
SANS ISC: phpMyAdmin Scans SANS ISC InfoSec Forums

phpMyAdmin Scans

Happy Father's Day (at least to those in the USA),

Earlier today one of our readers (Thanks Alice) noticed that there was a lot more activity related to one of her servers which was running phpMyAdmin. Upon further investigation it appears that her server had been compromised by exploitation of the vulnerability detailed in PMASA-2009-4. The attacker uploaded a lot of the same old types of tools such as a misnamed EnergyMech IRC bot, a Perl-based UDP flooding tool, and an automated tool to attempt phpMyAdmin.

It is now past time to update phpMyAdmin and/or update firewall rules to keep the public Internet from touching this web application.


Updated: Monday 06/22/2009 22:30 UTC

I have heard more reports locally about activity which seems to point to phpMyAdmin scanning and exploitation. I haven't seen a copy of the exploiting tool as of yet. If you happen to get a copy of the tool, or get packet captures of it at work, please feel free to send them to us.

Scott Fendley ISC Handler
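
To check your own web server for the kind of scanning described above, the following added example (not part of the original diary and not an ISC tool) summarizes phpMyAdmin probing per source address from an access log. The log lines are constructed samples, and the path pattern and the threshold of three distinct paths are assumptions to tune for your site.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not from the diary).
SAMPLE_LOG = """\
198.51.100.7 - - [21/Jun/2009:14:02:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 208 "-" "-"
198.51.100.7 - - [21/Jun/2009:14:02:11 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 208 "-" "-"
198.51.100.7 - - [21/Jun/2009:14:02:12 +0000] "GET /pma/ HTTP/1.1" 404 208 "-" "-"
198.51.100.7 - - [21/Jun/2009:14:02:12 +0000] "GET /admin/phpmyadmin/ HTTP/1.1" 200 5120 "-" "-"
203.0.113.20 - - [21/Jun/2009:14:05:40 +0000] "GET /admin/phpmyadmin/index.php?db=test HTTP/1.1" 200 7340 "-" "Mozilla/5.0"
203.0.113.20 - - [21/Jun/2009:14:05:49 +0000] "POST /admin/phpmyadmin/index.php HTTP/1.1" 200 7340 "-" "Mozilla/5.0"
192.0.2.33 - - [21/Jun/2009:14:06:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# client IP, request path (with query), status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3}) ')
# Assumed heuristic for phpMyAdmin install locations; extend for your environment.
PMA_RE = re.compile(r'phpmyadmin|/pma', re.IGNORECASE)


def summarize(log_text, min_paths=3):
    """Return sources that probed at least min_paths distinct phpMyAdmin-like paths.

    'probed' lists every such path requested; 'answered' lists those that got a
    2xx reply, i.e. where the application is reachable from that source.
    """
    per_ip = defaultdict(lambda: {"probed": set(), "answered": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, url, status = m.groups()
        path = url.split("?", 1)[0]  # ignore the query string
        if not PMA_RE.search(path):
            continue
        per_ip[ip]["probed"].add(path)
        if status.startswith("2"):
            per_ip[ip]["answered"].add(path)
    return {
        ip: {"probed": sorted(d["probed"]), "answered": sorted(d["answered"])}
        for ip, d in per_ip.items()
        if len(d["probed"]) >= min_paths
    }


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, "probed", info["probed"], "answered", info["answered"])
```

Any path listed under `answered` for an unknown source means phpMyAdmin is reachable from the public Internet there, which is the exposure the firewall advice above is meant to close.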


ISC Handler
Jun 23rd 2009
