The Latest in IT Security

MySQL.com hacked, serves malware

27
Sep
2011

Update: mysql.com appears to be clean now (they replaced the script that contained the malicious code).

Popular website mysql.com has been hacked and is serving malware.

Here is the sequence of events viewed from Fiddler (highlighted are the malicious parts):

The hacker(s) modified a legitimate javascript and injected some malicious code into it.

Even though the name of its javascript sounds suspicious (s_code_remote.js), it belongs to the SiteCatalyst plugin from Omniture:

View of the legit javascript plugin

Here is the compromised version:

The script calls:

falosfax.in/info/in.cgi?5&ab_iframe=1&ab_badtraffic=1&antibot_hash=489613682&ur=1&HTTP_REFERER=http://mysql.com/

(Note the use of the referrer).

falosfax.in is a server whose IP address (212.95.63.201) is located in Germany.

Final delivery is the BlackHole exploit kit itself from: truruhfhqnviaosdpruejeslsuy.cx.cc/main.php

Please use extreme caution and stay clear off mysql.com while they fix the issue.

Jerome Segura

Leave a reply


Categories

THURSDAY, SEPTEMBER 19, 2019
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments

Social Networks