Analysis: How MySQL.com and Sun.com got hacked

Hackers broke into the MySQL.com and Sun.com websites using, of all things, a SQL injection technique

There are lots of red faces at Oracle this morning, as two of its sites, MySQL.com and Sun.com, were pwned over the weekend by veteran Romanian extremely-dark-gray-hat hacker TinKode and sidekick Ne0h. The sites were the victims of an as-yet-unidentified "blind" SQL injection technique -- the exact type of attack you'd think the devs and admins at MySQL would know how to protect against. Apparently, you'd be wrong.

Here's how it happened: Early on Sunday morning, Jackh4xor sent a message to the Full Disclosure mailing list explaining that MySQL.com was "vulnerable to blind SQL injection vulnerability." The message lists the target site as the MySQL.com customer view page. There's an impressive roster of databases, tables, and fields swiped from the MySQL.com site, as well as a short collection of usernames and passwords, both in their encrypted and unencrypted forms.

Shortly after, a lengthy listing claiming to come from TinKode and Ne0h at Slacker.Ro in Romania appeared on Pastebin. TinKode (or more accurately, someone using the handle TinKode) has been, uh, credited with cracking into a U.S. Army site, Eset, NASA, the U.K. Ministry of Defense, Reuters, and others. TinKode also calls Jackh4x0r "our friend," and he claims that he and Ne0h found the offending vulnerability in January.

TinKode's listing includes several key usernames, such as "sys" and "sysadm," alongside their cracked passwords -- most likely extracted from the encrypted passwords using rainbow tables. The password for sys is "phorum5"; for sysadm, it's "qa." Apparently some of the site admins couldn't be bothered with complex passwords.

The MySQL.com site includes several WordPress blogs (WordPress runs on MySQL), and TinKode and Ne0h were kind enough to tell the world the IDs and passwords that go along with many of them. The former MySQL director of project management (who hasn't updated his blog since June 2009) had a username of "admin" and a password of "6661." The former VP of community relations (who's not blogged since January 2010) also ran with a username of "admin," accompanied by a password of "grankulla." I guess the higher-ups had trouble with complex passwords, as well.

Worth noting: MySQL.com wasn't hacked with purloined or guessed passwords. TinKode and Ne0h broke in with a blind SQL injection, targeting the interface, not the database. TinKode also claims to have pwned MySQL.fr, MySQL.it, jp.MySQL.com, and MySQL.de.

TinKode's description of the Sun.com crack seems anticlimactic, with a list of pillaged tables and fields, along with a handful of email addresses, but no passwords. It isn't clear if they didn't find passwords, if they just neglected to pass them on, or if they're holding onto them for further nefarious ends. It also isn't clear if Sun.com fell to the same injection technique used on MySQL.com.

Quis custodiet ipsos custodes? These days, it's hard to tell.

This article, "Analysis: How MySQL.com and Sun.com got hacked," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow InfoWorld.com on Twitter.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies