MySQL.com, the official website of Oracle's open source database project, was left pushing malware on to its visitors last night following an attack by persons unknown.
The infection, first spotted by security service Armorize, attempted to infect visitors with a Trojan via the 'BlackHole' exploit pack, a powerful tool which scans visiting browsers for known vulnerabilities before exploiting them to plant its payload.
"It exploits the visitor's browsing platform, and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge," the company wrote (opens in new tab) in its analysis of the infection. "The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection."
Former Washington Post staffer turned security writer Brian Krebs believes that the attack comes from someone other than the discoverer of the security flaw used to inject the malicious content. "The disclosure caught my eye because just a few days ago I saw evidence that administrative access to MySQL.com was being sold in the hacker underground for just $3,000," he claims in a blog post (opens in new tab).
"Late last week, I was lurking on a fairly exclusive Russian hacker forum and stumbled upon a member selling root access to mysql.com," Krebs claims. "As part of his pitch, which was published on the criminal forum Sept. 21, the seller called attention to the site’s daily and monthly stats, and posted screen shots of a root login prompt in a bid to prove his wares."
Those claims are backed up by research carried out by security firm Trend Micro (opens in new tab), which claims it too had witnessed the offer to sell full access to the MySQL.com site for $3,000. Tellingly, it claims to have alerted the website's maintainers about the post a week ago, only to receive no response.
The cracker thought to be responsible for selling access to MySQL.com, known only by the handle 'sourcec0de,' is believed to have previously sold login details for stolen PayPal accounts on the same site.
The offending malware has since been booted from MySQL.com, after an infectious period stretching up to around seven hours, during which time the site is thought to have received between 100,000 and 150,000 visitors. The attack is not thought to have introduced any backdoors into the project's source code.