

phpMyAdmin Scans

Published: 2009-06-21
Last Updated: 2009-06-23 12:47:11 UTC
by Scott Fendley (Version: 2)

Happy Father's Day (at least to those in the USA),

Earlier today one of our readers (Thanks Alice) noticed that there was a lot more activity related to one of her servers which was running phpMyAdmin. Upon further investigation, it appears that her server had been compromised by exploitation of the vulnerability detailed in PMASA-2009-4. The attacker uploaded a lot of the same old types of tools, such as a misnamed EnergyMech IRC bot, a Perl-based UDP flooding tool, and an automated tool to attempt phpMyAdmin.

It is now past time to update to phpMyAdmin 3.1.3.2 and/or update firewall rules to keep the public Internet from touching this web application.
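One way to check whether that restriction is actually in place is to audit the web server's access log for phpMyAdmin requests from outside trusted networks. This is an added example, not part of the original diary; the trusted networks, the path names matched and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: networks allowed to reach phpMyAdmin; adjust for your site.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# "combined" access-log line: client IP, method, path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Assumption: phpMyAdmin is served under a path with one of these names.
PMA_RE = re.compile(r"/(phpmyadmin|pma)(/|\?|$)", re.IGNORECASE)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
10.1.2.3 - alice [21/Jun/2009:09:00:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [21/Jun/2009:10:11:12 +0000] "GET /phpMyAdmin/ HTTP/1.1" 200 4096 "-" "-"
203.0.113.7 - - [21/Jun/2009:10:11:13 +0000] "GET /pma/ HTTP/1.1" 404 208 "-" "-"
198.51.100.9 - - [21/Jun/2009:10:12:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"
198.51.100.20 - - [21/Jun/2009:10:13:00 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 403 199 "-" "-"
not a log line
"""

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # hostnames or junk are treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def audit(log_text):
    """Per untrusted client: phpMyAdmin requests seen and how many were served."""
    report = defaultdict(lambda: {"hits": 0, "served": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines
        client, _method, path, status = m.groups()
        if not PMA_RE.search(path) or is_trusted(client):
            continue
        report[client]["hits"] += 1
        if status[0] in "23":  # 2xx/3xx: the application answered this client
            report[client]["served"] += 1
    return dict(report)

def exposed(report):
    """Untrusted clients that got a successful response: the restriction is not effective."""
    return sorted(ip for ip, r in report.items() if r["served"])

if __name__ == "__main__":
    print(audit(SAMPLE_LOG), exposed(audit(SAMPLE_LOG)))
```

An empty result from `exposed()` means outside clients were only denied or missed the path; any address listed there received a served response and shows the application is still reachable from the Internet.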

 

Updated: Monday 06/22/2009 22:30 UTC

I have heard more reports locally about activity which seems to point to phpMyAdmin scanning and exploitation. I haven't seen a copy of the exploiting tool as of yet. If you happen to get a copy of the tool, or get packet captures of it at work, please feel free to send them to us.

Scott Fendley ISC Handler

Keywords: phpMyAdmin probe