Compromised & Spreading Malware

Find your website's Achilles' Heel

The latest story doing the rounds is that got hacked and was serving malware which put it on the Google malware block list.

It appears to be in the clear now though and it’s accessible again via Google. It seems to be a similar case with that of the recent and hacks – in which the sites were compromised via developers who had access.

In this case it seems was compromised by malware that spreads itself via FTP from client machines, it then uploads malicious JavaScript to any sites the client machine has access to and propagates malware using those sites.

Hackers recently compromised the website hosting the open-source MySQL database management system and caused it to infect the PCs of visitors who used unpatched browsers and plug-ins, security researchers said. was infected with mwjs159, website malware that often spreads when compromised machines are used to access restricted FTP clients, a blog post from Sucuri Security reported. The hack caused people visiting the site to be redirected to a site that attempted to install malware on visitors’ computers using code from the Blackhole exploit kit, separate researchers from Armorize said.

“It exploits the visitor’s browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, …), and upon successful exploitation, permanently installs a piece of malware into the visitor’s machine, without the visitor’s knowledge,” Armorize researchers warned. “The visitor doesn’t need to click or agree to anything; simply visiting with a vulnerable browsing platform will result in an infection.”

Officials with the Oracle-owned MySQL didn’t respond to email seeking comment for this post.

I would say is a fairly high traffic site so this attack may have triggered a fair amount of infections – especially if the people visiting were using outdated versions of Windows or old versions of Internet Explorer.

But then again, I’d find that fairly unlikely – people browsing to the site of the #1 Open Source RDBMS would most likely be using Linux, or fully updated Windows systems with Chrome or Firefox.

That’s what I’d like to think anyway…

The reported breach is the latest to affect the distribution system for a widely used piece of open-source software. The and websites used to develop and distribute the Linux operating system remain inaccessible four weeks after it was infected with malware that gained root access, modified system software, and logged passwords and transactions of the people who used them. Representatives haven’t said when they expect the sites to be operational again.

Besides sullying the reputation of open-source software as more secure alternative to competing applications from Microsoft and other for-profit companies, the compromises have sparked concerns about the purity of the code the sites host. If attackers were able to secretly alter the code with backdoors, they could potentially surveil or gain control over sensitive networks that rely on the applications.

In the hack, the attackers appear to have aimed for the less ambitious goal of infecting the desktop machines of those who visited the site. At time of writing, just five of the top 44 antivirus providers were detecting the threat, according to this analysis from VirusTotal.

Sucuri speculated the site was infected after a MySQL developer was compromised and had his password stolen.

It doesn’t seem to be as serious as the compromises as in this case it’s simply JavaScript uploaded via FTP from a developer account – the actual server hosting wasn’t really hacked and there was no root access gained.

It seems like they have cleared the infection up now, I wonder if they have any stats on how many people were effected by the malware?

Source: The Register

Posted in: Database Hacking, Exploits/Vulnerabilities

, , , , , , , , , ,

Recent in Database Hacking:
- BBQSQL – Blind SQL Injection Framework
- DBPwAudit – Database Password Auditing Tool
- VTech Hack – Over 7 Million Records Leaked (Children & Parents)

Related Posts:

Most Read in Database Hacking:
- Pangolin – Automatic SQL Injection Tool - 77,403 views
- bsqlbf 1.1 – Blind SQL Injection Tool - 54,563 views
- SQLBrute – SQL Injection Brute Force Tool - 41,611 views

One Response to Compromised & Spreading Malware

  1. XiX October 6, 2011 at 8:56 pm #

    source compromise maybe?