SourceForge Mirror Distributed phpMyAdmin Software Loaded With Backdoor
By Steve Ragan | September 26, 2012



On Tuesday, SourceForge and the phpMyAdmin project reported that one of their mirrors was serving a compromised version of the MySQL management application. The investigation is ongoing SourceForge said, but it is believed that the number of potential victims were small.

The mirror was in Korea, and the compromised version of phpMyAdmin was downloaded 400 times before the incident was detected. The hijacked download contained a backdoor that would allow a remote attacker access to the host, and the ability to issue commands via PHP.

"One of the SourceForge.net mirrors, namely cdnetworks-kr-1, was being used to distribute a modified archive of phpMyAdmin, which includes a backdoor," the phpMyAdmin web site explained. "This backdoor is located in file server_sync.php and allows an attacker to remotely execute PHP code. Another file, js/cross_framing_protection.js, has also been modified."

“On September 25th, SourceForge became aware of a corrupted copy of phpMyAdmin being served from the ‘cdnetworks-kr-1′ mirror in Korea. This mirror was immediately removed from rotation,” SourceForge reported in a blog post.

The mirror’s operator confirmed the breach, and immediately disabled the mirror. While it is believed only the Korean mirror’s download was modified, SourceForge is continuing to check the others. As of Wednesday, the mirror remains out of rotation.

“Through logs, we have identified that approximately 400 users downloaded this corrupted file. Notice of this corrupted file has been transmitted through security notice by the phpMyAdmin project and direct email to those users we were able to identify through our logs,” SourceForge added.

It’s been advised by both the phpMyAdmin project and SourceForge that anyone who downloaded a copy of the software between September 22 and the 25th assess their risk and if need be download a new copy.