phpMyAdmin corrupted copy on Korean mirror server

By Community Team

On September 25th, SourceForge became aware of a corrupted copy of phpMyAdmin being served from the ‘cdnetworks-kr-1’ mirror in Korea. This mirror was immediately removed from rotation.

The mirror provider has confirmed that the attack vector has been identified and is limited to their mirror, with the exploit having occurred on or around September 22nd.

Through validation we have confirmed the corrupted file (a modified copy of phpMyAdmin-3.5.2.2-all-languages.zip) was served only via the ‘cdnetworks-kr-1’ mirror.

While we believe that only one file was modified on the ‘cdnetworks-kr-1’ mirror, we are conducting additional validation to confirm this and will provide an update once this process concludes. The mirror remains out of rotation.

Through logs, we have identified that approximately 400 users downloaded this corrupted file. Notice of this corrupted file has been transmitted through a security notice by the phpMyAdmin project and by direct email to those users we were able to identify through our logs.

This corrupted copy of phpMyAdmin included a backdoor which permitted execution of arbitrary commands by the web server user. The notice from phpMyAdmin may be seen at:
http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php

It is our recommendation that downloaders of this corrupted file (which contains ‘server_sync.php’) assess risk and take action as they deem appropriate, including deletion of the corrupted file and downloading a fresh copy.

Downloaders are at risk only if a corrupt copy of this software was obtained, installed on a server, and serving was enabled. Examination of web logs and other server data should help confirm whether this backdoor was accessed.
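The two checks described above (does the downloaded archive contain ‘server_sync.php’, and do the web logs show requests for it) can be scripted. The following is an added example, not code from SourceForge or the phpMyAdmin project; it assumes access logs in the common/combined format, and the sample archive and log lines are constructed for illustration.

```python
import io
import re
import zipfile

INDICATOR = "server_sync.php"  # file name the notice says the corrupted archive contains
# Common/combined log format (assumed): client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def archive_hits(zip_bytes):
    """Return archive member paths whose file name is exactly the indicator."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if n.rsplit("/", 1)[-1].lower() == INDICATOR]

def log_hits(lines):
    """Return (client, timestamp, method, path, status) for requests to the indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Match on the last path segment only: drop the query string, ignore case.
        name = m["path"].split("?", 1)[0].lower().rsplit("/", 1)[-1]
        if name == INDICATOR:
            hits.append((m["client"], m["ts"], m["method"],
                         m["path"], int(m["status"])))
    return hits

def build_sample_zip(with_indicator):
    """Constructed stand-in archive with empty members, not the real release."""
    names = ["phpMyAdmin-3.5.2.2-all-languages/index.php",
             "phpMyAdmin-3.5.2.2-all-languages/old_server_sync.php.bak"]
    if with_indicator:
        names.append("phpMyAdmin-3.5.2.2-all-languages/server_sync.php")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"")
    return buf.getvalue()

SAMPLE_LOG = [  # constructed lines using documentation-range addresses
    '192.0.2.10 - - [24/Sep/2012:10:01:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [24/Sep/2012:10:05:44 +0000] "POST /phpmyadmin/server_sync.php HTTP/1.1" 200 17',
    '198.51.100.7 - - [24/Sep/2012:10:06:01 +0000] "GET /pma/Server_Sync.php?lang=en HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    print(archive_hits(build_sample_zip(True)), log_hits(SAMPLE_LOG))
```

The status code in each hit matters for triage: a 404 means the file was requested but not present at that path, while a 200 means the request reached an existing file and the host warrants closer examination.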

SourceForge thanks the phpMyAdmin team and the Tencent security team for escalating this issue.

Thank you,
The SourceForge team

34 Responses

  1. Tonejito says:

    @sourceforge SECURITY ALERT: phpMyAdmin download contained backdoor’ed file. Details at http://t.co/Hp0Lzkhu http://t.co/JwcHlekf

  2. […] of the SourceForge.net hosting service acknowledged the compromise of one of the servers in the system […]

  3. jsalsman says:

    Perhaps automated mirror validation is called for?

    •  @jsalsman Periodic validation of all mirrors is already implemented (even before this event).

      • duhderp says:

         @Jacob Moorman  @jsalsman And so obviously isn’t good enough? Perhaps any time the files on a mirror change they should be verified against a known good working copy?

  4. […] of the SourceForge.net hosting service acknowledged the compromise of one of the servers in the system […]

  5. gslin says:

    @jnlin I burst out laughing

  6. […] According to Sourceforge, the affected file was downloaded about 400 times. After the problem became known on September 25, 2012, Sourceforge removed the affected mirror server from its distribution system. According to Sourceforge, the operator of the mirror server has already determined how the attack took place. It is assumed that only this single server is affected. […]

  7. […] exploit could not be alive before 22nd September 2012) and not on much frequent mirror (based on SourceForge official statement about 400 users have downloaded the file with […]

  8. […] from SourceForge to distribute a manipulated version of the database management tool phpMyAdmin that contains a backdoor. The backdoor was located in the installation archive […]

  9. […] Sourceforge's official note on the subject is at this link, phpMyAdmin Back Door | SourceForge Community Blog, and the official note from the PhpMyAdmin development group is here: PMASA-2012-5. […]

  10. […] was available for three days from 22 September until its discovery on 25 September, according to a statement by SourceForge, which said the tainted code was only served from its Korean mirror. The motives, […]

  11. dspe says:

    @mojoLyon what an idea to have phpmyadmins in the first place 😀

    • mojoLyon says:

      @dspe Exactly 😉 Well, in this case it's via a mirror in Korea, so less impact in Europe, but better safe than sorry 🙂

  12. […] Easy Windows Checksum  General, Programming  Add comments Sep 262012   After the recent “attack” from a mirror site of Source Forge. I decided I also need to check MD5 check-sums on windows machines. You can read about the “backdoor” that was added into phpMyAdmin here: http://sourceforge.net/blog/phpmyadmin-back-door/ […]

  13. […] SourceForge server in question was cdnetworks-kr-1, a Korean mirror. In a separate post by the SourceForge team, it confirmed that the owner of the mirror identified a breach of its systems “on or around […]

  14. […] attackers have managed to distribute a modified version of the open source phpMyAdmin database management tool that contained a […]

  15. […] from the ‘cdnetworks-kr-1′ mirror in Korea. This mirror was immediately removed from rotation: http://sourceforge.net/blog/phpmyadmin-back-door/ This entry was posted in Uncategorized by Stijn. Bookmark the […]

  16. […] More information at the link. […]

  17. […] a corrupted copy of phpMyAdmin being served from the ‘cdnetworks-kr-1′ mirror in Korea,” according to SourceForge. “This mirror was immediately removed from rotation. The mirror provider has confirmed the […]

  18. […] has stopped using one of its mirrors in Korea after the popular open source website was alerted to a corrupted copy of phpMyAdmin being served from that site. The ‘cdnetworks-kr-1′ mirror in Korea was immediately removed […]

  19. […] just being careful isn’t always enough. Both phpMyAdmin and SourceForge have published security alerts confirming that the official phpMyAdmin 3.5.2.2 distribution was […]

  20. […] Update: http://sourceforge.net/blog/phpmyadmin-back-door/ Notice: http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php Affected Versions […]

  21. […] copy of phpMyAdmin being served from the ‘cdnetworks-kr-1′ mirror in Korea,” according to SourceForge. “This mirror was immediately removed from rotation. The mirror provider has confirmed the […]

  22. […] were notified. According to SourceForge, the malicious phpMyAdmin package was downloaded a mere 400 times from the Korean download mirror. Further, the number of live websites using that backdoor-laden […]

  23. […] of the SourceForge.net hosting service acknowledged the compromise of one of the servers in the system […]

  24. […] news began circulating on September 25, when those in charge of SourceForge realized that one of their mirrors had been attacked and had become a vector for the […]

  25. […] news began circulating on September 25, when those in charge of SourceForge realized that one of their mirrors had been attacked and had become a vector for the […]

  26. […] immediately removed from rotation,” Rich Bowen, the Community Growth Hacker at SourceForge, confirmed on the site’s […]

  27. […] In a blog post, SourceForge officials said they believe only the affected phpMyAdmin-3.5.2.2-all-languages.zip […]

  28. […] phpMyAdmin Corrupt Mirror – September 2012 – A mirror was compromised and a simple pass through shell like the one shown in the demonstrated was used to infiltrate the server. […]