Educause Security Discussion mailing list archives
Re: Compromised version of phpMyAdmin contains backdoor
From: Chuck Braden <j-braden () TAMU EDU>
Date: Thu, 27 Sep 2012 14:58:30 +0000
Sorry, I guess I misunderstood the question. In answer to your question about other content on that mirror host, I have not seen anything else identified.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chuck Braden
Sent: Thursday, September 27, 2012 9:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Compromised version of phpMyAdmin contains backdoor

Latest update seems to only indicate that only the cdnetworks-kr-1 mirror was affected.

http://nakedsecurity.sophos.com/2012/09/27/sourceforge-serves-up-malware-infected-phpmyadmin-toolkit/

The silver lining is that only the Korean mirror cdnetworks-kr-1 had the malicious version:

One of the SourceForge.net mirrors, namely cdnetworks-kr-1, was being used to distribute a modified archive of phpMyAdmin, which includes a backdoor. This backdoor is located in file server_sync.php and allows an attacker to remotely execute PHP code. Another file, js/cross_framing_protection.js, has also been modified.

Jimmy C Braden
Information Security Officer
AgriLife Information Technology
979-862-7254
j-braden () tamu edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basile, Daniel L.
Sent: Tuesday, September 25, 2012 8:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Compromised version of phpMyAdmin contains backdoor

Absolutely not. That is one of the major concerns.

-Dan Basile

On Sep 25, 2012, at 8:19 PM, "Valdis Kletnieks" <Valdis.Kletnieks () VT EDU> wrote:

> On Tue, 25 Sep 2012 20:56:14 -0000, Chuck Braden said:
> > If you are running phpMyAdmin, and have recently performed an update, you might have a compromised version. In short, any version that was downloaded from the SourceForge Mirror site - cdnetworks-kr-1
>
> Has anybody established that's the *only* thing pwned on that SourceForge mirror?
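
Added example, not part of the original thread: one way to check an installed phpMyAdmin directory against a copy unpacked from a trusted source, reporting files that differ, are extra, or are missing. The function names, the sample trees and their file contents are constructed for illustration; only the paths server_sync.php and js/cross_framing_protection.js come from the advisory quoted above.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(trusted_root, installed_root):
    """List files modified, added or missing relative to the trusted copy."""
    good, live = manifest(trusted_root), manifest(installed_root)
    return {
        "modified": sorted(f for f in good.keys() & live.keys() if good[f] != live[f]),
        "added": sorted(live.keys() - good.keys()),
        "missing": sorted(good.keys() - live.keys()),
    }


def write_tree(root, files):
    """Demo helper: create files (relative path -> text content) under root."""
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def demo():
    """Constructed trees; contents are placeholders, not real phpMyAdmin code."""
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as installed:
        write_tree(trusted, {
            "index.php": "<?php // placeholder",
            "server_sync.php": "<?php // placeholder original",
            "js/cross_framing_protection.js": "// placeholder original",
        })
        write_tree(installed, {
            "index.php": "<?php // placeholder",
            "server_sync.php": "<?php // placeholder altered",
            "js/cross_framing_protection.js": "// placeholder altered",
            "unexpected_extra.php": "<?php // constructed extra file",
        })
        return compare_trees(trusted, installed)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The trusted tree has to come from a source verified independently of the mirror in question, otherwise the comparison only confirms that two copies of the same archive match.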
Current thread:
- Compromised version of phpMyAdmin contains backdoor Chuck Braden (Sep 25)
- Re: Compromised version of phpMyAdmin contains backdoor Valdis Kletnieks (Sep 25)
- Re: Compromised version of phpMyAdmin contains backdoor Basile, Daniel L. (Sep 25)
- Re: Compromised version of phpMyAdmin contains backdoor Chuck Braden (Sep 27)
- Re: Compromised version of phpMyAdmin contains backdoor Chuck Braden (Sep 27)
- Re: Compromised version of phpMyAdmin contains backdoor Basile, Daniel L. (Sep 25)
- Re: Compromised version of phpMyAdmin contains backdoor Valdis Kletnieks (Sep 25)