28 Sep 2012
A malicious copy of the phpMyAdmin database management tool was served for days via a Korea-based mirror of the Sourceforge.com repository. The copy on the ‘cdnetworks-kr-1’ mirror in Korea was a modified version of the phpMyAdmin-3.5.2.2-all-languages.zip release that had been backdoored by cyber-criminals before being uploaded.
“This corrupted copy of phpMyAdmin included a backdoor which permitted execution of arbitrary commands by the web server user,” Sourceforge staffers wrote in a blog post. “It is our recommendation that downloaders of this corrupted file (which contains ‘server_sync.php’) assess risk and take action as they deem appropriate, including deletion of the corrupted file and downloading a fresh copy.”
The incident may have very serious consequences, as phpMyAdmin is the world’s most popular PHP-based MySQL database management tool that allows a user to create, modify, update and remove databases using a visual interface.
Although Sourceforge said only 400 users downloaded the compromised copy, the impact may be way larger, as these tools are also deployed on shared hosting servers, where a single copy can serve thousands of accounts.
The backdoor, which resides in the ‘server_sync.php’ file, lets a regular user pass commands to the web server environment. This means attackers might create an FTP account on the machine, send spam from the affected server or even take complete control of it.
Users running the phpMyAdmin utility are advised to check its version and build to see whether they have the corrupted copy. Creating local backups and scanning them with antivirus software can also help identify hidden backdoors or obfuscated exploitation code, which helps both webmasters and their hosting customers stay on the safe side.
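As an added illustration (not code from the article, from SourceForge or from the phpMyAdmin project), the following script shows the two checks a webmaster would actually run after an advisory like this one: look for the ‘server_sync.php’ file the advisory names, and compare the deployed tree against a freshly downloaded copy so that any extra or altered file stands out. The content heuristic (a PHP execution primitive fed directly by request data on the same line) is my own assumption about what a backdoor of this kind looks like, not the advisory’s signature, and the sample file trees are constructed stand-ins, not real phpMyAdmin files.

```python
#!/usr/bin/env python3
"""Check a deployed phpMyAdmin tree for the corrupted-copy indicators and
diff it against a trusted fresh download (added example, not project code)."""
import hashlib
import os
import re
import sys

# File name the SourceForge advisory gives as the marker of the corrupted copy.
BACKDOOR_MARKER = "server_sync.php"

# Heuristic (assumption, not the advisory's own signature): a PHP code/command
# execution primitive on the same line as raw request input.
SUSPICIOUS_CALL = re.compile(
    rb"\b(?:eval|system|exec|shell_exec|passthru|popen|proc_open|assert)\s*\(",
    re.IGNORECASE,
)
REQUEST_INPUT = re.compile(rb"\$_(?:POST|GET|REQUEST|COOKIE)\b")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_tree(root: str) -> dict:
    """Map every regular file under root to its bytes, keyed by POSIX-style relative path."""
    tree = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                tree[rel] = fh.read()
    return tree


def find_suspicious(tree: dict) -> list:
    """Return (path, reason) pairs for files matching the advisory marker or the heuristic."""
    findings = []
    for path, data in sorted(tree.items()):
        if os.path.basename(path) == BACKDOOR_MARKER:
            findings.append((path, "file named in the SourceForge advisory"))
        if path.lower().endswith(".php"):
            for line in data.splitlines():
                if SUSPICIOUS_CALL.search(line) and REQUEST_INPUT.search(line):
                    findings.append((path, "execution primitive fed by request data"))
                    break
    return findings


def diff_against_reference(deployed: dict, reference: dict) -> dict:
    """Compare a deployed tree with a trusted fresh copy: extra, modified and missing files."""
    extra = sorted(p for p in deployed if p not in reference)
    modified = sorted(
        p for p in deployed if p in reference and sha256(deployed[p]) != sha256(reference[p])
    )
    missing = sorted(p for p in reference if p not in deployed)
    return {"extra": extra, "modified": modified, "missing": missing}


# Constructed sample trees (stand-ins, not real phpMyAdmin files).
REFERENCE = {
    "index.php": b"<?php\n// constructed stand-in for the genuine file\nrequire 'libraries/common.inc.php';\n",
    "libraries/common.inc.php": b"<?php\n// constructed stand-in\ndefine('PMA_SAMPLE', true);\n",
}
DEPLOYED = dict(REFERENCE)
DEPLOYED["index.php"] = REFERENCE["index.php"] + b"// constructed modification: one extra line\n"
DEPLOYED[BACKDOOR_MARKER] = b"<?php\n// constructed sample of the pattern the heuristic flags\neval($_POST['c']);\n"


def main(argv):
    if len(argv) == 3:
        deployed, reference = load_tree(argv[1]), load_tree(argv[2])
    else:
        deployed, reference = DEPLOYED, REFERENCE  # demo on the constructed samples
    for path, reason in find_suspicious(deployed):
        print(f"SUSPICIOUS {path}: {reason}")
    for kind, paths in diff_against_reference(deployed, reference).items():
        for path in paths:
            print(f"{kind.upper():9} {path}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `check_pma.py /var/www/phpmyadmin /tmp/fresh-phpmyadmin` with the second path pointing at an unpacked copy downloaded from a mirror you trust; the diff is the authoritative check, since the content heuristic will miss anything spread over several lines and may flag legitimate code for manual review.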