According to security firms, visiting the home page of the website has been triggering a Java exploit that downloads and executes malicious code on visitors' Windows computers.
The code then redirected visitors through a third-party domain.
“This domain hosts the BlackHole exploit pack. It exploits the visitor’s browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, …), and upon successful exploitation, permanently installs a piece of malware into the visitor’s machine, without the visitor’s knowledge,” say researchers at security firm Armorize.
“The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.”
With the company clocking up as many as 12 million visitors a month, that leaves a lot of people vulnerable.
MySQL.com’s already fallen victim to a hack once this year, with hackers exploiting an SQL injection vulnerability to expose usernames and poorly chosen passwords.
“Inevitably there will be speculation that a similar vulnerability may have allowed hackers access to the website on this occasion too,” suggests Graham Cluley of Sophos.
“For a website to suffer one hack may be regarded as a misfortune. To suffer twice in less than a year begins to look like carelessness.”
Trend Micro says it may have some light to shed on how the hackers got access. Recently, says senior threat researcher Maxim Goncharov, the company noticed a member of a Russian underground forum offering root access to some of the cluster servers of mysql.com and its subdomains, at $3,000 a pop.