MySQL website hacked

Yikes. I feel like I’ve taken a severe leaning toward being a security reporter, but I can’t help it. Every day there seems to be yet another big story about how one of the core providers on the internet has been compromised. This week, it’s MySQL.

Considering that MySQL is used to power every second website, from Wikipedia through to Facebook, it’s pretty important that we know that it is able to keep its own website safe. Not so. Sadly, early this week the MySQL website was hacked and started redirecting users to a webpage serving malware. It is currently not clear how the site was initially compromised, but once it had been taken over, some JavaScript was installed on the site that used an iframe to hook into a BlackHole server, which hunts for vulnerabilities in client software. While the attack took advantage of out-of-date Adobe Flash and Adobe Acrobat Reader software, its greatest success seemed to be attacking vulnerable Java runtime environment software.

This should come as a massive blow to Oracle, which not only owns MySQL but is now also the proud owner of Java through its acquisition of Sun. Ironically, the BlackHole Exploit software used to carry out the attack makes use of a MySQL database itself. To be fair to Oracle, the response was quick and it appears that the malicious JavaScript code was only on the MySQL site for a number of hours before it was cleaned up. Oracle is still investigating the attack, but is keeping mum about what has actually happened. At this point we still don’t know what the malware actually does, but it seems that very few anti-virus products are picking up on any of the files that have been installed, and the exploit only seems to affect Windows PCs.

The attack on MySQL.com was first announced by Wayne Huang, the founder of Armorize Technologies, a company that specialises in web application security solutions. Huang has published an interesting video showing exactly how the site behaved while it was compromised. The frightening thing about it is that there is absolutely no indication on your system that any malicious activity is taking place. However, with the appropriate monitoring software, Huang is able to show all of the activity happening in the background.

Interestingly, this is the second time this year that the MySQL website has been hacked. Back in March, the site was hacked and after the attack, a list of usernames and passwords for the MySQL systems was posted online in a number of hacker forums. While these lists may have been used in this attack, it would be hard to believe that Oracle had not had all of these accounts updated immediately after the first attack. That said, last week on a Russian underground hacker forum, a hacker working under the alias of ‘sourcec0de’ announced that he had root access to the mysql.com webservers and was willing to sell it for around US$3 000.

Along with published screenshots that certainly appear to show that his claims were genuine, the hacker was at pains to point out that the site gets nearly 12-million visitors per month and around 400 000 per day. It is the perfect target to deliver a malicious payload to hundreds of thousands of users at a time. Whether the offer put out by ‘sourcec0de’ was actually taken up, or whether it was just coincidental timing, it is clear that Oracle does not have full ownership of their webservers.
