Mysql.com Hacked, Made To Serve Malware
Orome1 writes "Mysql.com was compromised today, redirecting visitors to a page serving malware. Security firm Armorize detected the compromise through its website malware monitoring platform HackAlert, and has analyzed how the compromise of the site's visitors unfolded. The mysql.com website was injected with a script that generates an iFrame redirecting the visitors to a page where the BlackHole exploit pack is hosted."
According to Brian Krebs, the exploit used to compromise the site was being shopped around last week for $3,000.
I, for one, (Score:1)
Blame Oracle.
Re: (Score:1)
Nah, it's just the Russians again. It isn't Anonymous trying to make it a point this time around, unfortunately.
Re: (Score:3)
Re: (Score:3, Insightful)
Re: (Score:1)
Dude, you really have never heard of LBD? (Larry Bagina Database)
Wait, let me get this straight (Score:3, Insightful)
Someone, a week ago, before anything bad actually happened, was openly selling the fact that mysql was cracked, and anyone seeing the ad knew it, but HackAlert is taking credit for "discovering" the cracking after something bad actually happened?
How about if HackAlert, instead of crawling the web looking for whatever pattern of deviation defines its detection of a hack, crawls the blackhat markets for ads for open access to presumed secure sites.
If they aren't doing that already, and crocking their detection speed...
Nobody said MySQL was cracked (Score:4, Informative)
Someone was shopping around the exploit used to hack the company's website - I am sure it had little to do with MySQL software unless it was an injection that got them access to change the site.
Re: (Score:2)
I am sure it had little to do with MySQL software unless it was an injection that got them access to change the site
No, it wasn't anything to do with a SQL injection attack. Levels of Irony that high actually warp space/time and I am sure some scientists would have registered it somewhere and reported it.
Re: (Score:2)
From the bottom link I got that the ad mentioned mysql. Maybe I misread it.
Nope.
The seller, ominously using the nickname “sourcec0de,” points out that mysql.com is a prime piece of real estate for anyone looking to plant an exploit kit: It boasts nearly 12 million visitors per month — almost 400,000 per day — and is ranked the 649th most-visited site by Alexa (Alexa currently rates it at 637).
He offered to sell remote access to the first person who paid him at least USD $3,000, via the site’s escrow service, which guarantees that both parties are satisfied with the transaction before releasing the funds.
He'd opened that site up and was selling the access to it.
My question is, why is mysql.com's traffic that high?
[generic topic] (Score:4, Funny)
little Bobby Tables is disappointed.
No user interaction (Score:3, Interesting)
If the website redirects to an iframe (I thought these got phased out in like HTML4???) and tries to install malware, and there is no user interaction involved... what exactly is the browser doing?
Being really stupid...
http://antivirus.about.com/od/virusdescriptions/p/Blackhole-Exploit-Kit.htm [about.com]
On that note, noscript, greasemonkey w/ script, and any addon that allows the blocking of the iframe tag should keep you safe, but then again how often do you visit mysql.com? :)
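The compromise described in the summary was an injected, off-site iframe. The following is an added example (not code from the article, Armorize or any commenter) of the kind of check a site owner can run over their own pages: it flags iframes that are both hidden or near-zero-size and point at a different host. The HTML and the `attacker.invalid` host are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-site embed and one
# off-site 1x1 hidden iframe of the kind a drive-by injection inserts.
SAMPLE_HTML = """
<html><body>
<h1>Downloads</h1>
<iframe src="https://www.example.com/player" width="640" height="360"></iframe>
<iframe src="http://attacker.invalid/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>
"""

HIDDEN_STYLES = ("display:none", "visibility:hidden")


def _is_tiny(value):
    """True for the 0/1 pixel dimensions injected iframes typically use."""
    try:
        return int(str(value).rstrip("px")) <= 1
    except ValueError:
        return False


class IframeCollector(HTMLParser):
    """Collects the attribute dicts of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def suspicious_iframes(html, page_host):
    """Return src URLs of iframes that are hidden/tiny AND off-site.
    Either signal alone is common on legitimate pages; the combination
    matches the injected redirector pattern described in the story."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for frame in collector.iframes:
        src = frame.get("src") or ""
        host = urlparse(src).hostname or page_host   # relative src = same site
        style = (frame.get("style") or "").replace(" ", "").lower()
        hidden = (_is_tiny(frame.get("width")) or _is_tiny(frame.get("height"))
                  or any(s in style for s in HIDDEN_STYLES))
        if hidden and host != page_host:
            hits.append(src)
    return hits


if __name__ == "__main__":
    print(suspicious_iframes(SAMPLE_HTML, "www.example.com"))
```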
Re: (Score:1)
Forgot to mention TOR blocks these kinds of redirects.
Re: (Score:3)
If the website redirects to an iframe (I thought these got phased out in like HTML4???)
You're thinking of framesets. Iframes are used far, far more now in conjunction with AJAXy stuff and embedding third-party crap than they were last decade.
More details on the exploit specifics? (Score:1)
Re: (Score:1)
Seriously though, this looks like the work of someone who found the root login prompt and then proceeded to guess/brute-force the password.
Re: (Score:2)
Already Fixed (Score:3, Informative)
Re: (Score:2)
Yea, as good an idea as it is to send more traffic to a hacked site, I appreciate /. handling. And since it's fixed and after 5 on the east coast that means a lot of dumb users won't deliberately go to a hacked site. That isn't to say the east coast is sub-prime, there's just a higher density.
Re: (Score:1)
just wanted to make a dirty joke about exposing mysql over the intern but it was lost.
Re: (Score:1)
Re: (Score:2)
Watch the video on the page, informative (Score:2)
I watched the video on the page, showing the step-by-step of the exploit working, and the trace of what it did.
Informative and interesting.
Seems if a person did _not_ have java enabled in their browser, then the attack would have failed.
Re:Watch the video on the page, informative (Score:5, Informative)
Re: (Score:2)
A while back, I decided I don't need java, adobe acrobat or flash on my work machines (too much attack surface).
Re: (Score:3)
A while back, I decided I don't need java, adobe acrobat or flash on my work machines (too much attack surface).
My philosophy is that you disable/uninstall everything and then switch it back on when you need it. Sometimes it is a pain, but it is better than browsing the net with a big "kick me" sign on your virtual back.
I found it strange that the Krebs on Security site linked in the summary would state that we should avoid using Java for security reasons, but then assume that we would be able to view an embedded youtube video on his page. Surely anyone interested in security would just link to the youtube page rather
Re: (Score:3)
You don't need java to view the youtube video, it uses javascript.
It actually required Adobe Flash in my browser. All I got was a black square because I locked down my security settings to only allow Flash on whitelisted sites.
I was not suggesting that YouTube uses Java, but that his comment was an indication that we should eliminate use of software with known security problems and that expecting his audience to run plug-ins on his site went against his advice. I should have been more clear about that point.
All he needed to do was include a link to the YouTube page along
Re: (Score:1)
That's odd, I was able to view the video in perfect webm just fine without having anything Adobe installed.
http://www.youtube.com/html5
Also, if you're on MS-Windows and using Oracle Java JRE, you can remove webstart and the netscape/msie plugins after install. To check, visit about:plugins [about] or Plugincheck [mozilla.org] Make sure jnlp files are opened with notepad and jar files with an archiver (or anything except "java.exe -jar"). Any programs written in Java you've installed will still work.
Re: (Score:2)
I'd assume someone as security conscious as you would have already opted in to the html5 trial on youtube.
Actually, I consider HTML5 video to be an immature and untrusted entity. The authors of browser plug-ins could not write secure code, so there is no reason that browser writers should not give us exploitable bugs too. Just because the video is part of the HTML language does not instantly make it safe.
It may prove to be fine eventually, but it is still something that I would not instantly trust to every single website I happen to come across. Besides, I prefer my webpages to stay still.
Re:Watch the video on the page, informative (Score:4)
Re: (Score:2)
Obligation (Score:5, Insightful)
The disclosure caught my eye because just a few days ago I saw evidence that administrative access to mysql.com was being sold in the hacker underground for just $3,000.
At what point should Mr. Krebs have felt some sort of obligation to inform the owners of mysql.com that their root login was being actively shopped?
Re: (Score:2)
When mysql.com's admins offer to pay him $3050 so he'd make a profit?
Re:Obligation (Score:4, Interesting)
As someone who's done ... even... gentle research. I hate to say...I resent the implication of your comment.
It's mysql, so they aren't exactly a bunch of clowns... but the moment you tell people--you get suspicion thrown on you. If you tell them anonymously, you get *even more* suspicion thrown on you. For further examples, you need only look at the classic tuttle/centos story: http://www.theregister.co.uk/2006/03/24/tuttle_centos/ . Now imagine what happens if you /actually/ report a real issue.
As somebody who feels *fortunate* to have not been investigated in the past due to no small measure of proxy use--I have to say...by asking Krebbs to disclose this, you're asking him to accept undue risk. The last time I reported a /large/ issue with a private server, the server I used was scanned within 50 minutes from IP's originating within the FBI. Sorry... fuck you all--there's no free advice given ever again.
Quite frankly, other people's problems aren't our job. They nearly aren't our business either save when they lie and advertise they're safe and there's a client curious, or we're looking to spot something... At which point they can pony up for the advice like every other consumer in the market.
TLDR: There is no obligation. It's at best a generous act of good will that most people really don't deserve anyway.
Re: (Score:1)
No, reporting the issue gets you assumed to be the problem and scanned by the FBI.
Re: (Score:2)
no, it's like a passer-by telling someone leaving their car that the door is unlocked, then getting stabbed by that person.
it's gotta be a car analogy.
also, don't confuse rape with software. it's sorta like Godwinning.
Re: (Score:2)
More like an adult male passerby noticing a young girl playing near a dangerously fast-flowing river, but choosing not to intervene because the risk of being accused of a child molester or attempted abductor is too great (tell her it's dangerous and to move away from the river, and she'd run off screaming to her distant parents that there's a big bad man trying to kidnap her). After that, good luck proving that she *would* have fallen in if he hadn't intervened.
Sadly, this exact scenario happened in the UK
One thing for sure... (Score:2)
inevitable (Score:2)
It was really just a matter of time before Oracle started trying to force MySQL users to move to their expensive proprietary solutions. It just happened a bit....What's that? ........
Oh, NEVERMIND!
Re: (Score:1)
The one where you need to add additional objects to the database just to auto-increment a fucking primary key?
MySQL hack... (Score:3, Funny)
Re: (Score:2)
Nah, that would be more appropriate if (just for example) Hibernates website was exploited via SQL injection.
SQL injection isn't generally regarded as a database flaw.
Re: (Score:2)
Yeah, but you'd think a database company with SQL in its name would be aware of common intrusion attempts using SQL.
Re: (Score:2)
SQL injection isn't generally regarded as a database flaw.
It should be. The design of SQL itself promotes injection attacks. A decently secure database wouldn't support plain-text SQL query strings as an API.
Even a simple S-expression translation of SQL using parentheses instead of quotes would be more secure, because you could verify that the parens balanced before accepting an expression. SQL's syntax is an artifact of the 1970s COBOL-era idea that "if a mathematical expression sort of looks halfway like English, it will be simple to use". In fact, it isn't, and
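The separation of query structure from data that the comment above asks for already exists in SQL APIs as parameterized queries. The following is an added example (not from the article or any commenter) showing the concatenated form beside the parameterized one against an in-memory SQLite table with constructed rows: the same tautology string returns every row through the first and nothing through the second.

```python
import sqlite3


def setup_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.executemany("INSERT INTO students VALUES (?)", [("Alice",), ("Bob",)])
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: the caller's string is spliced into the SQL text,
    so quote characters in it change the query's grammar, not just its data."""
    sql = "SELECT name FROM students WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Hardened form: the statement is fixed; the value is bound separately
    and can only ever be compared as a string, never parsed as SQL."""
    sql = "SELECT name FROM students WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups with a classic tautology input and return the results."""
    conn = setup_db()
    tautology = "x' OR '1'='1"
    return lookup_concat(conn, tautology), lookup_param(conn, tautology)


if __name__ == "__main__":
    concat_rows, param_rows = demo()
    print("concatenated:", concat_rows)   # every row leaks
    print("parameterized:", param_rows)   # no student is literally named that
```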
mysql.net (Score:1)
slashdot frenzy erupts in 3... 2... 1...