Jump to content

Malware reported in Adminer file


kp52
 Share

Recommended Posts

I received the following from my web host in connection with a planned transfer:

Quote

We have identified the following files are infected with malware; please remove these manually for the upgrade to proceed.

/public_html/site/assets/cache/FileCompiler/site/modules/TracyDebugger/panels/Adminer/adminer-4.8.1-mysql.php, /public_html/site/modules/.TracyDebugger/panels/Adminer/adminer-4.8.1-mysql.php, /public_html/site/modules/TracyDebugger/panels/Adminer/adminer-4.8.1-mysql.php

 

ProcessWire 3.0.165
Adminer v1.1.3
Tracy v4.22.9

I've uninstalled the module, which I don't use anyway, and will be removing associated files.

KP

Link to comment
Share on other sites

Hi @kp52 - thanks for the report. Not really sure what to do - Adminer isn't spam, but I understand that hosts see it as something that can be used maliciously. In the case of this module, it's not possible to load it without being a logged in superuser - apache htaccess restrictions prevent direct access to the file.

Link to comment
Share on other sites

So... this is not a big deal by any means, but I do wonder if it might make sense to split Adminer into a separate module — one that integrates with Tracy Debugger, if installed? I get that Adminer is behind some pretty high fences here, but still. It's likely to raise some red flags, at the very least. And yes, personally I would choose to leave Adminer out, if it was possible without losing all the other goodies I get from TD.

Obviously that would be a big change, so perhaps something to consider in a future major release.

Or not. Just saying ?

  • Like 4
Link to comment
Share on other sites

@teppo - certainly not a bad idea. It's actually what I did with the Terminal panel for the same reason. However, this is the first report I've had of Adminer being flagged as spam by a host, so I might wait to see if others also have the same issue. I am hesitant because I think this is a such a useful panel - I use it many times a day - I really love the context sensitive initial view it gives depending on what you are currently viewing / editing in the admin. As well as being a great utility for getting things done, I also think it's a great learning tool for users new to PW so I'd hate to make it harder to find for new users.

  • Like 3
Link to comment
Share on other sites

3 hours ago, adrian said:

this is the first report I've had of Adminer being flagged as spam by a host

I did a bit of reading about this last night and reports are that in Adminer v4.6.2 and below there was a security hole that hackers exploited to attack WordPress and Magento sites - not sure if other platforms were vulnerable but given that Adminer is a general DB tool I assume so. But this hole was patched and consensus seems to be that recent versions of Adminer are safe. So I wonder if the OP's host has an overly broad rule that is simply flagging Adminer generally rather than detecting specific versions.

Having said that, I checked the Tracy Debugger history and the first bundled Adminer version was v4.6.3 so it was kind of a near miss. Maybe it is better that the Adminer panel is separated into its own module so that having it present on a server is more of a conscious choice. I think it's an awesome addition to Tracy so I'll be installing it for sure.

  • Like 1
Link to comment
Share on other sites

I've used Adminer in its own right now and then, it's certainly a lot less cumbersome than phpMyAdmin for simple tasks. One of the things I like about Processwire is that I rarely have to poke about in the database in any case!

I have had issues with this host (TsoHost) and modSecurity in the past with Clipper, so this may well be a matter of blanket security rules. With PW, I couldn't get the latest version of the site to run at all after uploading my local site files and database, until I disabled Tracy in my local version and re-uploaded. The "500" notices I got said something about Tracy being unable to generate a report, so I had an inkling of some connection there. I also had problems with specific pages in the past that went away when I disabled it.

The "upgrade" in question is a move from their custom cloud setup to one based on cPanel.

Thanks for your help, and for Tracy in general.

Link to comment
Share on other sites

Thanks for your research and thoughts @Robin S - much appreciated as always, but I wonder about the "near miss" you are suggesting. Given that files under /site/modules/ can't be executed directly and I have Adminer locked down to superusers only, I am wondering how that version with the vulnerability could have been exploited within a PW system? I know that nothing is ever completely secure, but wouldn't it take someone with filesystem access to be able to do any damage in this case, and if they have that, then there are lots of other ways they could do damage anyway. Am I missing something?

I'm definitely happy to hear more arguments for (or just more folks in favor of) separating it into its own module.

  • Like 1
Link to comment
Share on other sites

4 hours ago, kp52 said:

I couldn't get the latest version of the site to run at all after uploading my local site files and database, until I disabled Tracy in my local version and re-uploaded. The "500" notices I got said something about Tracy being unable to generate a report, so I had an inkling of some connection there. I also had problems with specific pages in the past that went away when I disabled it.

Sorry to hear about these issues - I'm not really sure what to suggest at the moment. If you see them again, could you possibly dig a little deeper to see if there is something in Tracy that needs fixing?

Link to comment
Share on other sites

5 hours ago, adrian said:

Given that files under /site/modules/ can't be executed directly and I have Adminer locked down to superusers only, I am wondering how that version with the vulnerability could have been exploited within a PW system?

You're right, I think the vulnerability was only able to be exploited on systems where Adminer had been left in a publicly accessible location.

  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...