MySQL.com Hacked, Turned to Serving Malware


MySQL.com Hacked, Turned to Serving Malware

#1

Post by vikyzhang » 2011-09-27 9:33


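This really is embarrassing. MySql.com was hacked (it has since been fixed) and turned into a platform serving malware that compromises the users who trust it. The criminals did this by injecting a script that redirected visitors to a website using the BlackHole exploit pack, which probes the browser platform the visitor is using and launches a matching exploit. Only a few days earlier, computer security blogger Brian Krebs had seen root access to MySql.com offered for sale online for $3000.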

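Armorize (阿码科技) was the first to describe the whole intrusion in detail, and in considerable detail at that, including code samples and so on. Broadly, a script redirects the visitor to a website that uses the BlackHole exploit pack.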

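"(The BlackHole exploit pack) probes the visitor's browsing platform (the browser, browser plugins such as Adobe Flash, Adobe PDF, etc., and Java ...); after probing succeeds, it permanently installs a piece of malware on the visitor's machine without the visitor's knowledge," Armorize explains. "The visitor does not need to click or confirm anything; simply visiting mysql.com with a compromised browsing platform results in infection."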

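This malware was detected by only a small number (4/44) of security software packages. What exactly the malware does remains a mystery. At least I don't know yet, and nobody has mentioned what it does.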

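Very interesting. A few days ago, Krebs noticed that on an exclusive Russian hacker forum, someone going by the name 'sourcecode' was offering root access to MySQL.com (see the attached image). As a site with 12 million visitors per month, MySQL.com is a very lucrative target. The hacked version of MySQL.com lasted seven hours, meaning 12000 users were exposed to the BlackHole exploit pack.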

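"The ultimate irony of this attack is that the owner of MySql.com is Oracle. The company also owns Java, a software suite I often advise readers to avoid as far as possible. The suite has numerous security and update problems," Krebs explains. "As I have explained in several blog posts, Java exploits are the single most effective attacks used by exploit kits such as BlackHole; currently, four of BlackHole's nine exploits target Java vulnerabilities."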

Still, I need Java to play Minecraft. That is why I am pleading so earnestly here.

If you are curious about the whole process by which users who trusted MySql.com were redirected to the compromised site, Armorize has posted a video (http://www.youtube.com/embed/J7prODlHniU?rel=0) showing what happened.

[Image: root access to mysql.com offered for sale]

Please credit when reposting: translated and compiled by Linux人社区 English News Translation


Original English text:
MySQL.com Hacked to Serve Malware
posted by Thom Holwerda on Mon 26th Sep 2011 22:25 UTC, submitted by HAL2001
Well, this is embarrassing. MySQL.com has been hacked (fixed by now), and was turned into a platform serving malware to unsuspecting visitors. The criminals did this by injecting a script which redirected visitors to a website which uses the BlackHole exploit pack, which probes the browser used and serves up an appropriate exploit. Computer security blogger Brian Krebs saw root access to MySQL.com being offered for $3000 only a few days ago.
Armorize was the first to detail how the exploit works - and in quite some detail, too, including code samples and such. Basically, a script redirects the visitor to a website which hosts a BlackHole exploit pack.
"[The BlackHole exploit pack] exploits the visitor's browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, ...), and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge," Armorize explains, "The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection."
This piece of malware is only detected by a small number of security software packages (4 out of 44). What, exactly, the malware does is a mystery - and by that I mean a mystery to me, since nobody seems to mention what it does.
Interestingly enough, a few days ago, Krebs noted that on an exclusive Russian hacker forum, someone by the nickname of 'sourcecode' offered root access to MySQL.com, which is a very lucrative site to attack due to its 12 million visitors per month. The hacked version of MySQL.com was up for seven hours, meaning 12000 visitors were exposed to the BlackHole exploit pack.
"The ultimate irony of this attack is that the owner of mysql.com is Oracle Corp., which also owns Java, a software suite that I have often advised readers to avoid due to its numerous security and update problems," Krebs notes, "As I've noted in several blog posts, Java exploits are the single most effective attacks used by exploit kits like BlackHole; currently, four out of nine of the exploits built into BlackHole attack Java vulnerabilities."
Well, I need Java for Minecraft. So there.
In case you're curious to see what happened when an unsuspecting user browsed to the compromised site, Armorize has posted a video showing what happened.
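Editor of the Linux人社区 open-source news translation board. Translations are drawn from the latest English-language open-source news on the internet, bringing you the fastest and most faithful coverage of open-source industry developments, software updates, useful skills and more. Corrections for any shortcomings are welcome!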

Re: MySQL.com Hacked, Turned to Serving Malware

#2

Post by 月下叹逍遥 » 2011-09-27 9:54

Oh...
Of life's fleeting seventy years, thirty are now gone; what sorrow lies ahead, none can know

Re: MySQL.com Hacked, Turned to Serving Malware

#3

Post by yaozuo3292 » 2011-09-27 10:06

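The malware that gets installed is probably aimed at the Windows platform, right?
Here's to the crazy ones.
They go their own way,
they are defiant,
they stir up trouble,
they don't fit in,
they see things differently,
they are not fond of following the rules,
and they are unwilling to settle for the status quo.

You can praise them, quote them, disagree with them,
question them, glorify or vilify them,
but the one thing you cannot do is ignore them.
Because they change things.
They push the human race forward.

Perhaps they are madmen in the eyes of others,
but in our eyes they are geniuses.

Because only those who are crazy enough to think they can change the world
are the ones who truly change it.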

Re: MySQL.com Hacked, Turned to Serving Malware

#4

Post by jadeity » 2011-09-27 10:12

I don't really understand it, but it sounds impressive.
PS: The signature in post #3 is a bit too long, isn't it..