Allow me to point out a little bit of irony in this headline... a website for one of the more popular open-source database alternatives gets completely compromised using blind SQL Injection. Ouch.
Someone going by the moniker "Jack Haxor" posted this to the Full Disclosure mailing list just a little while ago... giving a nice explanation of what's happened and more importantly where the vulnerable target page is (customers/view/index.html) so others can go and play for themselves.
The hacker claiming responsibility, calling himself 'TinK0de', keeps a pretty good blog of his activities (here) - and you can read about his exploits (pun intended).
MySQL has (as of this writing) not issued a statement yet... which probably means they're scrambling to close up and clean up the mess... whatever that mess may be.
Did the attacker get into anything more than just the databases behind the website? Maybe we'll know, maybe we won't - but this is at the very least very unsettling for the open-source database organization.
Hopefully they have clean, check-summed backups, right?
Oh, and if you're interested in seeing the handiwork that resulted from this compromise... check out this pastebin.com link... I swear I had nothing to do with that rabbit/hat graphic.
Some take-aways from this one...
- Never re-use passwords across too many websites of different security levels
- Use complex pass-phrases as much as possible so they're harder to crack
- Back up, then check-sum your backups and keep them offline in case you need a restore point
- Hiding the SQL error from an attacker will still get you compromised (blind SQL injection)
- Check your code... attackers don't sleep, and won't spare you just because you're an open-source, charitable project
- It can happen to anyone, anywhere at any time
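To make the blind SQL injection take-away concrete, here is an added example (not code from the post or from MySQL.com) showing why hiding the database error is no fix: a page that only answers "found" or "not found" still leaks one bit per request, while a parameterized query closes the channel. The `customers` table and its rows are constructed for the demo and have nothing to do with the real site's schema.

```python
import sqlite3

# Constructed demo data: a tiny stand-in for a site's customers table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [(1, "acme"), (2, "globex")])
    return conn

def view_customer_vulnerable(conn, customer_id):
    """Concatenates user input into the SQL and swallows every error.
    Suppressing the error text does not remove the vulnerability: the
    response still differs for true and false conditions, which is exactly
    the signal a boolean-based blind injection relies on."""
    try:
        row = conn.execute(
            f"SELECT name FROM customers WHERE id = {customer_id}").fetchone()
    except sqlite3.Error:
        return None                     # generic failure, no SQL error shown
    return row[0] if row else None

def view_customer_fixed(conn, customer_id):
    """Hardened version: validate the expected type, then bind the value as a
    query parameter so it can never be parsed as SQL."""
    try:
        cid = int(customer_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute("SELECT name FROM customers WHERE id = ?",
                       (cid,)).fetchone()
    return row[0] if row else None

def leaks_oracle(view):
    """Regression check a developer can run against a handler: if two inputs
    that differ only in an appended truth condition yield different responses,
    a blind (boolean) channel exists even with errors hidden."""
    conn = make_db()
    return view(conn, "1 AND 1=1") != view(conn, "1 AND 1=2")
```

Running `leaks_oracle` against both handlers shows the concatenating version leaking despite its silent error handling, and the parameterized version treating the whole string as an invalid id.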
Update: A Twitter colleague just pasted me this link to another pastebin. Ouch again. It appears as though this is from an intrusion into Sun.com itself?
Let's put a few puzzle pieces together here... MySQL is owned by Oracle. Sun is owned by Oracle too.
Maybe they're hosted on a common database platform... oh that would surely spell trouble, wouldn't it?