Slashdot Mirror


Mysql.com Hacked, Made To Serve Malware

Orome1 writes "Mysql.com was compromised today, redirecting visitors to a page serving malware. Security firm Armorize detected the compromise through its website malware monitoring platform HackAlert, and has analyzed how the compromise of the site's visitors unfolded. The mysql.com website was injected with a script that generates an iFrame redirecting the visitors to a page where the BlackHole exploit pack is hosted." According to Brian Krebs, the exploit used to compromise the site was being shopped around last week for $3,000.


  1. Re:I, for one, by Anonymous Coward · · Score: 3, Insightful

    I for one blame poor security.

  2. Wait, let me get this straight by blair1q · · Score: 2, Insightful

    Someone, a week ago, before anything bad actually happened, was openly selling the fact that mysql was cracked, and anyone seeing the ad knew it, but HackAlert is taking credit for "discovering" the cracking after something bad actually happened?

    How about if HackAlert, instead of crawling the web looking for whatever pattern of deviation defines its detection of a hack, crawls the blackhat markets for ads for open access to presumed secure sites.

    If they aren't doing that already, and crocking their detection speed...

  3. [generic topic] by Anonymous Coward · · Score: 4, Funny

    little Bobby Tables is disappointed.

  4. No user interaction by Synerg1y · · Score: 3, Interesting

    If the website redirects to an iframe (I thought these got phased out in like HTML4???) and tries to install malware, and there is no user interaction involved... what exactly is the browser doing?

    Being really stupid...
    http://antivirus.about.com/od/virusdescriptions/p/Blackhole-Exploit-Kit.htm

    On that note, noscript, greasemonkey w/ script, and any addon that allows the blocking of the iframe tag should keep you safe, but then again how often do you visit mysql.com? :)

    1. Re:No user interaction by LordLucless · · Score: 2

      If the website redirects to an iframe (I thought these got phased out in like HTML4???)

      You're thinking of framesets. Iframes are used far, far more now in conjunction with AJAXy stuff and embedding third-party crap than they were last decade.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  5. Already Fixed by InvisibleSoul · · Score: 3, Informative
  6. Re:Watch the video on the page, informative by mclearn · · Score: 4, Informative

    I believe it was a multi-tiered attack in that Java, Flash, and PDF exploits were all tried. What is shown in the video is that the Java attack was successful.

  7. Nobody said MySQL was cracked by MacGyver2210 · · Score: 3, Informative

    Someone was shopping around the exploit used to hack the company's website - I am sure it had little to do with MySQL software unless it was an injection that got them access to change the site.

    --
    If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
  8. Obligation by Fnord666 · · Score: 4, Insightful

    The disclosure caught my eye because just a few days ago I saw evidence that administrative access to mysql.com was being sold in the hacker underground for just $3,000.

    At what point should Mr. Krebs have felt some sort of obligation to inform the owners of mysql.com that their root login was being actively shopped?

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    1. Re:Obligation by Anonymous Coward · · Score: 4, Interesting

      As someone who's done ... even... gentle research. I hate to say...I resent the implication of your comment.

      It's mysql, so they aren't exactly a bunch of clowns... but the moment you tell people--you get suspicion thrown on you. If you tell them anonymously, you get *even more* suspicion thrown on you. For further examples, you need only look at the classic tuttle/centos story...
      http://www.theregister.co.uk/2006/03/24/tuttle_centos/ . Now imagine what happens if you /actually/ report a real issue.

      As somebody who feels *fortunate* to have not been investigated in the past due to no small measure of proxy use--I have to say...by asking Krebs to disclose this, you're asking him to accept undue risk. The last time I reported a /large/ issue with a private server, the server I used was scanned within 50 minutes from IPs originating within the FBI. Sorry... fuck you all--there's no free advice given ever again.

      Quite frankly, other people's problems aren't our job. They nearly aren't our business either save when they lie and advertise they're safe and there's a client curious, or we're looking to spot something... At which point they can pony up for the advice like every other consumer in the market.

      TLDR: There is no obligation. It's at best a generous act of good will that most people really don't deserve anyway.

  9. MySQL hack... by InitHello · · Score: 3, Funny

    I would laugh (hard) if the exploit involved SQL injection.

    --
    If I hadn't been modded down, you'd be reading this right now.
  10. Re:Watch the video on the page, informative by Gadget_Guy · · Score: 2

    A while back, I decided I don't need java, adobe acrobat or flash on my work machines (too much attack surface).

    My philosophy is that you disable/uninstall everything and then switch it back on when you need it. Sometimes it is a pain, but it is better than browsing the net with a big "kick me" sign on your virtual back.

    I found it strange that the Krebs on Security site linked in the summary would state that we should avoid using Java for security reasons, but then assume that we would be able to view an embedded youtube video on his page. Surely anyone interested in security would just link to the youtube page rather than hope we all allow flash to run on unknown websites.

    If I hacked a website, and knew that it would eventually be exposed, I would announce the infection myself with a helpful flash video that was also a virus exploit. You could double the infection rate with such a scam.

  11. Re:Watch the video on the page, informative by Gadget_Guy · · Score: 2

    You don't need java to view the youtube video, it uses javascript.

    It actually required Adobe Flash in my browser. All I got was a black square because I locked down my security settings to only allow Flash on whitelisted sites.

    I was not suggesting that YouTube uses Java, but that his comment was an indication that we should eliminate use of software with known security problems and that expecting his audience to run plug-ins on his site went against his advice. I should have been more clear about that point.

    All he needed to do was include a link to the YouTube page along with the embedded video so that people who care about security could see the video without having to view the source to grab the address.

  12. Re:Watch the video on the page, informative by Gutboy · · Score: 3

    Good thing HTML5 won't need all those things to run code on your machine.

  13. Re:I, for one, by JonJ · · Score: 2

    The fuck are you doing running Fedora in an enterprise environment?

    --
    -- Linux user #369862