Tuesday, 27. September 2011
Mysql.com Hacked
How Does the Injection Work


Step 1: http://www.mysql.com

Causes the visiting browser to load the following:


Step 2: http://mysql.com/common/js/s_code_remote.js?ver=20091011 ( Don't Visit Now )

This is the injection point. You can find the entire content of the .js file here.


The Infection Section
http://4.bp.blogspot.com/-WSOXkhEDLQU/ToCO-q6jLkI/AAAAAAAACfU/abyQ5I7fqus/s1600/mysql%2Bhacked%2Bserving%2Bmalware%2B2.png



Step 3: http://falosfax.in/info/in.cgi?5&ab_iframe=1&ab_badtraffic=1&antibot_hash=1255098964&ur=1&HTTP_REFERER=http://mysql.com/

Returns a 302 redirect to Step 4.

Step 4: http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php

This domain hosts the BlackHole exploit pack. It exploits the visitor's browsing platform (the browser, browser plugins such as Adobe Flash and Adobe PDF, Java, ...) and, upon successful exploitation, permanently installs a piece of malware on the visitor's machine without the visitor's knowledge. The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.
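The four steps above leave a recognizable trail in web-proxy logs: a request referred by the trusted site goes to an unrelated host, which answers with a 3xx pointing at a third host that the client then fetches. The following is an added detection sketch, not code from the original post or from Armorize; the five-column log layout, the client addresses and the log lines themselves are constructed, and the Step 3 query string is shortened.

```python
# Added example: reconstruct a drive-by redirect chain from web-proxy logs.
# The log layout and every log line below are constructed for illustration.
from urllib.parse import urlsplit

# Columns (assumed): client, status, url, referer, Location header ("-" = none)
SAMPLE_LOG = """\
10.0.0.5 200 http://www.mysql.com/ - -
10.0.0.5 200 http://mysql.com/common/js/s_code_remote.js?ver=20091011 http://www.mysql.com/ -
10.0.0.5 302 http://falosfax.in/info/in.cgi?5&ab_iframe=1 http://mysql.com/ http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php
10.0.0.5 200 http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php - -
10.0.0.9 200 http://www.mysql.com/ - -
10.0.0.9 200 http://mysql.com/common/js/s_code_remote.js?ver=20091011 http://www.mysql.com/ -
"""

def host(url):
    return (urlsplit(url).hostname or "").lower()

def same_site(h, site):
    return h == site or h.endswith("." + site)

def find_chains(log_text, site):
    """Return {client: [hosts...]} for clients that were sent from `site`
    to an off-site host that answered 3xx to yet another off-site host,
    and that then fetched the redirect target."""
    flagged = {}
    pending = {}  # client -> (chain so far, URL the redirect points to)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, status, url, referer, location = line.split()
        h = host(url)
        # Second hop: the redirect target is actually fetched.
        if client in pending and url == pending[client][1]:
            flagged[client] = pending.pop(client)[0] + [h]
            continue
        # First hop: off-site request referred by the trusted site, answered
        # with a 3xx whose Location is on a different off-site host.
        if (referer != "-" and same_site(host(referer), site)
                and not same_site(h, site) and status.startswith("3")
                and location != "-" and host(location) not in ("", h)
                and not same_site(host(location), site)):
            pending[client] = ([host(referer), h], location)
    return flagged

if __name__ == "__main__":
    for client, chain in find_chains(SAMPLE_LOG, "mysql.com").items():
        print(client, " -> ".join(chain))
```

A client is flagged only once it has fetched the redirect target, so a request blocked at the first off-site hop stays in `pending` and is not reported as a completed chain.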

Source
http://blog.armorize.com/2011/09/mysqlcom-hacked-infecting-visitors-with.html
