November 24, 2014

SourceForge distributes phpMyAdmin with backdoor after mirror hacked

(LiveHacking.Com) – SourceForge has stopped using one of its mirrors in Korea after the popular open source website was alerted to a corrupted copy of phpMyAdmin being served from that site. The ‘cdnetworks-kr-1’ mirror in Korea was immediately removed from rotation when it was discovered that the mirror had been hacked (via an as yet unknown vector) and had started serving a modified copy of phpMyAdmin-3.5.2.2-all-languages.zip with a built-in backdoor that allowed the execution of arbitrary commands.

According to an advisory posted on the phpMyAdmin website, the backdoor is located in file server_sync.php and allows an attacker to remotely execute PHP code. Another file, js/cross_framing_protection.js, has also been modified.

SourceForge has examined its logs and has identified around 400 users who downloaded the hacked file. Where it was able to identify those users through the logs, SourceForge has sent them emails.

SourceForge is currently conducting additional validation to confirm that only one file was modified on the ‘cdnetworks-kr-1’ mirror and will post an update once this process is complete. For the moment the mirror remains out of rotation.

Anyone concerned that they may have downloaded a corrupt version of the popular MySQL administration software should check their phpMyAdmin distribution and, if it contains the file server_sync.php, download it again from a trusted mirror.
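The check described above can be run across a whole host rather than one directory. The following is an added example, not code from the article, phpMyAdmin or SourceForge: it walks a directory tree and reports both extracted copies and downloaded zip archives that contain server_sync.php. The function names and the sample tree are hypothetical and constructed for illustration.

```python
import os
import tempfile
import zipfile

INDICATOR = "server_sync.php"  # file the advisory says carries the backdoor


def archive_hits(zip_path):
    """Return member paths inside a zip whose basename is the indicator file."""
    with zipfile.ZipFile(zip_path) as zf:
        return [n for n in zf.namelist()
                if n.rsplit("/", 1)[-1].lower() == INDICATOR]


def scan(root):
    """Walk root; report extracted copies and zip archives holding the file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == INDICATOR:
                findings.append(("extracted", full))
            elif name.lower().endswith(".zip"):
                try:
                    for member in archive_hits(full):
                        findings.append(("archive", f"{full}!{member}"))
                except zipfile.BadZipFile:
                    # Truncated or corrupt download: flag for manual review
                    findings.append(("unreadable", full))
    return sorted(findings)


def build_sample(root):
    """Constructed sample data: one clean tree, one archive with the indicator."""
    clean = os.path.join(root, "www", "pma-clean")
    os.makedirs(clean)
    open(os.path.join(clean, "index.php"), "w").close()
    bad_zip = os.path.join(root, "downloads", "sample-download.zip")
    os.makedirs(os.path.dirname(bad_zip))
    with zipfile.ZipFile(bad_zip, "w") as zf:
        zf.writestr("pma/index.php", "<?php // placeholder")
        zf.writestr("pma/server_sync.php", "<?php // placeholder, inert")
    return bad_zip


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kind, where in scan(tmp):
            print(kind, where)
```

A hit only means the copy matches the indicator named in the advisory; the modified js/cross_framing_protection.js cannot be detected by name alone, so any flagged copy should be replaced from a trusted mirror rather than cleaned in place.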

 
