
UC Berkeley computers hacked, 160,000 at risk


roddierod
May 11th, 2009, 19:08
Article (http://news.cnet.com/8301-1009_3-10236793-83.html?tag=nl.e703)

I'd like to know who put the secured databases on a public web server!!

I'd also like to know what these systems were running.

Djn
May 11th, 2009, 19:25
This was an SQL injection attack, so the vulnerability was most likely in the web application (or arguably in the DB or scripting language, for making this vulnerability possible in the first case, but that's a slightly weak excuse).

It doesn't say if the DB was on the same computer, and indeed it doesn't have to be, for this kind of attack. (The amount of data stored in a web-facing DB might have been high - but then again, it might not. The web application might well legitimately need access to the data in question.)

roddierod
May 11th, 2009, 19:35
3rd paragraph:

"The attackers accessed a public Web site and then bypassed additional secured databases stored on the same server."

That wording seems to me to say they are on the same server.

DutchDaemon
May 11th, 2009, 23:58
http://toolbar.netcraft.com/site_report?url=http://www.berkeley.edu

Running Solaris there?

Djn
May 12th, 2009, 01:09
3rd paragraph:

"The attackers accessed a public Web site and then bypassed additional secured databases stored on the same server."

That wording seems to me to say they are on the same server.

Nah, it could mean "the same server as the database they first got access to [through the web interface]" as well. The entire article is very light on concrete details.

Oh, and just to be picky ... if they bypassed the secure databases, wouldn't that be a good thing? ;)

roddierod
May 12th, 2009, 13:28
Nah, it could mean "the same server as the database they first got access to [through the web interface]" as well. The entire article is very light on concrete details.

Oh, and just to be picky ... if they bypassed the secure databases, wouldn't that be a good thing? ;)

I agree the writing is very light on details. I bet it will be some disgruntled student or ex-staff member.

roddierod
May 12th, 2009, 13:31
http://toolbar.netcraft.com/site_report?url=http://www.berkeley.edu

Running Solaris there?

Well that makes sense, so that leads to probably an Oracle hack.

Hope the guys from Berkeley's CS school didn't have anything to do with setting this up :)