SourceForge mirror compromised, backdoor slipped into phpMyAdmin

One of SourceForge's mirrors was compromised this week, unwittingly serving users a version of phpMyAdmin containing a backdoor.
Written by Michael Lee, Contributor

Users have been tricked into downloading a compromised version of phpMyAdmin that contains a backdoor.

The free software, written in PHP, provides administrators with a way to manage their MySQL instances via a browser, rather than connecting directly to the server's SQL command line.

In its announcement, phpMyAdmin warned users that one of the SourceForge mirrors hosting the software for download was compromised and was distributing the software with a backdoor.

"This backdoor is located in file server_sync.php, and allows an attacker to remotely execute PHP code," phpMyAdmin said in its announcement. "Another file, js/cross_framing_protection.js, has also been modified."

The SourceForge server in question was cdnetworks-kr-1, a Korean mirror. In a separate post, the SourceForge team confirmed that the owner of the mirror identified a breach of its systems "on or around September 22."

SourceForge has since removed the mirror from the pool of servers that users can download hosted files from, but not before a number of users downloaded the modified version of the phpMyAdmin package.

"Through logs, we have identified that approximately 400 users downloaded this corrupted file. Notice of this corrupted file has been transmitted through security notice by the phpMyAdmin project and direct email to those users we were able to identify through our logs."

According to phpMyAdmin, users can easily detect whether their package was one of those compromised by checking whether it contains the file server_sync.php. SourceForge advised those who had already installed the package that an examination of their web logs and other server data should help confirm whether a backdoor was accessed.
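
The two checks described above, sketched as an added example that is not code from phpMyAdmin or SourceForge: it looks for server_sync.php under an install directory and lists access-log requests for that file. The combined log format, the function names and the sample log lines are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path
from urllib.parse import unquote

# File name taken from the phpMyAdmin announcement quoted in the article.
BACKDOOR_FILE = "server_sync.php"

# Assumed Apache/nginx "combined" log prefix: client, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation-range IPs, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:01:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [01/Jan/2000:10:05:40 +0000] "POST /phpmyadmin/server_sync.php HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.7 - - [01/Jan/2000:10:06:11 +0000] "GET /pma/server%5Fsync.php?x=1 HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.5 - - [01/Jan/2000:10:07:00 +0000] "GET /phpmyadmin/server_synchronize.php HTTP/1.1" 200 900 "-" "-"',
]

def find_backdoor_files(root):
    """Return every server_sync.php below root; per the announcement its presence marks a compromised package."""
    return sorted(p for p in Path(root).rglob(BACKDOOR_FILE) if p.is_file())

def backdoor_requests(log_lines):
    """Return the parsed fields of each request whose URL path names server_sync.php."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        # Drop the query string and decode %-escapes before comparing the file name.
        path = unquote(m.group("path").split("?", 1)[0])
        if path.rsplit("/", 1)[-1] == BACKDOOR_FILE:
            hits.append(m.groupdict())
    return hits

def served(hit):
    """A 2xx status means the web server answered from the file instead of rejecting the request."""
    return hit["status"].startswith("2")

if __name__ == "__main__":
    # Usage: script.py [install_dir] [access_log]; defaults to "." and the sample lines.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    lines = open(sys.argv[2], errors="replace") if len(sys.argv) > 2 else SAMPLE_LOG
    for path in find_backdoor_files(root):
        print("backdoor file present:", path)
    for hit in backdoor_requests(lines):
        print("SERVED " if served(hit) else "refused", hit["ts"], hit["ip"], hit["method"], hit["path"])
```

Requests marked SERVED are the ones to follow up in other server data, since the file responded to them.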
