phpMyAdmin corrupted copy on Korean mirror server

On September 25th, SourceForge became aware of a corrupted copy of phpMyAdmin being served from the 'cdnetworks-kr-1' mirror in Korea. This mirror was immediately removed from rotation.

The mirror provider has confirmed that the attack vector has been identified and that the compromise is limited to their mirror; the intrusion occurred on or around September 22nd.

Through validation we have confirmed that the corrupted file (a modified copy of phpMyAdmin-3.5.2.2-all-languages.zip) was served only via the 'cdnetworks-kr-1' mirror.

While we believe that only one file was modified on the 'cdnetworks-kr-1' mirror, we are conducting additional validation to confirm this and will provide an update once that process concludes. The mirror remains out of rotation.

From our logs, we have identified that approximately 400 users downloaded this corrupted file. Notice of the corrupted file has been given through a security announcement by the phpMyAdmin project and by direct email to those users we were able to identify from our logs.

This corrupted copy of phpMyAdmin included a backdoor that permitted execution of arbitrary commands with the privileges of the web server user. The notice from phpMyAdmin may be seen at:
http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php

It is our recommendation that downloaders of this corrupted file (which can be identified by the presence of a file named 'server_sync.php') assess their risk and take action as they deem appropriate, including deleting the corrupted file and downloading a fresh copy.

Downloaders are at risk only if a corrupt copy of this software was obtained, installed on a server, and that server was serving it. Examination of web server access logs (in particular for requests to 'server_sync.php', the file that carries the backdoor) and other server data should help confirm whether this backdoor was accessed.
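A triage script for the checks the two paragraphs above recommend, added here as an example; it is not SourceForge's or the phpMyAdmin project's code. It assumes the indicator the notice gives (a file named server_sync.php, which the notice uses to identify the corrupted archive), an Apache/nginx combined access-log format, and that the known-good SHA-256 digest is supplied by the operator from the project's own release information. The zip contents, the unpacked directory, the log lines and the digest in the demo are constructed, not real data.

```python
"""Triage for a possibly backdoored phpMyAdmin download (added example)."""
import hashlib
import io
import os
import re
import tempfile
import zipfile

INDICATOR = "server_sync.php"  # file named in the notice as marking the corrupted archive

# Assumption: Apache/nginx "combined" format:
#   host ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def archive_matches(zip_bytes: bytes, known_good_sha256: str) -> bool:
    """True only if the download is byte-for-byte the published release."""
    return sha256_hex(zip_bytes) == known_good_sha256.lower()


def archive_indicator_members(zip_bytes: bytes, indicator: str = INDICATOR) -> list:
    """Archive members whose basename is the indicator, at any directory depth."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(n for n in zf.namelist() if os.path.basename(n) == indicator)


def find_indicator_files(webroot: str, indicator: str = INDICATOR) -> list:
    """Indicator files inside an already unpacked install under webroot."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        hits.extend(os.path.join(dirpath, f) for f in files if f == indicator)
    return sorted(hits)


def backdoor_requests(log_lines, indicator: str = INDICATOR) -> list:
    """Log entries whose request path names the indicator file.

    Any hit means someone reached the backdoor; a POST answered with 200 is
    the strongest sign of use, since a command-execution backdoor takes its
    input from the request body. Lines that do not parse are skipped.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if os.path.basename(path) == indicator:
            hits.append({"host": m.group("host"), "time": m.group("time"),
                         "method": m.group("method"), "path": path,
                         "status": int(m.group("status"))})
    return hits


# ---- constructed demo data (not the real archive, not real traffic) ----

def make_demo_archive(with_indicator: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("phpMyAdmin-3.5.2.2-all-languages/index.php", "<?php // demo\n")
        if with_indicator:
            zf.writestr("phpMyAdmin-3.5.2.2-all-languages/server_sync.php", "<?php // demo\n")
    return buf.getvalue()


def make_demo_webroot() -> str:
    """Temporary directory laid out like an unpacked corrupted install."""
    root = tempfile.mkdtemp(prefix="pma-demo-")
    os.makedirs(os.path.join(root, "phpmyadmin", "js"))
    for rel in ("phpmyadmin/index.php", "phpmyadmin/server_sync.php", "phpmyadmin/js/main.js"):
        with open(os.path.join(root, rel), "w") as f:
            f.write("// demo\n")
    return root


DEMO_LOG = [
    '203.0.113.7 - - [23/Sep/2012:02:14:09 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [23/Sep/2012:02:15:31 +0000] "POST /phpmyadmin/server_sync.php HTTP/1.1" 200 87 "-" "python-requests/0.13"',
    '198.51.100.9 - - [23/Sep/2012:02:15:40 +0000] "GET /phpmyadmin/server_sync.php?x=1 HTTP/1.1" 200 12 "-" "curl/7.26.0"',
    "a line that is not in combined log format",
]

if __name__ == "__main__":
    good, bad = make_demo_archive(False), make_demo_archive(True)
    known_good = sha256_hex(good)  # stand-in for the digest the project publishes
    print("download matches release:", archive_matches(bad, known_good))
    print("indicator in archive:", archive_indicator_members(bad))
    print("indicator on disk:", find_indicator_files(make_demo_webroot()))
    for hit in backdoor_requests(DEMO_LOG):
        print("backdoor request:", hit)
```

The digest comparison is the only check that proves a download is genuine; the file-name checks only catch this particular tampering, and a log search only shows access, not what was executed, so a confirmed hit on server_sync.php should be treated as a compromise of everything the web server user could reach.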

SourceForge thanks the phpMyAdmin team and the Tencent security team for escalating this issue.

Thank you,
The SourceForge team

34 Responses to “phpMyAdmin corrupted copy on Korean mirror server”

  1. Tonejito Sep 25, 2012 at 4:10 pm #

    @sourceforge SECURITY ALERT: phpMyAdmin download contained backdoored file. Details at http://t.co/Hp0Lzkhu http://t.co/JwcHlekf

  2. jsalsman Sep 25, 2012 at 7:55 pm #

    Perhaps automated mirror validation is called for?

    • Jacob Moorman Sep 26, 2012 at 6:38 am #

       @jsalsman Periodic validation of all mirrors is already implemented (even before this event).

      • duhderp Sep 26, 2012 at 11:30 am #

         @Jacob Moorman @jsalsman And so obviously isn’t good enough? Perhaps any time the files on a mirror change they should be verified against a known good working copy?
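The check the comment above suggests, as an added example (not SourceForge's own mirror-validation code, whose workings this page does not describe): the master publishes a manifest of relative path to SHA-256 for every release file, and a checker run against each mirror reports files whose digest differs, files the manifest lists that are absent, and files present on the mirror but absent from the manifest, which is how a swapped archive or a dropped-in extra file shows up. The directory trees, file contents and digests are constructed for the demo.

```python
"""Verify a mirror tree against a known-good manifest (added example)."""
import hashlib
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Relative path -> sha256 for every regular file under root.

    Run on the master copy this yields the manifest; run on a mirror it
    yields the state to compare against that manifest.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_mirror(mirror_root: str, manifest: dict) -> dict:
    """Compare a mirror tree to the master manifest.

    Returns sorted lists under 'modified', 'missing' and 'extra'; all three
    empty means the mirror matches the master byte for byte.
    """
    on_mirror = build_manifest(mirror_root)
    modified = sorted(p for p, d in manifest.items() if p in on_mirror and on_mirror[p] != d)
    missing = sorted(p for p in manifest if p not in on_mirror)
    extra = sorted(p for p in on_mirror if p not in manifest)
    return {"modified": modified, "missing": missing, "extra": extra}


def mirror_is_clean(report: dict) -> bool:
    return not (report["modified"] or report["missing"] or report["extra"])


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed master and mirror trees; returns (clean_report, tampered_report).

    File contents are placeholders, not real archives.
    """
    master = tempfile.mkdtemp(prefix="master-")
    mirror = tempfile.mkdtemp(prefix="mirror-")
    files = {
        "phpmyadmin/phpMyAdmin-3.5.2.2-all-languages.zip": b"genuine archive bytes",
        "phpmyadmin/phpMyAdmin-3.5.2.2-english.zip": b"other genuine archive",
    }
    for rel, data in files.items():
        _write(master, rel, data)
        _write(mirror, rel, data)
    manifest = build_manifest(master)
    clean = verify_mirror(mirror, manifest)
    # Simulate the tampering the post describes: one archive replaced by a
    # modified copy, plus a stray file that the master never published.
    _write(mirror, "phpmyadmin/phpMyAdmin-3.5.2.2-all-languages.zip", b"archive with server_sync.php")
    _write(mirror, "phpmyadmin/.hidden-dropper", b"x")
    tampered = verify_mirror(mirror, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean mirror:", mirror_is_clean(before))
    print("after tampering:", after)
```

The manifest has to travel from the master to the checker over a channel the mirror cannot alter (fetched from the master, not from the mirror under test), otherwise an attacker who replaces an archive can replace its digest too; running the comparison after every sync, rather than on a periodic schedule, closes the window that let the modified archive sit on the mirror for three days.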

  3. gslin Sep 26, 2012 at 2:46 am #

    @jnlin Hilarious, I just spat out my food.

  4. dspe Sep 26, 2012 at 11:44 am #

    @mojoLyon What an idea, having phpMyAdmins as well 😀

    • mojoLyon Sep 26, 2012 at 11:47 am #

      @dspe Absolutely ;) Well, in this case it was via a mirror in Korea, so less impact in Europe, but better safe than sorry :)

Trackbacks/Pingbacks

  1. A backdoor was found planted in the phpMyAdmin code on one of the SourceForge.net mirrors | Интересное в сети - Sep 25, 2012

    […] of the SourceForge.net hosting service acknowledged the compromise of one of the servers in the system […]

  2. A backdoor was found planted in the phpMyAdmin code on one of the SourceForge.net mirrors « conon print - Sep 26, 2012

    […] of the SourceForge.net hosting service acknowledged the compromise of one of the servers in the system […]

  3. PhpMyAdmin 3.5.2.2 Backdoor | Power-Netz bloggt! - Sep 26, 2012

    […] According to SourceForge, the affected file was downloaded around 400 times. After the problem became known on September 25, 2012, SourceForge removed the affected mirror server from its distribution system. According to SourceForge, the operator of the mirror server has already determined how the attack took place. It is assumed that only this single server is affected. […]

  4. 1081009 | Backdoor found in phpMyAdmin hosted on SourceForge; the file is believed to have been modified by a hacker | ร้อยแปดพันเก้า.com 1081009 - Sep 26, 2012

    […] – phpMyAdmin Security, SourceForge via […]

  5. Michal Čihař: Compromised SourceForge mirror | PHP World - Sep 26, 2012

    […] exploit could not be alive before 22nd September 2012) and not on a much frequented mirror (based on SourceForge's official statement, about 400 users have downloaded the file with […]

  6. phpMyAdmin with a backdoor | Edv-Sicherheitskonzepte.de – News blog covering many areas - Sep 26, 2012

    […] by SourceForge to distribute a manipulated version of the database administration tool phpMyAdmin that contains a backdoor. The backdoor was located in the installation archive […]

  7. Wel. R. Braga » Backdoor in phpMyAdmin, check your version - Sep 26, 2012

    […] SourceForge's official note on the matter is at this link: phpMyAdmin Back Door | SourceForge Community Blog, and the official note from the phpMyAdmin development group is here: PMASA-2012-5. […]

  8. ste williams » SourceForge mirror cracked: Served admin tool with gaping backdoor - Sep 26, 2012

    […] was available for three days from 22 September until its discovery on 25 September, according to a statement by SourceForge, which said the tainted code was only served from its Korean mirror. The motives, […]

  9. Easy Windows Checksum | Robert Meffe's Weblog - Sep 26, 2012

    […] Easy Windows Checksum  General, Programming  Add comments Sep 26, 2012   After the recent “attack” from a mirror site of Source Forge, I decided I also need to check MD5 check-sums on windows machines. You can read about the “backdoor” that was added into phpMyAdmin here: http://sourceforge.net/blog/phpmyadmin-back-door/ […]

  10. SourceForge mirror compromised, backdoor slipped into phpMyAdmin | PHP OOPS – PHP Development - Sep 26, 2012

    […] SourceForge server in question was cdnetworks-kr-1, a Korean mirror. In a separate post by the SourceForge team, it confirmed that the owner of the mirror identified a breach of its systems “on or around […]

  11. phpMyAdmin distributed with backdoor | IDcolo Blog - Sep 26, 2012

    […] attackers have managed to distribute a modified version of the open source phpMyAdmin database management tool that contained a […]

  12. phpMyAdmin corrupted copy on Korean mirror server | the Security Factory - Sep 26, 2012

    […] from the 'cdnetworks-kr-1' mirror in Korea. This mirror was immediately removed from rotation: http://sourceforge.net/blog/phpmyadmin-back-door/ This entry was posted in Uncategorized by Stijn. Bookmark the […]

  13. phpMyAdmin backdoor on SourceForge | InterSowa - Sep 26, 2012

    […] More information at the link. […]

  14. Malicious Copy of MySQL Tool Distributed Through SourceForge Mirror - Fundamental Technology Partners Inc. - Sep 26, 2012

    […] a corrupted copy of phpMyAdmin being served from the 'cdnetworks-kr-1' mirror in Korea,” according to SourceForge. “This mirror was immediately removed from rotation. The mirror provider has confirmed the […]

  15. SourceForge distributes phpMyAdmin with backdoor after mirror hacked | LIVE HACKING - Sep 27, 2012

    […] has stopped using one of its mirrors in Korea after the popular open source website was alerted to a corrupted copy of phpMyAdmin being served from that site. The 'cdnetworks-kr-1' mirror in Korea was immediately removed […]

  16. SourceForge serves up malware-infected phpMyAdmin toolkit » Cyber Crimes Unit | Cyber Crimes Unit - Sep 27, 2012

    […] just being careful isn’t always enough. Both phpMyAdmin and SourceForge have published security alerts confirming that the official phpMyAdmin 3.5.2.2 distribution was […]

  17. Dangerous phpMyAdmin backdoor found on SourceForge | Cybrog - Sep 27, 2012

    […] Update: http://sourceforge.net/blog/phpmyadmin-back-door/ Notice: http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php Affected Versions […]

  18. SourceForge found a security hole in the phpMyAdmin archive | ww.lt - a few interesting blogs to read - Sep 27, 2012

    […] Source: ArsTechnica, SourceForge […]

  19. Malicious Copy of MySQL Tool Distributed Through SourceForge Mirror | PHP OOPS – PHP Development - Sep 27, 2012

    […] copy of phpMyAdmin being served from the 'cdnetworks-kr-1' mirror in Korea,” according to SourceForge. “This mirror was immediately removed from rotation. The mirror provider has confirmed the […]

  20. Compromised phpMyAdmin download reinforces importance of verifying checksums | CD DISK - Sep 27, 2012

    […] were notified. According to SourceForge, the malicious phpMyAdmin package was downloaded a mere 400 times from the Korean download mirror. Further, the number of live websites using that backdoor-laden […]

  21. A backdoor was found planted in the phpMyAdmin code on one of the SourceForge.net mirrors | SCRIPTS73 - Sep 28, 2012

    […] of the SourceForge.net hosting service acknowledged the compromise of one of the servers in the system […]

  22. phpMyAdmin backdoor - Irregular Expressions - Sep 29, 2012

    […] http://sourceforge.net/blog/phpmyadmin-back-door/ […]

  23. Backdoor in a version of phpMyAdmin hosted on SourceForge | PillolHacking.Net - Sep 30, 2012

    […] news began circulating on September 25, when those responsible at SourceForge noticed that one of their mirrors had been attacked and had become a vector for the […]

  24. > Backdoor in a version of phpMyAdmin hosted on SourceForge | Giornale Blog - Sep 30, 2012

    […] news began circulating on September 25, when those responsible at SourceForge noticed that one of their mirrors had been attacked and had become a vector for the […]

  25. The Indelible Bonobo Experience - Oct 1, 2012

    […] immediately removed from rotation,” Rich Bowen, the Community Growth Hacker at SourceForge, confirmed on the site’s […]

  26. Questions abound as malicious phpMyAdmin backdoor found on SourceForge site - PHP web application, Joomla, ecommerce website development - PHP OOPS – PHP Development - Oct 4, 2012

    […] In a blog post, SourceForge officials said they believe only the affected phpMyAdmin-3.5.2.2-all-languages.zip […]

  27. Dealing with WordPress Malware | Sucuri Blog - Oct 11, 2012

    […] phpMyAdmin Corrupt Mirror – September 2012 – A mirror was compromised and a simple pass-through shell like the one shown in the demonstration was used to infiltrate the server. […]
