MySQL.com Compromised & Spreading Malware


The latest story doing the rounds is that MySQL.com got hacked and was serving malware which put it on the Google malware block list.

It appears to be in the clear now though and it’s accessible again via Google. It seems to be a similar case with that of the recent Linux.com and Kernel.org hacks – in which the sites were compromised via developers who had access.

In this case it seems MySQL.com was compromised by malware that spreads itself via FTP from client machines, it then uploads malicious JavaScript to any sites the client machine has access to and propagates malware using those sites.

Hackers recently compromised the website hosting the open-source MySQL database management system and caused it to infect the PCs of visitors who used unpatched browsers and plug-ins, security researchers said.

MySQL.com was infected with mwjs159, website malware that often spreads when compromised machines are used to access restricted FTP clients, a blog post from Sucuri Security reported. The hack caused people visiting the site to be redirected to a site that attempted to install malware on visitors’ computers using code from the Blackhole exploit kit, separate researchers from Armorize said.

“It exploits the visitor’s browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, …), and upon successful exploitation, permanently installs a piece of malware into the visitor’s machine, without the visitor’s knowledge,” Armorize researchers warned. “The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.”

Officials with the Oracle-owned MySQL didn’t respond to email seeking comment for this post.

I would say MySQL.com is a fairly high traffic site so this attack may have triggered a fair amount of infections – especially if the people visiting were using outdated versions of Windows or old versions of Internet Explorer.

But then again, I’d find that fairly unlikely – people browsing to the site of the #1 Open Source RDBMS would most likely be using Linux, or fully updated Windows systems with Chrome or Firefox.

That’s what I’d like to think anyway…


The reported breach is the latest to affect the distribution system for a widely used piece of open-source software. The kernel.org and Linux.com websites used to develop and distribute the Linux operating system remain inaccessible four weeks after it was infected with malware that gained root access, modified system software, and logged passwords and transactions of the people who used them. Representatives haven’t said when they expect the sites to be operational again.

Besides sullying the reputation of open-source software as more secure alternative to competing applications from Microsoft and other for-profit companies, the compromises have sparked concerns about the purity of the code the sites host. If attackers were able to secretly alter the code with backdoors, they could potentially surveil or gain control over sensitive networks that rely on the applications.

In the MySQL.com hack, the attackers appear to have aimed for the less ambitious goal of infecting the desktop machines of those who visited the site. At time of writing, just five of the top 44 antivirus providers were detecting the threat, according to this analysis from VirusTotal.

Sucuri speculated the site was infected after a MySQL developer was compromised and had his password stolen.

It doesn’t seem to be as serious as the Linux.com/Kernel.org compromises as in this case it’s simply JavaScript uploaded via FTP from a developer account – the actual server hosting MySQL.com wasn’t really hacked and there was no root access gained.

It seems like they have cleared the infection up now, I wonder if they have any stats on how many people were effected by the malware?

Source: The Register

Posted in: Database Hacking, Exploits/Vulnerabilities

, ,


Latest Posts:


GKE Auditor - Detect Google Kubernetes Engine Misconfigurations GKE Auditor – Detect Google Kubernetes Engine Misconfigurations
GKE Auditor is a Java-based tool to detect Google Kubernetes Engine misconfigurations, it aims to help security & dev teams streamline the configuration process
zANTI - Android Wireless Hacking Tool Free Download zANTI – Android Wireless Hacking Tool Free Download
zANTI is an Android Wireless Hacking Tool that functions as a mobile penetration testing toolkit that lets you assess the risk level of a network using mobile.
HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.
Fuzzilli - JavaScript Engine Fuzzing Library Fuzzilli – JavaScript Engine Fuzzing Library
Fuzzilii is a JavaScript engine fuzzing library, it's a coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language.
OWASP APICheck - HTTP API DevSecOps Toolset OWASP APICheck – HTTP API DevSecOps Toolset
APICheck is an HTTP API DevSecOps toolset, it integrates existing tools, creates execution chains easily and is designed for integration with 3rd parties.


One Response to MySQL.com Compromised & Spreading Malware

  1. XiX October 6, 2011 at 8:56 pm #

    source compromise maybe?