylight Time.

Re:Already Fixed

[sphix42]

Yea, as good an idea as it is to send more traffic to a hacked site, I appreciate /. handling. And since it's fixed and after 5 on the east coast that means a lot of dumb users won't deliberately go to a hacked site. That isn't to say the east coast is sub-prime, there's just a higher density.

lesson learned, don't expose mysql over the intern

I can only assume that mysql.com was running whatever raw sql queries the browser was submitting, but did you know that you can actually rewrite these to include a semicolon (terminating the query) and then whatever new query you want? Obviously, you can't rely on nobody thinking to do this, and the fact that mysql was hacked is just evidence that you should not expose mysql over the Internet.

Watch the video on the page, informative

[mrflash818]

I watched the video on the page, showing the step-by-step of the exploit working, and the trace of what it did.

Informative and interesting.

Seems if a person did _not_ have java enabled in their browser, then the attack would have failed.

Re:Watch the video on the page, informative

[mclearn]

I believe it was a multi-tiered attack in that Java, Flash, and PDF exploits were all tried. What is shown in the video is that the Java attack was successful.

Re:Watch the video on the page, informative

[rodgster]

A while back, I decided I don't need java, adobe acrobat or flash on my work machines (too much attack surface).

Re:Watch the video on the page, informative

[Gadget_Guy]

A while back, I decided I don't need java, adobe acrobat or flash on my work machines (too much attack surface).

My philosophy is that you disable/uninstall everything and the switch it back on when you need it. Sometimes it is a pain, but it is better than browsing the net with a big "kick me" sign on your virtual back.

I found it strange that the Krebs on Security site linked in the summary would state that we should avoid using Java for security reasons, but then assume that we would be able to view an embedded youtube video on his page. Surely anyone interested in security would just link to the youtube page rather than hope we all allow flash to run on unknown websites.

If I hacked a website, and knew that it would eventually be exposed, I would announce the infection myself with a helpful flash video that was also a virus exploit. You could double the infection rate with such a scam.

Re:Watch the video on the page, informative

He says to avoid using java. You don't need java to view the youtube video, it uses javascript. Apples and oranges.

Re:Watch the video on the page, informative

[Gadget_Guy]

You don't need java to view the youtube video, it uses javascript.

It actually required Adobe Flash in my browser. All I got was a black square because I locked down my security settings to only allow Flash on whitelisted sites.

I was not suggesting that YouTube uses Java, but that his comment was an indication that we should eliminate use of software with known security problems and that expecting his audience to run plug-ins on his site went against his advice. I should have been more clear about that point.

All he needed to do was include a link to the YouTube page along with the embedded video so that people who care about security could see the video without having to view the source to grab the address.

Re:Watch the video on the page, informative

[Gutboy]

Good thing HTML5 won't need all those things to run code on your machine.

Re:Watch the video on the page, informative

[ttong]

That's odd, I was able to view the video in perfect webm just fine without having anything Adobe installed.

http://www.youtube.com/html5

Also, if you're on MS-Windows and using Oracle Java JRE, you can remove webstart and the netscape/msie plugins after install. To check, visit about:plugins or Plugincheck Make sure jnlp files are opened with notepad and jar files with an archiver (or anything except "java.exe -jar"). Any programs written in Java you've installed will still work.

Re:Watch the video on the page, informative

[lamber45]

If you can do that, more power to you. In my case, I need the Java plugin for a number of core work functions:

• The corporate expense-reporting application
• The desktop/webcam/slide-sharing portion of the corporate standard audio/video-conferencing platform
• The corporate standard e-learning platform (which was used to deliver "data security and privacy" training 4Q last year)
• The download-assistant at the internal site where I obtain official copies of our software products (customers use a different interface to the same site, with the same Java applet to download "images")
• The drag-and-drop-to-upload function of one of our document-management products

My employer is a Java licensee, we have our own VM, I would hope that makes our Java plugin less vulnerable.

I might be able to get away with disabling the Acrobat plugin, but I need some sort of PDF viewer because a lot of the documents I have to read are only available to me in PDF. I might be able to get away with disabling Flash, although other divisions' salesmen have been publishing some videos they want me to watch on YouTube, and the old version of a system I'm helping write a replacement for uses Flash on its front page. (You didn't mention QuickTime, but the above-mentioned audio-video-conferencing platform exports recorded conferences as either QuickTime or Windows Media, which means I need a player for at least one of those formats.)

