Slashdot Mirror


Malicious PhpMyAdmin Served From SourceForge Mirror

An anonymous reader writes with a bit of news about the compromised download of phpMyAdmin discovered on an sf.net mirror yesterday: "A malicious version of the open source Web-based MySQL database administration tool phpMyAdmin has been discovered on one of the official mirror sites of SourceForge, the popular online code repository for free and open source software. The file — phpMyAdmin-3.5.2.2-all-languages.zip — was modified to include a backdoor that allowed attackers to remotely execute PHP code on the server running the malicious version of phpMyAdmin." The Sourceforge weblog has details. Someone compromised a mirror (since removed from rotation of course) around September 22nd. Luckily, only around 400 people grabbed the file before someone caught it.

11 of 86 comments shown

  1. "weblog"? by i kan reed · · Score: 5, Funny

    Is this 1998? Was the malicious file found on the world wide web?

    1. Re:"weblog"? by Anonymous Coward · · Score: 4, Insightful

      What's wrong with that? It's a vastly better word than blog.

  2. Re:True open sores experience by lindi · · Score: 4, Informative

    How would you know which md5 hash was correct? They are listed in http://www.phpmyadmin.net/home_page/downloads.php which is also hosted by sourceforge.

  3. Sourceforge problems.. by undulato · · Score: 3, Informative

    I think someone's head is in the clouds at the moment, what with the recent buyout of SourceForge, Slashdot et al. I'm with a big ol' (12-year) open source project on SourceForge and it's going through the migration procedure currently to the new SourceForge look and feel - lots of problems, lots of broken stuff, unhappy admins and developers and slow response to tickets.

    There are plenty of alternatives out here now for the open source types to host their code. It might be time to start thinking about exit strategies..

  4. Duh. by Tyler Eaves · · Score: 4, Insightful

    Anyone who understands how security works would consider phpMyAdmin's very existence on a server to be a security hole.

    Local GUI client + ssh tunnel ftw.

    --
    TODO: Something witty here...
    1. Re:Duh. by xombo · · Score: 4, Informative

      My experience, exactly. I can't tell you how many times I've been asked to look into a problem with a web server only to find that their logs are packed with failed login attempts pointed at /phpmyadmin. It's bad enough that it blindly installs itself as a subdirectory in every Apache vhost you run; but their lack of default password attempt limits and bans (especially given its popularity and the level of access it provides) is downright irresponsible.
      There are literally botnets that do nothing more than cruise around the internet looking for phpmyadmin installations.
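    The log pattern xombo describes (requests piling up against /phpmyadmin and its common aliases, with no built-in lockout) is easy to surface from an Apache access log before the guesser gets lucky. The following is an added example, not code from the original thread or from the phpMyAdmin project: it parses combined-format log lines, counts phpMyAdmin-related requests per source IP, and separates location scanners (many distinct 404'd paths) from password-guessing loops (many POSTs to one install). The prefix list, the threshold and all log lines are constructed for the example; tune the prefixes from your own 404 logs.

```python
import re
from collections import defaultdict

# Apache "combined" access-log format, e.g.
# 203.0.113.5 - - [23/Sep/2012:10:11:12 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# URL prefixes that scanners hunting for phpMyAdmin commonly probe
# (assumed list for this example; extend it from your own 404 logs).
PMA_PREFIXES = ("/phpmyadmin", "/phpmyadmin2", "/pma", "/myadmin", "/mysqladmin")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def normalise_path(path):
    """Drop the query string and lower-case, so /phpMyAdmin/?x and /phpmyadmin/ compare equal."""
    return path.split("?", 1)[0].lower()


def is_pma_request(path):
    p = normalise_path(path)
    return any(p == pre or p.startswith(pre + "/") for pre in PMA_PREFIXES)


def find_pma_scanners(lines, threshold=5):
    """Return {ip: {"requests": n, "posts": m, "paths": set()}} for every source IP
    that made at least `threshold` phpMyAdmin-related requests.  Many distinct paths
    from one IP means a location scanner; many POSTs to one path means a
    password-guessing loop against a real install."""
    stats = defaultdict(lambda: {"requests": 0, "posts": 0, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_pma_request(rec["path"]):
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["paths"].add(normalise_path(rec["path"]))
        if rec["method"] == "POST":
            s["posts"] += 1
    return {ip: s for ip, s in stats.items() if s["requests"] >= threshold}


# Constructed sample log: one location scanner, one brute-forcer, one legitimate admin.
_TS = "[23/Sep/2012:10:11:12 +0000]"
SAMPLE_LOG = [
    f'203.0.113.5 - - {_TS} "GET {p} HTTP/1.1" 404 209 "-" "Mozilla/5.0"'
    for p in ("/phpmyadmin/", "/phpMyAdmin/", "/pma/", "/myadmin/", "/mysqladmin/", "/phpmyadmin2/index.php")
] + [
    f'198.51.100.7 - - {_TS} "POST /phpmyadmin/index.php HTTP/1.1" 200 4011 "-" "python-requests/2.0"'
    for _ in range(10)
] + [
    f'192.0.2.10 - - {_TS} "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    f'192.0.2.10 - - {_TS} "GET /phpmyadmin/ HTTP/1.1" 200 4011 "-" "Mozilla/5.0"',
    f'192.0.2.10 - - {_TS} "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, s in find_pma_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {s['requests']} requests, {s['posts']} POSTs, {len(s['paths'])} distinct paths")
```

    Feed the real log through `find_pma_scanners` and hand the resulting IPs to fail2ban or a firewall rule; the two signals (many paths vs. many POSTs) are worth keeping separate, because the first hits every host on the internet while the second means someone has found a live install.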

    2. Re:Duh. by Zenin · · Score: 5, Funny

      Anyone who understands how security works would consider php's very existence on a server to be a security hole.

      There, I fixed it for you. You're welcome.

      --
      My /. uid is better than your /. uid
  5. Re:True open sores experience by petermgreen · · Score: 4, Informative

    If sourceforge is totally compromised you are right but still the chances of that happening are almost certainly lower than the chances of a random download mirror being compromised, so checking md5s is still a good idea.

    --
    note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  6. Which is the scary part? by Michalson · · Score: 5, Insightful

    A widely used web package has a backdoor inserted.

    Scary.

    One of the regional mirrors of the largest software repository containing tens of thousands of projects is either hacked or was a plant from the start.

    Scarier.

    The backdoor code looks to be the work of someone who learned PHP on Monday.

    Scariest.

    Honestly, the only way it could have been more obvious is if the file was called backdoor.php. There was no attempt made to disguise the location or what the code was doing which is why it got caught so quickly. A complete amateur got caught with control over a chunk of Sourceforge downloads. In computer security when you find a breach you don't just close the obvious point of entry, you have to take a big step back and seriously ask 'what else was compromised'. In this case the big question is who else.

    If this clown could do it and didn't get caught until an end user saw the stupidly obvious file and its stupidly obvious code (as opposed to a server log or other Sourceforge audit turning it up), what are the competent hackers up to? Real backdoors are blended into the existing code instead of being added as a separate file. Real backdoors are designed to be hidden from casual inspection instead of being completely obvious in their function and 'I don't belong here' status. Really good backdoors are designed to not look like intentionally malicious code even after they are found (ex. the wait4 backdoor attempt in the Linux kernel was pretty good; it got caught because the CVS hack used to insert it in a regional CVS mirror was flawed in several ways that raised alarms).

    So, what kind of security/procedure/audit could have been in place, needs to be in place, so that something like this will raise an alarm even when the hacker isn't the most incompetent backdoor author in history? What kind of audit is needed to be sure it hasn't already happened?

  7. how far? by WGFCrafty · · Score: 3

    I have used phpmyadmin while learning about servers/web hosting (on my only computer to experiment) and while dealing with the Gallery php software on a more recently hosted site (not on my computer), so I have a general idea of what it does and how to use it (as basic as it gets like backing up DBs).

    My question is, when the backdoor gives full access to the hacker, what is the extent of compromise? Does it give you all data but you cannot read the passwords? Do you have the ability to decrypt passwords by gaining root access with this, or is the data still protected?

    Forgive my ignorance

  8. Re:True open sores experience by vlm · · Score: 5, Informative

    How would you know which md5 hash was correct?

    We could reinvent the wheel, but (as usual) the Debian wizards figured it all out years ago, in this case, they solved the problem in 2003.

    You make a big list of valid hashes, GPG sign the list with a well known key that is changed every couple years or so (for a good time see Debian package named debian-keyring), and publish it.

    For a good time on a Debian box go to /var/lib/apt/lists and look at a packages file. Assuming you're using wheezy/amd64 the system won't let you install the latest 0ad package (wtf that package is) version 0r11863-2 unless the md5 hash of that package is some big ole number ending in 79eb. Also sha1 and sha256 hashes.

    For a good time see

    http://wiki.debian.org/SecureApt

    I can hand you a questionable looking flash drive with debian packages on it and if the multiple signed hashes match Debian's official gpg signed hash list you can trust my binaries... I can't inject something extra without Fing up at least one of the three hashes.

    Or, just go ahead and reinvent the wheel... that's a security best practice that never leads to problems, rock on with your NIH self man!

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
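The thread above (lindi's question about which hash to trust, petermgreen's point that a mirror compromise is far likelier than a compromise of the project itself, and vlm's SecureApt description) boils down to one mechanism: the project publishes a hash list signed with its own key, and the downloader checks the archive against that list rather than against anything served by the same mirror. The following is an added example, not code from the original thread, from phpMyAdmin or from SourceForge. It builds the per-file manifest a project would sign, then verifies a download against it, so that an injected extra file (the page's case) or an edited existing file is reported by name. Signature verification of the manifest (`gpg --verify` against the project key) is assumed to happen before this step and is not shown; SHA-256 is used rather than MD5 because MD5 collisions are practical. All file names and contents below are constructed placeholders, including the name of the injected file, which is not the name of the real backdoor.

```python
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(zip_bytes: bytes) -> dict:
    """Hash list a project would publish (and GPG-sign) alongside a release:
    the archive's own SHA-256 plus the SHA-256 of every member file."""
    files = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                files[info.filename] = sha256_hex(zf.read(info))
    return {"archive_sha256": sha256_hex(zip_bytes), "files": files}


def verify_archive(zip_bytes: bytes, manifest: dict) -> dict:
    """Check a downloaded archive against a trusted manifest. Reports whether the
    whole-archive hash matches and, if not, which members were modified, added or
    removed, so an injected extra file shows up by name rather than as a bare mismatch."""
    report = {"archive_ok": sha256_hex(zip_bytes) == manifest["archive_sha256"],
              "modified": [], "unexpected": [], "missing": []}
    present = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                present[info.filename] = sha256_hex(zf.read(info))
    expected = manifest["files"]
    for name, digest in present.items():
        if name not in expected:
            report["unexpected"].append(name)
        elif digest != expected[name]:
            report["modified"].append(name)
    report["missing"] = [name for name in expected if name not in present]
    report["ok"] = report["archive_ok"] and not (
        report["modified"] or report["unexpected"] or report["missing"])
    return report


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-in for a release: file names and contents are invented.
CLEAN_FILES = {
    "phpMyAdmin/index.php": b"<?php\n// constructed placeholder for the real entry point\n",
    "phpMyAdmin/libraries/common.inc.php": b"<?php\n// constructed placeholder library\n",
}
CLEAN_ZIP = make_zip(CLEAN_FILES)
MANIFEST = build_manifest(CLEAN_ZIP)  # what the project would sign and publish off-mirror

# A mirror that injects an extra file (the page's case) and one that edits an existing file.
EXTRA_FILE = "phpMyAdmin/injected_helper.php"  # constructed name, not the real backdoor's
INJECTED_ZIP = make_zip({**CLEAN_FILES, EXTRA_FILE: b"<?php\n// constructed stand-in for injected code\n"})
EDITED_ZIP = make_zip({**CLEAN_FILES, "phpMyAdmin/index.php": b"<?php\n// silently altered\n"})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_ZIP), ("injected", INJECTED_ZIP), ("edited", EDITED_ZIP)):
        print(label, verify_archive(blob, MANIFEST))
```

The whole-archive hash alone is enough to reject a tampered download; the per-file list is what turns "hash mismatch" into "this file was added", which is the information an incident responder wants when the question becomes what else was touched. The manifest only helps if it is fetched from, and signed by, something other than the mirror that served the archive.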