SourceForge serves up malware-infected phpMyAdmin toolkit

Filed Under: Featured, Malware, Vulnerability

You've got a MySQL database. That brings plenty of administrative challenges, including watching out for configuration problems, vulnerabilities, exploits and patches.

You decide that phpMyAdmin, a MySQL administration toolkit, would be useful. That brings plenty of challenges, watching out for configuration problems, vulnerabilities, exploits and patches.

To run phpMyAdmin, you need a web server. That brings plenty of challenges, watching out for configuration problems, vulnerabilities, exploits and patches.

And to use phpMyAdmin, you need a web browser. (I shan't say it a fourth time.)

Phew! There's a lot to watch out for when you run a LAMP stack. All that administrative burden in order to ease your MySQL administrative burden in order to keep on top of your database security headaches.

(Reminds me of the old dictionary joke, recursion [mass noun]: see recursion.)

You'd definitely want to familiarise yourself with the official repositories for the various parts of your system. You'd be wise to download only from trusted sources - in the case of phpMyAdmin, the well-known and widely-used SourceForge content delivery network.

Sadly, just being careful isn't always enough. Both phpMyAdmin and SourceForge have published security alerts confirming that the official phpMyAdmin 3.5.2.2 distribution was Trojanised some time last weekend.

The silver lining is that only the Korean mirror cdnetworks-kr-1 had the malicious version:

One of the SourceForge.net mirrors, namely cdnetworks-kr-1, was being used to distribute a modified archive of phpMyAdmin, which includes a backdoor. This backdoor is located in file server_sync.php and allows an attacker to remotely execute PHP code. Another file, js/cross_framing_protection.js, has also been modified.

Trojanising a database administration tool this way is a huge win for a hacker. If the doctored version gets installed, you end up inside the network by invitation, via the official administration console, and typically with more power than the genuine administrators. (They don't know about the extra features you've added in your version, after all.)

The fact that only one mirror was infected reduced the overall impact, with just 400 users downloading the dodgy version.

But 400 potentially-pwned networks of possibly-juicy databases is a much more worrying proposition than 400 PCs infected with zombie malware.

If you're a phpMyAdmin user, it's well worth checking your install for the rogue file server_sync.php. (There shouldn't be a file of that name, though there is an official server_synchronize.php component in 3.5.2.2.)

Also, re-download the distribution file and verify that your copy of js/cross_framing_protection.js is correct.
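A script for the two checks just described, added here as an example (it is not part of the original post and is not phpMyAdmin's own tooling). It assumes two arguments: the directory of the phpMyAdmin copy in use, and a freshly downloaded and unpacked copy of the same release from a trusted mirror to serve as the comparison baseline; sha256sum from coreutils is used for the file comparison.

```shell
#!/bin/sh
# Audit a phpMyAdmin install for the two indicators named in the advisory:
#   1. the rogue file server_sync.php (no genuine file of that name exists;
#      the legitimate component is server_synchronize.php), and
#   2. a modified js/cross_framing_protection.js.
# Arguments (assumed paths, supplied by the caller):
#   $1  install directory of the copy in use
#   $2  reference directory: a freshly downloaded, unpacked copy of the release
# Prints one line per finding; returns 0 when nothing suspicious is found,
# 1 when there is at least one finding, 2 when the reference is unusable.
audit_phpmyadmin() {
    install="$1"
    reference="$2"
    findings=0

    # Check 1: presence of the backdoor file anywhere under the install.
    rogue=$(find "$install" -type f -name 'server_sync.php' 2>/dev/null)
    if [ -n "$rogue" ]; then
        echo "FINDING: rogue file present:"
        echo "$rogue"
        findings=$((findings + 1))
    fi

    # Check 2: installed JavaScript must hash identically to the reference copy.
    rel='js/cross_framing_protection.js'
    if [ ! -f "$reference/$rel" ]; then
        echo "ERROR: reference copy lacks $rel; cannot compare"
        return 2
    elif [ ! -f "$install/$rel" ]; then
        echo "FINDING: $rel missing from install"
        findings=$((findings + 1))
    else
        inst_sum=$(sha256sum "$install/$rel" | cut -d' ' -f1)
        ref_sum=$(sha256sum "$reference/$rel" | cut -d' ' -f1)
        if [ "$inst_sum" != "$ref_sum" ]; then
            echo "FINDING: $rel differs from reference ($inst_sum vs $ref_sum)"
            findings=$((findings + 1))
        fi
    fi

    if [ "$findings" -eq 0 ]; then
        echo "OK: no sign of the trojanised distribution under $install"
        return 0
    fi
    return 1
}

# Example invocation with hypothetical paths:
# audit_phpmyadmin /var/www/phpmyadmin /tmp/phpMyAdmin-3.5.2.2-reference
```

A non-zero exit status makes the function easy to wire into a cron job or configuration-management check across a fleet of web servers.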

And if, like SourceForge, you operate or use a distribution network with multiple, redundant web servers, remember that increasing availability can make it much harder to maintain integrity.

The more copies of your sacred data that lie around, the more likely that one of those copies will be lost, or stolen, or modified.



3 Responses to SourceForge serves up malware-infected phpMyAdmin toolkit

  1. Black A.M · 567 days ago

    Typo: "If you're a pgpMyAdmin user,..."

  2. Sundar · 567 days ago

    In the forth paragraph from the bottom, 'pgpMyAdmin' should be 'phpMyAdmin'.

  3. markstockley · 567 days ago

    Funny, I always think of phpMyAdmin as actually *being* a back door so it's ironic to think of it having one as well, albeit briefly.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog