Malicious phpMyAdmin served from SourceForge mirror

A malicious version of the open source Web-based MySQL database administration tool phpMyAdmin has been discovered on one of the official mirror sites of SourceForge, the popular online code repository for free and open source software.

The phpMyAdmin team was notified of the issue by the Tencent Security Response Center, and they immediately put up a warning for its users. Then they proceeded to alert the team at SourceForge, who mounted an investigation into the matter.

“On September 25th, SourceForge became aware of a corrupted copy of phpMyAdmin being served from the “cdnetworks-kr-1′ mirror in Korea. This mirror was immediately removed from rotation,” Rich Bowen, the Community Growth Hacker at SourceForge, confirmed on the site’s blog.

“The mirror provider has confirmed the attack vector has been identified and is limited to their mirror; with exploit having occurred on or around September 22nd.”

The file – phpMyAdmin-3.5.2.2-all-languages.zip – was modified to include a backdoor that allowed attackers to remotely execute PHP code on the server running the malicious version of phpMyAdmin.

According to their logs, some 400 users downloaded the corrupted file, and those who could be tracked down via those logs were immediately alerted.

“Downloaders are at risk only if a corrupt copy of this software was obtained, installed on a server, and serving was enabled. Examination of web logs and other server data should help confirm whether this backdoor was accessed,” Bowen instructs.

“It is our recommendation that downloaders of this corrupted file (which contains “server_sync.php’) assess risk and take action as they deem appropriate, including deletion of the corrupted file and downloading a fresh copy.”

At the time being, it seems that only that one file was corrupted, but the investigation continues.