MySQL.com Compromised & Spreading Malware

Outsmart Malicious Hackers


The latest story doing the rounds is that MySQL.com got hacked and was serving malware which put it on the Google malware block list.

It appears to be in the clear now though and it’s accessible again via Google. It seems to be a similar case with that of the recent Linux.com and Kernel.org hacks – in which the sites were compromised via developers who had access.

In this case it seems MySQL.com was compromised by malware that spreads itself via FTP from client machines, it then uploads malicious JavaScript to any sites the client machine has access to and propagates malware using those sites.

Hackers recently compromised the website hosting the open-source MySQL database management system and caused it to infect the PCs of visitors who used unpatched browsers and plug-ins, security researchers said.

MySQL.com was infected with mwjs159, website malware that often spreads when compromised machines are used to access restricted FTP clients, a blog post from Sucuri Security reported. The hack caused people visiting the site to be redirected to a site that attempted to install malware on visitors’ computers using code from the Blackhole exploit kit, separate researchers from Armorize said.

“It exploits the visitor’s browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, …), and upon successful exploitation, permanently installs a piece of malware into the visitor’s machine, without the visitor’s knowledge,” Armorize researchers warned. “The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.”

Officials with the Oracle-owned MySQL didn’t respond to email seeking comment for this post.

I would say MySQL.com is a fairly high traffic site so this attack may have triggered a fair amount of infections – especially if the people visiting were using outdated versions of Windows or old versions of Internet Explorer.

But then again, I’d find that fairly unlikely – people browsing to the site of the #1 Open Source RDBMS would most likely be using Linux, or fully updated Windows systems with Chrome or Firefox.

That’s what I’d like to think anyway…


The reported breach is the latest to affect the distribution system for a widely used piece of open-source software. The kernel.org and Linux.com websites used to develop and distribute the Linux operating system remain inaccessible four weeks after it was infected with malware that gained root access, modified system software, and logged passwords and transactions of the people who used them. Representatives haven’t said when they expect the sites to be operational again.

Besides sullying the reputation of open-source software as more secure alternative to competing applications from Microsoft and other for-profit companies, the compromises have sparked concerns about the purity of the code the sites host. If attackers were able to secretly alter the code with backdoors, they could potentially surveil or gain control over sensitive networks that rely on the applications.

In the MySQL.com hack, the attackers appear to have aimed for the less ambitious goal of infecting the desktop machines of those who visited the site. At time of writing, just five of the top 44 antivirus providers were detecting the threat, according to this analysis from VirusTotal.

Sucuri speculated the site was infected after a MySQL developer was compromised and had his password stolen.

It doesn’t seem to be as serious as the Linux.com/Kernel.org compromises as in this case it’s simply JavaScript uploaded via FTP from a developer account – the actual server hosting MySQL.com wasn’t really hacked and there was no root access gained.

It seems like they have cleared the infection up now, I wonder if they have any stats on how many people were effected by the malware?

Source: The Register

Posted in: Database Hacking, Exploits/Vulnerabilities

, ,


Latest Posts:


BootStomp - Find Bootloader Vulnerabilities BootStomp – Find Android Bootloader Vulnerabilities
BootStomp is a Python-based tool, with Docker support that helps you find two different classes of bootloader vulnerabilities and bugs.
Google Chrome Marking ALL Non-HTTPS Sites Insecure July 2018 Google Chrome Marking ALL Non-HTTPS Sites Insecure July 2018
Google is ramping up its campaign against HTTP only sites and is going to mark ALL Non-HTTPS sites insecure in July 2018 with the release of Chrome 68.
altdns - Subdomain Recon Tool With Permutation Generation altdns – Subdomain Recon Tool With Permutation Generation
Altdns is a subdomain recon tool in Python that allows for the discovery of subdomains that conform to patterns. The tool takes in words that could be present in subdomains under a domain (such as test, dev, staging) as well as takes in a list of subdomains that you know of.
0-Day Flash Vulnerability Exploited In The Wild 0-Day Flash Vulnerability Exploited In The Wild
So another 0-Day Flash Vulnerability is being exploited in the Wild, a previously unknown flaw which has been labelled CVE-2018-4878 and it affects 28.0.0.137 and earlier versions
dorkbot - Command-Line Tool For Google Dorking dorkbot – Command-Line Tool For Google Dorking
dorkbot is a modular command-line tool for Google dorking, which is performing vulnerability scans against a set of web pages returned by Google search queries in a given Google Custom Search Engine.
USBPcap - USB Packet Capture For Windows USBPcap – USB Packet Capture For Windows
USBPcap is an open-source USB Packet Capture tool for Windows that can be used together with Wireshark in order to analyse USB traffic without using a Virtual Machine.


One Response to MySQL.com Compromised & Spreading Malware

  1. XiX October 6, 2011 at 8:56 pm #

    source compromise maybe?