A server at the Massachusetts Institute of Technology (MIT) was being used to serve up attacks in a coordinated drive-by download campaign, according to research done by anti-virus firm Bitdefender.
According to a post on the company's Malware City blog, a server named CSH-2.MIT.EDU is hosting a script that scans the web for vulnerable websites, specifically those running an out-of-date version of phpMyAdmin. Versions 2.5.6 through 2.8.2 of the popular MySQL administration tool are at risk.
As discovered by researcher Doina Cosovan, once the script finds a vulnerable installation, it attempts to inject a malicious SQL query into the database, planting a folder titled “muieblackcat” and then possibly overloading the server entirely.
In an interview with IDG, Bitdefender spokeswoman Loredana Botezatu said the campaign began in June and has hit 100,000 websites since then, although it no longer appears to be attacking sites.
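The scanning behaviour described above leaves a recognisable footprint in a web server's access log: one source hitting a run of phpMyAdmin-style paths, most of them answered with 404. The Python below is an added example, not code from the article, Bitdefender, or MIT. It flags source IPs that probe several such paths (including the "muieblackcat" path the article mentions) and checks whether a given phpMyAdmin version falls in the 2.5.6 to 2.8.2 range the article names. The log lines are constructed, and the probe paths other than "muieblackcat" are assumed common scanner targets rather than anything the article states.

```python
import re
from collections import defaultdict

# Version range the article reports as at risk: phpMyAdmin 2.5.6 through 2.8.2.
AT_RISK_MIN = (2, 5, 6)
AT_RISK_MAX = (2, 8, 2)

# Combined-format access log line (Apache/nginx style).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths a scanner would probe. "/muieblackcat" comes from the article; the
# phpMyAdmin directory names are assumed common scanner targets (not from the article).
PROBE_PATTERNS = [
    re.compile(r'^/muieblackcat(/|$)', re.I),
    re.compile(r'^/(phpmyadmin|pma|myadmin|mysql|phpma)(/|$)', re.I),
]

# Constructed sample log (TEST-NET addresses; not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2011:03:21:04 +0000] "GET /muieblackcat HTTP/1.1" 404 169 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2011:03:21:05 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 169 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2011:03:21:05 +0000] "GET /pma/ HTTP/1.1" 404 169 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2011:03:21:06 +0000] "GET /myadmin/ HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jul/2011:03:25:10 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jul/2011:03:25:12 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
"""


def parse_version(s):
    """Turn a dotted version string such as '2.8.0.2' into a tuple of ints."""
    return tuple(int(part) for part in s.strip().split("."))


def is_at_risk(version):
    """True if the phpMyAdmin version lies in the 2.5.6..2.8.2 range (inclusive)."""
    return AT_RISK_MIN <= parse_version(version) <= AT_RISK_MAX


def find_scanners(log_text, threshold=3):
    """Return {ip: sorted probe paths} for sources hitting at least `threshold`
    distinct probe paths. A single request to /phpmyadmin/ is normal admin use;
    a burst of different admin-path guesses from one source is scanning."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m.group("path")
        if any(p.search(path) for p in PROBE_PATTERNS):
            hits[m.group("ip")].add(path)
    return {ip: sorted(paths) for ip, paths in hits.items() if len(paths) >= threshold}


if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(f"probable scanner {ip}: {', '.join(paths)}")
    for v in ("2.5.5", "2.6.0", "2.8.2", "2.11.9.6"):
        print(f"phpMyAdmin {v}: {'at risk' if is_at_risk(v) else 'outside reported range'}")
```

Run against a real log, the threshold and the path list are the two knobs to tune: a lower threshold catches quieter scanners at the cost of flagging admins who mistype the path, and extra directory names can be added as new probe patterns show up.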
Calls to MIT for comment were not immediately returned on Thursday.
Security service Zscaler found that some pages under MIT's domain were compromised in January, after they were found to be redirecting visitors to bogus websites.
Because educational (.edu) sites are commonly viewed as trustworthy, traffic from them, including traffic from hijacked servers, is much more likely to pass through filters and be classified as legitimate.