Malicious PhpMyAdmin Served From SourceForge Mirror

An anonymous reader writes with a bit of news about the compromised download of phpMyAdmin discovered on an sf.net mirror yesterday: "A malicious version of the open source Web-based MySQL database administration tool phpMyAdmin has been discovered on one of the official mirror sites of SourceForge, the popular online code repository for free and open source software. The file — phpMyAdmin-3.5.2.2-all-languages.zip — was modified to include a backdoor that allowed attackers to remotely execute PHP code on the server running the malicious version of phpMyAdmin." The Sourceforge weblog has details. Someone compromised a mirror (since removed from rotation of course) around September 22nd. Luckily, only around 400 people grabbed the file before someone caught it.

Re:True open sores experience

[vlm]

How would you know which md5 hash was correct?

We could reinvent the wheel, but (as usual) the Debian wizards figured it all out years ago, in this case, they solved the problem in 2003.

You make a big list of valid hashes, GPG sign the list with a well known key that is changed every couple years or so (for a good time see Debian package named debian-keyring), and publish it.

For a good time on a Debian box go to /var/lib/apt/lists and look at a packages file. Assuming you're using wheezy/amd64 the system won't let you install the latest 0ad package (wtf that package is) version 0r11863-2 unless the md5 hash of that package is some big ole number ending in 79eb. Also sha1 and sha256 hashes.

For a good time see

http://wiki.debian.org/SecureApt

I can hand you a questionable looking flash drive with debian packages on it and if the multiple signed hashes match Debian's official gpg signed hash list you can trust my binaries... I can't inject something extra without Fing up at least one of the three hashs.

Or, just go ahead and reinvent the wheel... thats a Security Best Practices that never leads to problems, rock on with your NIH self man!