A security firm revealed today that mysql.com, the central repository for widely-used Web database software, was hacked and booby-trapped to serve visitors with malicious software. The disclosure caught my eye because just a few days ago I saw evidence that administrative access to mysql.com was being sold in the hacker underground for just $3,000.

Web security firm Armorize stated in its blog that mysql.com was poisoned with a script that invisibly redirects visitors to a Web site that uses the BlackHole exploit pack , an automated exploit toolkit that probes visiting browsers for a variety of known security holes.

“It exploits the visitor’s browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, …), and upon successful exploitation, permanently installs a piece of malware into the visitor’s machine, without the visitor’s knowledge,” say the researchers. “The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.”

Late last week, I was lurking on a fairly exclusive Russian hacker forum and stumbled upon a member selling root access to mysql.com. As part of his pitch, which was published on the criminal forum Sept. 21, the seller called attention to the site’s daily and monthly stats, and posted screen shots of a root login prompt in a bid to prove his wares.

The seller, ominously using the nickname “sourcec0de,” points out that mysql.com is a prime piece of real estate for anyone looking to plant an exploit kit: It boasts nearly 12 million visitors per month — almost 400,000 per day — and is ranked the 649th most-visited site by Alexa (Alexa currently rates it at 637 ).

He offered to sell remote access to the first person who paid him at least USD $3,000, via the site’s escrow service, which guarantees that both parties are satisfied with the transaction before releasing the funds.

The ultimate irony of this attack is that the owner of mysql.com is Oracle Corp., which also owns Java, a software suite that I have often advised readers to avoid due to its numerous security and update problems. As I’ve noted in several blog posts, Java exploits are the single most effective attacks used by exploit kits like BlackHole: Currently, four out of nine of the exploits built into BlackHole attack Java vulnerabilities.

Of course, the apparent criminal sale of mysql.com and the subsequent compromise of the site could be just a coincidence. Armorize’s Wayne Huang said the infection was cleaned up not long after the company published its blog post. Huang said it’s not clear how long mysql.com had been compromised, but that it appears the malicious scripts were injected into the site sometime within the last seven hours. If that’s accurate, that was enough time for approximately 120,000 Internet users to browse the site and expose their systems to the exploit kit.

“From our experience, the infection rate is usually pretty high for these drive-by download infections,” Huang said.

Armorize has published a YouTube video (below) that shows what happened when an unpatched browser visited mysql.com during the time it was infected with the drive-by exploit.

Mysql.com has been hacked and is currently serving malware, Armorize warns.

The company has detected the compromise through its website malware monitoring platform HackAlert, and has analyzed how the compromise of the site's visitors unfolds.

The mysql.com website is injected with a script that generates an iFrame that redirects the visitors to http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php, where the BlackHole exploit pack is hosted.

"It exploits the visitor's browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, ...), and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge," say the researchers. "The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection."

What type of malware is served is still unknown, but the worrying thing is that currently only 9 percent of the AV solutions used by VirusTotal block it.

It is, of course, impossible to say who the attackers are. The domain reached through the iFrame is registered to one Christopher J Klein from Miami and is located in Berlin, Germany. The domain serving the exploit and the malware is located in Stockholm, Sweden.

The administrators of the mysql.com domain are being contacted, but the site is still up and compromised, say the researchers.

According to Sucuri Security researchers, the site has been compromised via JavaScript malware that "infects a web site through a compromised desktop (with virus), where it steals any stored password from the FTP client and uses that to attack the site."

Trend Micro researchers add that they have recently discovered a denizen of a Russian underground forum selling root access to some of the cluster servers of mysql.com and its subdomains, asking at least $3,000 for each access, and that they have notified mysql.com administrators of their discovery a week ago.