A screenshot of a system containing a malicious backdoor that was snuck into the open-source phpMyAdmin package. Researchers said the file date may be fraudulent.

Developers of phpMyAdmin warned users they may be running a malicious version of the open-source software package. The message comes after developers discovered backdoor code was snuck into a package being distributed over the widely used SourceForge repository.

The backdoor contains code that allows remote attackers to take control of the underlying server running the modified phpMyAdmin (a Web-based tool for managing MySQL databases), said HD Moore, CSO of Rapid7. The PHP script is found in a file named server_sync.php, and it reads PHP code embedded in standard POST Web requests then executes it. This allows anyone who knows the backdoor is present to execute code of his choice. Moore, who is also chief architect of the Metasploit exploit package for penetration testers and hackers, told Ars a module has already been added that tests for the vulnerability.

The backdoor is concerning because it was distributed on one of the official mirrors for SourceForge. SourceForge hosts more than 324,000 open-source projects, serves more than 46 million consumers, and handles more than four million downloads each day. SourceForge officials didn’t respond to e-mails seeking details for this article, so crucial questions remain unanswered. It’s still unclear, for instance, if the compromised server hosted other maliciously modified software packages, if other official SourceForge mirror sites were also affected, and if the central repository that feeds these mirror sites might also have been attacked.

Read 5 remaining paragraphs | Comments

via Ars Technica » Technology Lab http://feeds.arstechnica.com/~r/arstechnica/technology-lab/~3/LjmYeh8HDn0/

Advertisements