One of our customers is running an old but stable 😉 Ubuntu Dapper server that recently got hacked.
The whole system behaved completely normally, except that it was running SSH brute-force attacks against several randomly chosen remote servers. So what happened?
The attacker used a vulnerability in phpMyAdmin, which had once been installed, used once or twice, and then forgotten (version 2.10.xx or so..). Sadly, whoever installed phpMyAdmin did not remove the setup.php file (which the README encourages you to do). This setup.php was the attacker's starting point. He/she planted an SSH client running as root in /tmp/dd_ssh that started about 100 child processes.
What I did was the following:
- Removed phpMyAdmin
- Removed all suspicious files from /tmp
- Restarted the network interfaces
- Changed all user passwords
- Installed fail2ban
- Made /tmp non-executable
So my suggestions for today:
- Keep your phpMyAdmin up to date
- Search for installations on all your servers NOW! 😉
- Do NOT install it in a folder named “phpmyadmin”, “sqladmin” or similar. Use a non-guessable name.
- Protect it at least with .htaccess (HTTP authentication)
- Last but not least: if you can reach your server via SSH, there’s no need to expose phpMyAdmin at all. Set up an SSH tunnel, use your favourite MySQL GUI, and bingo, you’re safe.
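To make the "search all your servers NOW" step concrete, here is an added example (my own POSIX sh helper, not code from the original post or from phpMyAdmin) that walks a web root, lists directories that look like phpMyAdmin installs, flags guessable folder names, and fails if a setup.php is still lying around. The function names are mine, and the sample tree it builds is constructed for the demo, not taken from the incident.

```shell
#!/bin/sh
# Added example (not from the original post): a small POSIX sh audit that
# walks a web root looking for phpMyAdmin installations, leftover setup.php
# files and guessable directory names. Helper names are mine; the sample
# tree it builds is constructed for the demo, not taken from the incident.

# Directories that look like a phpMyAdmin install: anything carrying the
# config.inc.php (or the shipped config.sample.inc.php) that phpMyAdmin reads.
find_pma_installs() {
    root="$1"
    find "$root" -type f \( -name 'config.inc.php' -o -name 'config.sample.inc.php' \) -print 2>/dev/null |
        while IFS= read -r f; do dirname "$f"; done | sort -u
}

# setup.php left inside any of those installs. phpMyAdmin 2.x shipped it
# either at the top level or under scripts/, so search the whole install dir.
find_leftover_setup() {
    find_pma_installs "$1" | while IFS= read -r d; do
        find "$d" -type f -name 'setup.php' -print 2>/dev/null
    done | sort -u
}

# True (0) when the install lives under a name an attacker will try first.
guessable_name() {
    case "$(basename "$1" | tr 'A-Z' 'a-z')" in
        phpmyadmin*|pma|myadmin|mysqladmin|sqladmin|mysql|admin) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a report; return 1 if a setup.php is still reachable, 0 otherwise.
audit_webroot() {
    root="$1"
    installs="$(find_pma_installs "$root")"
    if [ -z "$installs" ]; then
        printf 'no phpMyAdmin installs found under %s\n' "$root"
        return 0
    fi
    printf 'phpMyAdmin installs under %s:\n%s\n' "$root" "$installs"
    printf '%s\n' "$installs" | while IFS= read -r d; do
        if guessable_name "$d"; then
            printf 'WARN guessable directory name: %s\n' "$d"
        fi
    done
    leftovers="$(find_leftover_setup "$root")"
    if [ -n "$leftovers" ]; then
        printf 'FAIL leftover setup.php (remove it now):\n%s\n' "$leftovers"
        return 1
    fi
    return 0
}

# Constructed sample tree: one forgotten 2.x install in a guessable folder
# with its setup script still present, and one renamed install that is clean.
make_sample_tree() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/www/phpmyadmin/scripts" "$tmp/www/x7k2q"
    printf '<?php $cfg["blowfish_secret"] = "";\n' > "$tmp/www/phpmyadmin/config.inc.php"
    printf '<?php /* setup script */\n' > "$tmp/www/phpmyadmin/scripts/setup.php"
    printf '<?php $cfg["blowfish_secret"] = "";\n' > "$tmp/www/x7k2q/config.inc.php"
    printf '%s\n' "$tmp"
}

# Demo against the constructed tree; on a real box run e.g. audit_webroot /var/www
demo="$(make_sample_tree)"
audit_webroot "$demo/www" || true
rm -rf "$demo"
```

Run it against every web root on every server from the suggestion list; a box where an attacker has already run code as root is a rebuild candidate rather than an audit target. The tunnel from the last suggestion needs nothing more than `ssh -N -L 3306:127.0.0.1:3306 user@server` on your workstation, after which the MySQL GUI connects to 127.0.0.1:3306 and the server's MySQL can stay bound to localhost with no phpMyAdmin on the web at all.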