phpMyAdmin PHP Code Injection Exploit attempt on my server

This morning, when i checked my Give Back India site’s access log i found some scripts/setup.php request attempts. In fact, not ‘some’ but hundreds of them. All requests were made targeting phpMyAdmin’ installations on my server. Here are a few of them:

phpadmin/scripts/setup.php
phpMyAdmin/scripts/setup.php
xampp/phpmyadmin/scripts/setup.php
pma/scripts/setup.php
phpmyadmin2/scripts/setup.php
phpmyadmin/scripts/setup.php
phpmyadmin1/scripts/setup.php
web/phpMyAdmin/scripts/setup.php
typo3/phpmyadmin/scripts/setup.php
mysqladmin/scripts/setup.php
myadmin/scripts/setup.php
web/scripts/setup.php
phpMyAdmin-2.6.0-beta2/scripts/setup.php
phpMyAdmin-2.6.0-beta1/scripts/setup.php
phpMyAdmin-2.6.0-pl2/scripts/setup.php
phpMyAdmin-2.6.0-rc2/scripts/setup.php

… so on. As i said there are hundred of them, so i cannot list them all here.

This was an hack attempt

After Googling a bit i learned that it was a part of “phpMyAdmin PHP Code Injection Exploit” attempt. The configuration setup script (aka scripts/setup.php) in phpMyAdmin 2.11.x before 2.11.9.5 does not properly restrict key names in its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request. (Ref. http://www.cvedetails.com/cve/CVE-2010-3055/)

How/Why does it work?

The most common exploit that could happen to a dedicated server is a script exploit. The hackers would pass the script some variables and commands in an http URL and the vulnerability is that the script would allow the commands to be run.

The exploit could give hacker non root access to a server. At one time some known php scripts such as phpMyAdmin, PHPBB and AWstats were vulnerable to such exploits. Then, corresponding community would know the script vulnerability and get it fixed. To read more about the ‘how and why’ of the exploit here is a good source, http://forums.atjeu.com/showthread.php?t=789.

How to protect yourself

Before installing/using any script go through all possible reviews and feedbacks about the script. Avoid using outdated or beta scripts on a production server. Well protect your private scripts and areas. Regularly check your site’s access logs and if possible set some email forwarder carrying your access logs or site errors. Whenever you find that some intruder was consistently hitting your urls think of blocking it from accessing your server altogether.

Here are some methods you can use to block unwanted user or servers by their IP addresses or addresses respectively. You need to place these rules in a .htaccess file and place this .htaccess file at the web root folder of your website.

To block by ip address:

order allow,deny
deny from 85.114.137.57
deny from 202.117.67.89
allow from all

To block a whole range of ip addresses

order allow,deny
deny from 192.168.
deny from 85.114.137.
allow from all

To block an evil ISP (Internet Service Providers)

order allow,deny
deny from some-evil-isp.com
deny from subdomain.another-evil-isp.com
allow from all

Thanks to a good articles on blocking internet attackers/leeches by John here http://blamcast.net/articles/block-bots-hotlinking-ban-ip-htaccess.

I hope this post helps many.

2 thoughts on “phpMyAdmin PHP Code Injection Exploit attempt on my server

Leave a Reply