The popular open-source repository SourceForge is investigating how a corrupted copy of phpMyAdmin came to be served from a Korean-based mirror. Logs indicate 400 users downloaded the malicious file before it was removed from rotation today.
“One of the SourceForge.net mirrors, namely cdnetworks-kr-1, was being used to distribute a modified archive of phpMyAdmin, which includes a backdoor. This backdoor is located in file server_sync.php and allows an attacker to remotely execute PHP code. Another file, js/cross_framing_protection.js, has also been modified,” according to the site phpMyAdmin.
The database administration tool is used for the open-sourced, Web-based MySQL. SourceForge officials believe at present only the phpMyAdmin-18.104.22.168-all-languages.zip package was affected.
The backdoor appears to have been introduced on or around September 22, according to a notice from the SourceForge Team.
“Through logs, we have identified that approximately 400 users downloaded this corrupted file. Notice of this corrupted file has been transmitted through security notice by the phpMyAdmin project and direct email to those users we were able to identify through our logs. The corrupted copy included malicious code allowing arbitrary commands by the Web server user.
“It is our recommendation that downloaders of this corrupted file (which contains ‘server_sync.php’) assess risk and take action as they deem appropriate, including deletion of the corrupted file and downloading a fresh copy,” according to the warning. “Downloaders are at risk only if a corrupt copy of this software was obtained, installed on a server, and serving was enabled. Examination of web logs and other server data should help confirm whether this backdoor was accessed.”