
Root access to MySQL.com sold for $3k - now serving malware - michiel3
http://krebsonsecurity.com/2011/09/mysql-com-sold-for-3k-serves-malware/
======
pilsetnieks
From the article: "The ultimate irony of this attack is that the owner of
mysql.com is Oracle Corp., which also owns Java, a software suite that I have
often advised readers to avoid due to its numerous security and update
problems."

Seriously, I'm not a fan of Java, but still, a software suite?

Anyway, it's quite hard taking that article seriously after that.

~~~
pnathan
Java has security problems? That is surprising to me.

I have always considered it a relatively secure platform... am I so wrong?

~~~
gojomo
Did you update all your Java installations – client and server – to at least
Java 6 update 26 in June 2011?

There were a dozen "unauthorized Operating System takeover including arbitrary
code execution" bugs fixed at that time, some exploitable via untrusted
applets, others via tricking server installs to submit certain data to
standard APIs:

[http://www.oracle.com/technetwork/topics/security/javacpujun...](http://www.oracle.com/technetwork/topics/security/javacpujune2011verbose-313350.html)

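An added check (editorial example, not part of gojomo's comment or of Oracle's advisory): a POSIX shell function that parses the banner printed by `java -version` and reports whether it meets the Java 6 update 26 baseline cited above. It assumes the classic Sun/Oracle `1.6.0_26` version-string format (Java 9 and later, which use a `11.0.2`-style string, are treated as newer than any 1.x release); the sample banners are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: does a `java -version` banner report at least Java 6 update 26?
# Assumes the "1.<minor>.0_<update>" version scheme used by Sun/Oracle JDKs
# through Java 8; a leading major other than 1 (Java 9+) is treated as newer.

# java_version_ok BANNER MIN_MINOR MIN_UPDATE
# BANNER is the full text of `java -version 2>&1`. Returns 0 when the
# reported version is >= 1.MIN_MINOR.0_MIN_UPDATE, 1 otherwise (an
# unparseable banner is treated as not OK, so it cannot pass by accident).
java_version_ok() {
    banner=$1
    min_minor=$2
    min_update=$3

    # Pull the quoted version out of the first line, e.g. 1.6.0_26.
    ver=$(printf '%s\n' "$banner" | sed -n 's/^.*version "\([^"]*\)".*$/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1

    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    # Update number follows the underscore; absent means update 0.
    update=$(printf '%s' "$ver" | sed -n 's/^[0-9]*\.[0-9]*\.[0-9]*_\([0-9]*\).*$/\1/p')
    [ -n "$update" ] || update=0

    # Reject anything that is not purely numeric before doing arithmetic.
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac

    # Java 9+ dropped the leading "1."; any such release postdates Java 6.
    [ "$major" -eq 1 ] || return 0

    if [ "$minor" -gt "$min_minor" ]; then return 0; fi
    if [ "$minor" -lt "$min_minor" ]; then return 1; fi
    [ "$update" -ge "$min_update" ]
}

# Constructed sample banners (not captured from a real machine).
OLD_BANNER='java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b07)'
NEW_BANNER='java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-b03)'

# Check the JRE actually on PATH; prints a one-line verdict.
check_local_java() {
    if banner=$(java -version 2>&1); then
        if java_version_ok "$banner" 6 26; then
            echo "OK: $(printf '%s\n' "$banner" | head -n 1)"
        else
            echo "OUTDATED: $(printf '%s\n' "$banner" | head -n 1)"
        fi
    else
        echo "java not found on PATH"
    fi
}
```

Run `check_local_java` on each host; remember that a client and a server may carry different JREs, and that the browser plugin may load a JRE other than the one first on PATH, so check each installation rather than just the shell's default.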
~~~
ldite
I've had the Java plugin disabled in Firefox for a long time now. On the very
rare occasions I need it, you can re-enable it without restarting the browser
(unlike extensions).

------
ahi
It seems like they could have done a lot more damage than just serving browser
malware. How many mysql installs could they have rooted?

~~~
jimrandomh
I think the point was that most of the visitors to mysql.com are developers
and system administrators, and compromises to their machines can probably be
leveraged into compromises of other sites. I doubt we've heard the last of
this.

~~~
lallysingh
The problem is, how do you both

(1) Avoid obvious detection in the compromised software?

(2) Put in something that you can actually use for exploits? You have access
to many hosts, but how many different configurations are there?

The only thing I can think of is have profiles for several popular packages
(e.g. wordpress), and package-specific behavior for them.

------
numlocked
The Armorize screencast embedded in the article is really wonderful. It's
concise, full of information, and clear enough to duplicate the steps on your
own. A nice 5-minute detective story.

------
0x12
This whole mysql saga was an excellent reminder to turn Java off again. I'd
enabled it a few weeks ago for a site that I simply had to use and then
promptly forgot to disable it afterwards.

~~~
greenyoda
If you use Firefox, the NoScript add-on has the option to block Java applets
from any sites that you haven't specifically marked as being trusted. It can
also block unwanted JavaScript, Flash, Silverlight and other plugins.
(<http://noscript.net>)

------
ashmud
Without actually registering on the site to verify, it looks like that's the
Exploit.IN forum.

------
jpdoctor
I've never seen a $$ number associated with these things, but really? Only
$3K?

Apparently, I would have overbid if I were in the market for such things.

~~~
mattdeboard
Well, it may be that the frightening reality is such that supply is so
abundant that a single site with 12m dailies doesn't demand the prices one
might expect.

edit: 12m monthlies, sorry.

~~~
0x12
Mysql.com has nowhere near 12m daily uniques.

~~~
mattdeboard
Right you are, thanks.

------
fragsworth
Why is it that Flash is so exploitable? The web is rampant with Flash exploits
and Adobe seems to do nothing about it.

~~~
skeletonjelly
Because plugins run under their own process. Not subject to the sandboxing
you'd find in Chrome/Safari for instance. Plugins are given pretty high trust.

~~~
ams6110
I always browse with all plugins and java disabled. If a site uses Flash, I
typically will just move on unless it's something absolutely essential to what
I'm doing. Surprising how many sites that use Flash don't have any usable
fallback for clients that don't support it or have it disabled.

I don't think I've come across a Java applet in the last 5 years. I see NO
need to allow Java in the browser unless it's for a trusted, internal-use
application.

~~~
skeletonjelly
Good move. I suppose the most vulnerable are those driving desks who are forced
to use IE7, a Standard Operating Environment that runs these plugins, or some
internal business application that requires them.

------
mkopinsky
I went to mysql.com this morning and Symantec popped up with a "malware
detected" message. Do we know which browsers are vulnerable, and how to tell
whether I'm infected?

~~~
alex_c
This link lists the AV packages that can currently detect the installed
malware:

[https://www.virustotal.com/file-scan/report.html?id=d761babc...](https://www.virustotal.com/file-scan/report.html?id=d761babcb55d21b467dd698169c921995bf58eac5e9912596693fee52c8690a1-1317072568)

~~~
michiel3
Well, currently the malware itself is not detected. OK, some anti-virus
solutions detect the piece of malware as suspicious or as a packed executable
(which is suspicious, of course). But those detections are just based on the
inner workings of the executable or how it behaves. It's not being detected by
anti-virus definitions; it will be a matter of time before anti-virus
providers add definitions for this piece of malware.

------
oblu
<http://exploit.in/forum/>

------
naughtysriram
Great..! Now nobody will visit the MySQL page and the download numbers will go
down significantly. Yet another way to kill a community product!!

~~~
viraptor
In reality - how many people actually downloaded it from the website, rather
than running "{yum/apt-get} install mysql-server"? The documentation is a
different issue - probably much more popular than downloads themselves.