I guess I could run a pluginless browser (say Konqueror?) in a low-privilege account in a VM, or on a remote server, and use only that to access third-party vendor and customer websites... but Java was supposed to solve the "running code in a browser" problem when it first came out, right?

Really this is a black mark for Oracle, even though they didn't write the MySQL database: they've been owners of that website for over a year now, and they were selling "unbreakable Linux" way before that; what kind of system-administration process is in place that allows an unknown party root access to one of a company's high-profile front pages?

Re:Watch the video on the page, informative

I'd assume someone as security conscious as you would have already opted in to the html5 trial on youtube.

Re:Watch the video on the page, informative

[Gadget_Guy]

I'd assume someone as security conscious as you would have already opted in to the html5 trial on youtube.

Actually, I consider HTML5 video to be an immature and untrusted entity. The authors of browser plug-ins could not write secure code, so there is no reason that browser writers should not give us exploitable bugs too. Just because the video is part of the HTML language does not instantly make it safe.

It may prove to be fine eventually, but it is still something that would not instantly trust to every single website I happen to come across. Besides, I prefer my webpages to stay still.

Re:s/hacked/cracked/

[afabbro]

All three members of the FSF appreciate the correction.

Re:Browser Java Plugin

[logjon]

If you've disabled plugins, then how would you be compromised by that plugin?

Nobody said MySQL was cracked

[MacGyver2210]

Someone was shopping around the exploit used to hack the company's website - I am sure it had little to do with MySQL software unless it was an injection that got them access to change the site.

Re:Nobody said MySQL was cracked

[EdIII]

I am sure it had little to do with MySQL software unless it was an injection that got them access to change the site

No, it wasn't anything to do with a SQL injection attack. Levels of Irony that high actually warp space/time and I am sure some scientists would have registered it somewhere and reported it.

Re:Nobody said MySQL was cracked

[blair1q]

From the bottom link I got that the ad mentioned mysql. Maybe I misread it.

Nope.

The seller, ominously using the nickname “sourcec0de,” points out that mysql.com is a prime piece of real estate for anyone looking to plant an exploit kit: It boasts nearly 12 million visitors per month — almost 400,000 per day — and is ranked the 649th most-visited site by Alexa (Alexa currently rates it at 637).

He offered to sell remote access to the first person who paid him at least USD $3,000, via the site’s escrow service, which guarantees that both parties are satisfied with the transaction before releasing the funds.

He'd opened that site up and was selling the access to it.

My question is, why is mysql.com's traffic that high?

oh great

Now instead of serving malware directly it redirects to a site serving malware.

Obligation

[Fnord666]

The disclosure caught my eye because just a few days ago I saw evidence that administrative access to mysql.com was being sold in the hacker underground for just $3,000.

At what point should Mr. Krebs have felt some sort of obligation to inform the owners of mysql.com that their root login was being actively shopped?

Re:Obligation

[Qzukk]

When mysql.com's admins offer to pay him $3050 so he'd make a profit?

Re:Obligation

As someone who's done ... even... gentle research. I hate to say...I resent the implication of your comment.

It's mysql, so they aren't exactly a bunch of clowns... but the moment you tell people--you get suspicion thrown on you. If you tell them anonymously, you get *even more* suspicion thrown on you. For further examples, you need only look at the classic tuttle/centos story...
http://www.theregister.co.uk/2006/03/24/tuttle_centos/ . Now imagine what happens if you /actually/ report a real issue.

As somebody who feels *fortunate* to have not been investigated in the past due to no small measure of proxy use--I have to say...by asking Krebbs to disclose this, you're asking him to accept undue risk. The last time I reported a /large/ issue with a private server, the server I used was scanned within 50 minutes from IP's originating within the FBI. Sorry... fuck you all--there's no free advice given ever again.

Quite frankly, other people's problems aren't our job. They nearly aren't our business either save when they lie and advertise they're safe and there's a client curious, or we're looking to spot something... At which point they can pony up for the advice like every other consumer in the market.

TLDR: There is no obligation. It's at best a generous act of good will that most people really don't deserve anyway.

Re:Obligation

So "two wrongs make a right" is your motto? Amazing. Because "some people" have been asses at some points in time, your response is to be an ass to everyone else as well? Yay for perpetuating the problem...

Re:Obligation

And that, kids, is what you call a dick.

Re:Obligation

You are asking a reporter (that is in no danger) to report a crime in progress - when said reporter has plans to profit from a story that they plan to write on said crime later?

