PHPMyAdmin Vulnerabilities (HOT)

Alwaysonline (Verified User, joined Mar 24, 2005)
Hi All,

Just want to give a heads up to everyone. Over the past 6 hours or so we have seen some script kitty activity that has gotten through phpmyadmin on a few of our servers. The versions of phpmyadmin were not the latest, but not that old either. After getting in, there seems to be your standard ssh brute force attacks that run outgoing scans afterwards.

We are still diagnosing the issue but I thought I would throw this out to all to give a heads up. Only our DA Servers with PHPMyAdmin have been affected so far.
 
I haven't seen anything our end, nor have phpmyadmin released any security bulletins.

Perhaps there's some hardening required on your end? SSH can be a little b#*@! at times ;)
 
Not an SSH issue.

An ssh scanner / brute force attack kitty called dd_ssh was uploaded through phpmyadmin (via http).

So far only older phpmyadmin installs were affected, versions prior to phpmyadmin 3. We cleaned up the affected installs and updated phpmyadmin to the latest versions, but the attacks continue to happen, as I have seen the same handful of IP addresses with the same http calls to phpmyadmin.

I will let you know if I see any other version affected, so it looks like for now it's just a patch and access control issue. I think I am going to lock down phpmyadmin access now and remove the global http alias /phpmyadmin.
 
We weren't affected as we don't use the default install directory in /var/www/html/ - so, in the end, it was a good decision on our part, even though upgrading takes a bit longer...
 
Instead of bothering with it, I just ordered new servers and moved my backups there.

My ex servers were 3 years old and never updated (don't fix it if it ain't broken) - so I just ordered new ones - it's a lot faster and cheaper than fixing it.

Wow. You would rather spend a few hours ordering new servers and moving data than simply delete setup.php within phpmyadmin. Deleting setup.php takes less than 1 second. Amazing.
 

My servers were infected - so I would need to bother fixing it :D

Your idea is prevention.
 
That means you really do not understand what happened.

Somebody used a phpmyadmin vulnerability and was able to upload and execute a file that performs ssh scans. This was done as the user apache, so no real harm was done. Stop the scan, delete the file that was uploaded, and delete the setup.php. That is all. I had to do this myself. It's not a big deal.
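As an added example (not code from this thread, from phpMyAdmin or from DirectAdmin), a small POSIX sh audit helper for the clean-up steps listed in the post above: it reports whether a phpMyAdmin install still ships its setup script, removes it, counts global "Alias /phpmyadmin" lines in the Apache config, and filters ps output for a dd_ssh process running as apache. The setup-script locations, the "apache" user name and the config paths are assumptions.

```shell
#!/bin/sh
# Hypothetical audit helper; not part of phpMyAdmin or DirectAdmin.

# Report setup scripts still present in a phpMyAdmin install directory.
# Returns 1 if any is found, 0 if the install is already trimmed.
# Assumed locations: setup.php (as named in the thread), scripts/setup.php
# (2.11.x layout) and setup/index.php (3.x layout).
pma_setup_exposed() {
  dir=$1
  found=0
  for f in "$dir/setup.php" "$dir/scripts/setup.php" "$dir/setup/index.php"; do
    if [ -e "$f" ]; then
      echo "EXPOSED: $f"
      found=1
    fi
  done
  return $found
}

# The fix the thread recommends: delete the setup script(s).
# Returns 0 when nothing exposed remains afterwards.
pma_remove_setup() {
  dir=$1
  rm -f "$dir/setup.php" "$dir/scripts/setup.php"
  rm -rf "$dir/setup"
  pma_setup_exposed "$dir" >/dev/null
}

# Count global "Alias /phpmyadmin" lines in the Apache config files given,
# i.e. the world-reachable URL the thread suggests removing.
pma_global_alias_count() {
  grep -Ehi '^[[:space:]]*Alias[[:space:]]+/phpmyadmin/?([[:space:]]|$)' "$@" 2>/dev/null \
    | wc -l | tr -d ' '
}

# Filter "ps -eo user,pid,comm" output (read from stdin) down to the
# scanner named in the thread, running as the assumed web server user.
# Usage: ps -eo user,pid,comm | pma_scanner_procs
pma_scanner_procs() {
  awk '$1 == "apache" && $3 == "dd_ssh" { print }'
}

# Stand-alone use: sh pma_audit.sh /var/www/html/phpmyadmin /etc/httpd/conf/httpd.conf
if [ $# -ge 2 ]; then
  pma_setup_exposed "$1" || echo "setup script present: run pma_remove_setup $1"
  echo "global /phpmyadmin aliases in $2: $(pma_global_alias_count "$2")"
  ps -eo user,pid,comm | pma_scanner_procs
fi
```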
 
My servers were infected - so I would need to bother fixing it :D
Your idea is prevention.
I guess you only have a handful of clients; some have over 500, so imagine the downtime if your theory was to be used by many... Lots of unhappy customers... Every server isn't the same, so the backup/restore routine isn't flawless - and, touch wood, I've yet to use the restore options.

FWIW, 5 years is the longest I've had a server.
 
I have my own websites on my servers.

The servers were old (dual core); for the same money now I am getting hexa core, so it made sense to change the servers for new ones, and I did it without even checking what was wrong.

Moving from one server to another was easy for me: I just changed name servers and imported domains to the new ones.
 
That is fine if you just want new servers. That's a great upgrade.

This thread is about the phpmyadmin vulnerability and the solution is to delete setup.php, not buy new servers. Buying new servers is certainly not faster.
 