September 29, 2016

phpMyAdmin Vulnerability and Brute Force SSH Attacks


One or more large botnets are actively exploiting a vulnerability in phpMyAdmin. The exploit targets older versions of the package (below 3.2.4) and allows remote code execution on the server.

According to malwarecity, these botnets have been using the exploit to upload a bot named “dd_ssh”, which can be executed at root level. The bot then conducts brute force SSH attacks against random IP addresses specified by the bot herder.

Many people who have been attacked have logs showing a flood of HTTP requests from IPs in Asia and Eastern Europe that query the version of phpMyAdmin. Upon successful exploitation the attacker drops the malicious files at /tmp/vm.c and /tmp/dd_ssh, and then starts the dd_ssh service.
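The two indicators above (a burst of phpMyAdmin version probes in the web access log, and the dropped files in /tmp) can be checked for with a short script. The following is an added example, not code from the original post or from malwarecity; it assumes Apache combined log format, uses constructed sample log lines, and assumes the README/ChangeLog/Documentation.html paths as typical version-probe targets.

```python
import re
from collections import Counter
from pathlib import Path

# Constructed sample access log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Sep/2016:10:00:01 +0000] "GET /phpmyadmin/README HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.7 - - [29/Sep/2016:10:00:02 +0000] "GET /phpMyAdmin/ChangeLog HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.7 - - [29/Sep/2016:10:00:02 +0000] "GET /pma/README HTTP/1.1" 404 210 "-" "Mozilla/4.0"
198.51.100.5 - - [29/Sep/2016:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Extract source IP and request path from a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')
# Assumed version-fingerprint paths: static files that reveal the phpMyAdmin release.
PROBE_RE = re.compile(r'/(phpmyadmin|pma)[^ ]*/(README|ChangeLog|Documentation\.html)$', re.I)
# Dropped file paths named in the post.
DROPPED_FILES = ("/tmp/vm.c", "/tmp/dd_ssh")


def probe_counts(log_text):
    """Count phpMyAdmin version-probe requests per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and PROBE_RE.search(m.group("path")):
            counts[m.group("ip")] += 1
    return counts


def flag_probers(log_text, threshold=3):
    """Return source IPs that issued at least `threshold` version probes."""
    return sorted(ip for ip, n in probe_counts(log_text).items() if n >= threshold)


def dropped_files_present(paths=DROPPED_FILES):
    """Return which of the known dropped-file paths exist on this host."""
    return [p for p in paths if Path(p).exists()]


if __name__ == "__main__":
    print("probing IPs:", flag_probers(SAMPLE_LOG))
    print("dropped files found:", dropped_files_present())
```

On a live host, feed the real access log into `flag_probers` and treat any hit from `dropped_files_present` as a sign the server has already been compromised and should be taken offline for forensics.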

Read more here at malwarecity.com.

Source: [Malwarecity]