In association with heise online

27 September 2011, 10:41 hacked to serve malware

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

MySQL logo Security firm Armorize reports that Oracle's web site was hacked to serve Windows malware on 26 September. The attackers modified the JavaScript file "common/js/s_code_remote.js" on the server; this file is downloaded with all pages on The modified version created an iFrame which then loaded the "Blackhole exploit pack". The exploit pack in turn uses vulnerabilities in older browsers or unpatched versions of Flash Reader and Java to compromise Windows systems and allow the installation of back-doors, bots and other contaminants.

The problem was noted at 1pm UK time and was cleaned up by 7pm the same day. How long the malware was online is unknown; Oracle is still investigating and is yet to comment on the breach. The MySQL site has around 400,000 visitors every day and so it is likely that several thousand users will now have infected systems.

According to security journalist Brian Krebs and Trend Micro, access credentials for a root account on the MySQL servers appeared to have been offered last week on Russian underground forums for $3,000. The seller, going by the name 'sourcecOde', had posted evidence that he had root access to the servers. Whether this was how the malware poisoners gained access or if there was another route to compromising the servers is currently unknown.

This is the second security incident this year on the MySQL site; in March a hacker was able to access data using an SQL Injection vulnerability.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit