You’ve got a MySQL database. That brings plenty of administrative challenges, including watching out for configuration problems, vulnerabilities, exploits and patches.
You decide that phpMyAdmin, a MySQL administration toolkit, would be useful. That brings plenty of challenges, watching out for configuration problems, vulnerabilities, exploits and patches.
To run phpMyAdmin, you need a web server. That brings plenty of challenges, watching out for configuration problems, vulnerabilities, exploits and patches.
And to use phpMyAdmin, you need a web browser. (I shan’t say it a fourth time.)
Phew! There’s a lot to watch out for when you run a LAMP stack. All that administrative burden in order to ease your MySQL administrative burden in order to keep on top of your database security headaches.
(Reminds me of the old dictionary joke, recursion [mass noun]: see recursion.)
You’d definitely want to familiarise yourself with the official repositories for the various parts of your system. You’d be wise to download only from trusted sources – in the case of phpMyAdmin, the well-known and widely-used SourceForge content delivery network.
Sadly, just being careful isn’t always enough. Both phpMyAdmin and SourceForge have published security alerts confirming that the official phpMyAdmin 3.5.2.2 distribution was Trojanised some time last weekend.
The silver lining is that only the Korean mirror cdnetworks-kr-1 had the malicious version:
One of the SourceForge.net mirrors, namely cdnetworks-kr-1, was being used to distribute a modified archive of phpMyAdmin, which includes a backdoor. This backdoor is located in file server_sync.php and allows an attacker to remotely execute PHP code. Another file, js/cross_framing_protection.js, has also been modified.
Trojanising a database administration tool this way is a huge win for a hacker. If the doctored version gets installed, you end up inside the network by invitation, via the official administration console, and typically with more power than the genuine administrators. (They don’t know about the extra features you’ve added in your version, after all.)
The fact that only one mirror was infected reduced the overall impact, with just 400 users downloading the dodgy version.
But 400 potentially-pwned networks of possibly-juicy databases is a much more worrying proposition than 400 PCs infected with zombie malware.
If you’re a phpMyAdmin user, it’s well worth checking your install for the rogue file server_sync.php. (There shouldn’t be a file of that name, though there is an official server_synchronize.php component in 3.5.2.2.)
Also, re-download the distribution file and verify that your copy of js/cross_framing_protection.js is correct.
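One way to carry out both of those checks at once, as an added example that is not from the article: compare the installed tree against a freshly downloaded, untouched copy of the same release, so that an extra file such as server_sync.php and a modified js/cross_framing_protection.js both stand out. The install and reference directory paths are assumed arguments; config.inc.php is skipped because it is the site’s own configuration and never part of a pristine download.

```shell
# Compare a phpMyAdmin install with a reference copy of the same release.
# Flags (a) files present in the install but not in the reference (how the
# backdoor server_sync.php would show up) and (b) files whose SHA-256 differs
# from the reference (how the doctored cross_framing_protection.js would show
# up). Missing files are reported but are not treated as a compromise indicator.
# Assumes filenames contain no whitespace, which holds for a phpMyAdmin tree.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1   # macOS / BSD fallback
    fi
}

# check_pma_install <install_dir> <reference_dir>
# Prints one line per finding; returns 0 if clean, 1 if anything suspicious.
check_pma_install() {
    install_dir=$1
    ref_dir=$2
    findings=0

    # (a) extra files: anything installed that the reference release lacks
    for f in $(cd "$install_dir" && find . -type f | sed 's|^\./||'); do
        case "$f" in config.inc.php) continue ;; esac
        if [ ! -e "$ref_dir/$f" ]; then
            echo "EXTRA:    $f (not in reference release)"
            findings=1
        fi
    done

    # (b) modified files: hash every reference file that is also installed
    for f in $(cd "$ref_dir" && find . -type f | sed 's|^\./||'); do
        if [ -f "$install_dir/$f" ]; then
            if [ "$(file_sha256 "$install_dir/$f")" != "$(file_sha256 "$ref_dir/$f")" ]; then
                echo "MODIFIED: $f (hash differs from reference)"
                findings=1
            fi
        else
            echo "MISSING:  $f (in reference but not installed)"
        fi
    done
    return $findings
}
```

Run it as `check_pma_install /var/www/phpmyadmin /tmp/phpMyAdmin-reference` after unpacking the re-downloaded archive into the second directory; a non-zero exit means at least one EXTRA or MODIFIED line was printed.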
And if, like SourceForge, you operate or use a distribution network with multiple, redundant web servers, remember that increasing availability can make it much harder to maintain integrity.
The more copies of your sacred data that lie around, the more likely that one of those copies will be lost, or stolen, or modified.
3 comments on “SourceForge serves up malware-infected phpMyAdmin toolkit”
Typo: "If you're a pgpMyAdmin user,…"
In the fourth paragraph from the bottom, 'pgpMyAdmin' should be 'phpMyAdmin'.
Funny, I always think of phpMyAdmin as actually *being* a back door so it's ironic to think of it having one as well, albeit briefly.