Keep your phpMyAdmin installations up to date!

August 12th, 2010

A phpMyAdmin exploit is doing the rounds, and we have seen various blogs and hosts in a panic. Thankfully Laws Hosting wasn’t affected, as we take extra measures in the way we install phpMyAdmin on our servers.

What we heard is that the affected systems behaved completely normally, except that they were running SSH brute-force attacks against several randomly chosen remote servers. So what happened?

The attacker used a vulnerability in a phpMyAdmin installation that had once been set up, used once or twice, and then forgotten (version 2.10.xx or so). Sadly, whoever installed phpMyAdmin did not remove the setup.php file (which the readme encourages you to do). This setup.php was the attacker’s starting point: he or she dropped an SSH client, running as root, in /tmp/dd_ssh, which started about 100 child processes.

The cleanup was as follows:

  • Removed phpMyAdmin
  • Removed all suspicious files in /tmp
  • Restarted the network interfaces
  • Changed all user passwords
  • Installed fail2ban
  • Changed /tmp to be non-executable

Suggestions for today:

  • Keep your phpMyAdmin up to date
  • Search for installations on all your servers NOW!
  • Do NOT install in a folder named “phpmyadmin”, “sqladmin” or similar. Use a non-guessable name.
  • Protect it with .htaccess at the very least
  • Last but not least: if you can access your server via SSH, there’s no need for phpMyAdmin at all. Set up an SSH tunnel, use your favourite MySQL GUI, and bingo, you’re safe.
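
As an added example (not Laws Hosting’s own tooling), a POSIX shell audit that does the “search all your servers” step and the protection checks from the list above. It assumes an install can be recognised by its libraries/common.inc.php file and builds a constructed demo tree when run without arguments:

```shell
#!/bin/sh
# Audit a web root for phpMyAdmin copies and report the three weaknesses the
# post describes: leftover setup.php, no .htaccess, guessable directory name.
# Assumption: an install is recognised by libraries/common.inc.php (present in
# the 2.x/3.x trees); adjust MARKER if your copies are laid out differently.
MARKER="libraries/common.inc.php"

# audit_pma WEBROOT: prints "<dir>: <finding>..." per install with findings;
# installs that pass all three checks print nothing.
audit_pma() {
    find "$1" -type f -path "*/$MARKER" 2>/dev/null | while IFS= read -r marker; do
        dir=${marker%"/$MARKER"}
        findings=""
        # 1. setup.php left behind (the attacker's entry point in the post);
        #    checked at the install root and under scripts/, where 2.x kept it
        if [ -f "$dir/setup.php" ] || [ -f "$dir/scripts/setup.php" ]; then
            findings="$findings setup.php-present"
        fi
        # 2. no .htaccess at the install root, so nothing limits who can reach it
        if [ ! -f "$dir/.htaccess" ]; then
            findings="$findings no-htaccess"
        fi
        # 3. a directory name anyone would try first
        case "$(basename "$dir" | tr 'A-Z' 'a-z')" in
            phpmyadmin*|sqladmin*) findings="$findings guessable-name" ;;
        esac
        if [ -n "$findings" ]; then echo "$dir:$findings"; fi
    done
}

# make_demo_tree: constructed sample web root (not real data) with one neglected
# install and one hardened install; prints its path.
make_demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/phpmyadmin/libraries" "$base/x7k2/libraries"
    : > "$base/phpmyadmin/libraries/common.inc.php"
    : > "$base/phpmyadmin/setup.php"   # forgotten setup script
    : > "$base/x7k2/libraries/common.inc.php"
    : > "$base/x7k2/.htaccess"         # access restricted
    echo "$base"
}

# Usage: sh pma_audit.sh /var/www ; with no argument, audits the demo tree.
demo=""; [ "$#" -gt 0 ] || demo=$(make_demo_tree)
audit_pma "${1:-$demo}"
[ -z "$demo" ] || rm -rf "$demo"
```

Run it against each server’s web root; any line it prints is an install that needs the cleanup steps above, and an install that prints nothing still needs its version checked.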

We advise our clients not to install their own phpMyAdmin on their domains, and just use our versions that we supply.