Yes. Hellaciously run on...

Isn't it bit naive of you to think that someone would report a felony instead of acting to profit off of it?

Re:Obligation

Gee - I can't imagine why you would ever have suspicion thrown over you.

TLDR: There is no obligation. It's at best a generous act of good will that most people really don't deserve anyway.

Why does that sound to me like "she fucking deserved it - going out dressed like that?!"

Re:Obligation

[mug+funky]

no, it's like a passer-by telling someone leaving their car that the door is unlocked, then getting stabbed by that person.

it's gotta be a car analogy.

also, don't confuse rape with software. it's sorta like Godwinning.

Re:Obligation

If inaction is a wrong, then I guess two wrongs do make a right for the person trying to avoid the probability of further incoming wrong.

At least, as far as myself and any decent lawyer might be concerned.

Why should I potentially incur tens or hundreds of thousands of dollars in legal fees to protect someone else from their mistakes? There is no good samaritan protection in cyber-space.

Why would I want to risk all my home or business computers getting confiscated and slowly searched just to point out to somebody that they're serving cleverly disguised malware in their adfarm when there's /no/ personal benefit and /everything/ to lose? Or am I going to get my laptop and backups back when I complain it will make two contracts late...?

So yes, because some people are asses, my response is to look out for myself first.

It isn't dickishness--it's a rational, reasoned, measured response to the problems inherent in the criminal and civil systems.

Is it a bit mercenary of me to say they can pony up like everybody else... absolutely. But people have known about security issues for the past twenty years. I'm not doing any of my colleagues any favors by giving services away for free. Hell, there's off-the-shelf scanners that could've caught that. Somewhere, there's probably a cloud service that costs less than $30 a month.

While I have met hundreds of people that don't know how to lock down a network (much less an entire application stack)--I've only met maybe a dozen people that aren't *cheap*. And most of them are time frugal.

If you think that's the equivalent of corporate slut-shaming, you miss the point. Given most victims tend to be cheap and not wanting to spend time--they can very well decide that the most expeditious route is a legal fishing expedition to try to get insurance to cover an incident with their newfound likely candidate. Even if nothing comes of it, they still stand to gain in publicity by immediately announcing a suspect and positive news to keep stock from dropping... and when charges are dropped two months later, the media no longer remembers. One more reason to /never/ deal with the mega corps--throwing 100k in lawyers at you is cheaper than taking a $0.25 share price hit if they don't like an announcement you posted.

It's not the MySQL had it coming. It's that Krebbs made the right call in modern society by choosing to mitigate his exposure to very possible hostile reactions.

You want to change my attitude...keep working to change the world. Maybe someday I'll feel safe being helpful again. Until then--stay off my lawn.

Re:Obligation

Two wrongs don't ever make a right. You need three lefts to make a right.

Re:Obligation

More like fool me once shame on you...

Re:Obligation

Just because you've watched a few episodes of NCIS doesn't mean you sound credible when talking about infosec.

In other words: stfu.

Re:Obligation

It's mysql, so they aren't exactly a bunch of clowns...

Excuse me?

Re:Obligation

[thunderclap]

No, reporting the issue gets you assumed to be the problem and scanned by the FBI.

Re:Obligation

[quacking+duck]

More like an adult male passerby noticing a young girl playing near a dangerously fast-flowing river, but choosing not to intervene because the risk of being accused of a child molester or attempted abductor is too great (tell her it's dangerous and to move away from the river, and she'd run off screaming to her distant parents that there's a big bad man trying to kidnap her). After that, good luck proving that she *would* have fallen in if he hadn't intervened.

Sadly, this exact scenario happened in the UK a few years back--the girl fell in and drowned shortly after the man walked away. And the guy got roasted for not intervening. Damned if you do, damned if you don't.

Re:Obligation

Umm, while trying to be generous you are brought up under investigation, have your name drug through the mud publicly (making it hard to find a job in the future), and will get to possibly experience our wonderful pleabargaining system we have the US? You live in a fantasy world where "good" outweighs whatever the cost is. Meanwhile in the real world, we have wised up and stopped being suckers. The GP is right.

Re:Obligation

Man, I really hope you're not one of my friends...

Re:Obligation

Forget to take your meds today "Captain Paranoid"? Yes obviously, what with your conspiracy theorist viewpoint. Now go take your meds and shut the fuck up.

