mysql.com is hacked and is currently serving malware to visitors , says the report by armorize .The company have detected the malware using their malware monitoring platform called HackAlert . The mysql.com website is injected with a script that generates an iFrame that redirects the visitors to http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php , where the BlackHole exploit pack is hosted.
How Does The Injection Works
Step 1: http://www.mysql.com
Causes the visiting browser to load the following:
Step 2: http://mysql.com/common/js/s_code_remote.js?ver=20091011 ( Don't Visit Now )
This is the injection point. you can find the entire content of the .js file here.
The Infection Section '
Step 3: http://falosfax.in/info/in.cgi?5&ab_iframe=1&ab_badtraffic=1&antibot_hash=1255098964&ur=1&HTTP_REFERER=http://mysql.com/
Shows out a 302 redirect to Step 4.
Step 4: http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php
This domain hosts the BlackHole exploit pack. It exploits the visitor's browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, ...), and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge. The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.
Sucuri Security researchers have also confirmed this and according to them " the site has been compromised via JavaScript malware that "infects a web site through a compromised desktop (with virus), where it steals any stored password from the FTP client and uses that to attack the site."
[Source]
No comments:
Post a Comment