Re:Obligation

Forget to take your meds today "Captain Paranoid"? Yes obviously, what with your conspiracy theorist viewpoint.

Oh shit, you're right! Now that I've taken my meds, I see the truth: he's not an asshole who didn't warn the site admins because he couldn't make a quick buck from it, he's just an asshole who didn't warn the admins for no reason at all.

And yes, I did see your little rant about how you wouldn't do anything because the men in black will probe your proxies seconds after you notify someone about an exploit. Thanks for letting me bum a few pills off you.

One thing for sure...

[Tasha26]

I ain't taking any security certification from them... the MySQL 1&2 was enough.

inevitable

[sjames]

It was really just a matter of time before Oracle started trying to force MySQL users to move to their expensive proprietary solutions. It just happened a bit....What's that? ........

Oh, NEVERMIND!

Re:inevitable

[lennier1]

It was really just a matter of time before Oracle started trying to force MySQL users to move to their expensive proprietary solutions.

The one where you need to add additional objects to the database just to auto-increment a fucking primary key?

MySQL hack...

[InitHello]

I would laugh (hard) if the exploit involved SQL injection.

Re:MySQL hack...

[styrotech]

Nah, that would be more appropriate if (just for example) Hibernates website was exploited via SQL injection.

SQL injection isn't generally regarded as a database flaw.

Re:MySQL hack...

[Bill,+Shooter+of+Bul]

Yeah, but you'd think a database company with SQL in its name would be aware of common intrusion attempts using SQL.

Re:MySQL hack...

[lennier]

SQL injection isn't generally regarded as a database flaw.

It should be. The design of SQL itself promotes injection attacks. A decently secure database wouldn't support plain-text SQL query strings as an API.

Even a simple S-expression translation of SQL using parentheses instead of quotes would be more secure, because you could verify that the parens balanced before accepting an expression. SQL's syntax is an artifact of the 1970s COBOL-era idea that "if a mathematical expression sort of looks halfway like English, it will be simple to use". In fact, it isn't, and all we got was a half-baked syntax that isn't either mathematically elegant or linguistically intuitive.

If we keep propping up broken interfaces, like an abused spouse making apologies for the drunken rages, we'll keep getting hurt. It's time we did the right thing and moved on.

mysql.net

[crutchy]

... has been hacked by Amazon

slashdot frenzy erupts in 3... 2... 1...

Re:s/hacked/cracked/

That's GNU/Cracked, thank you.

Re:Just like before

[slydder]

Sorry, did I miss something here? Could you please elaborate on your claim? I would be most interested to learn how MySQL does not qualify as an SQL RDBMS.

And as for your link. It even states that MySQL is one of the actual SQL RDBMS' available and not a noSQL sysstem.

HTML5, active content

You are so damn right that it ain't funny anymore.

Why is it that this W3C thing is pushing active content upon users, in spite of knowing better.

"Yes, yes, we have a sandbox, therefore we are secure!" is the stupid phrase I'm tired of hearing since the first days of the Java Virtual Machine.

Sandbox, my ass.

oF COURSE IT IS wIdDoZE MALWARE

Just quit using Mickey$ofts CRAPWARE.

Re:lesson learned, don't expose mysql over the int

[thunderclap]

just wanted to make a dirty joke about exposing mysql over the intern but it was lost.

MySQL hack

[m1ndcrash]

Truth be told it has started with a SQL-injection a few months ago and there was a web-shell available in semi-private access. Just recently the sourcec0de (newly registered member of an underground forum) posted that he sells the root shell for mysql.com. The kernel was pwned with a local exploit. The attacker also claimed that he modified the back-ups which I don't really believe.
Now, that fool who spent $3k and put BlackHole exploit kit directly (well with one redirect) seems to have no understanding of how to convert traffic or what to do with such a valuable item as mysql.com. (next time put backdoors into sources and use TDS before using an exploit kit, n00b)
I mean come on, the malware wasn't FUD (4/34). On a website with this amount of traffic it will be detected (and it was) within hours if not minuets.
This situation shows again that sysadmins shouldn't be lazy and do their jobs... http://www.habrastorage.com/images/msqlrootsa.png screenshot of the forum post.

Merger

Mysql serving malware, I don't see how's that news.
The Oracle merger is months old already...

Moncler Sale

[mocnler+jacket+]

He’s no longer a fetus. Republicans only care about you before you’re born. http://www.coolmonclerclothing.com/