Can't login to phpmyadmin (possibly related to a phpMyAdmin vulnerability)

Discussion in 'General' started by voidzero, Jun 13, 2009.

  1. voidzero

    voidzero New Member

    Hi,

    For some reason my server crashed. When I brought it back up I found no real problems or inconsistencies, but when I tried to visit phpmyadmin I get:

    1045 - Access denied for user 'root'@'localhost' (using password: NO)
    Invalid hostname for server 1. Please review your configuration.

    Any way to solve this?
     
  2. voidzero

    voidzero New Member

    By the way, this shows every time; I can't even try to log in, it happens as soon as I open phpmyadmin.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Make sure that you close all browser windows and then open the browser again before you connect to phpmyadmin.
     
  4. manarak

    manarak Member

    I have exactly the same problem.

    It appeared out of nowhere, maybe after I did an update.

    I tried what you suggested, but it seems clear that this is a server problem.
     
  5. voidzero

    voidzero New Member

    No workieworkie - workaround provided

    Exactly, manarak!

    Anyway, what I did as a workaround was:

    1. Edit /var/lib/phpmyadmin/config.inc.php;
    2. Change the option value 'config' to 'cookie'.

    I'm still getting the error "Invalid hostname for server 1. Please review your configuration." but at least I can log in again.
     
  6. manarak

    manarak Member

    Cool, thanks - it would still be interesting to find out what broke phpmyadmin though.
     
  7. manarak

    manarak Member

    OK, it looks like the config file was changed: the hostname is commented out and there is a phpinfo(); in its place.

    That could be an injection attack?

    Is there a known vulnerability?
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Which software do you mean? ISPConfig or phpmyadmin? In ISPConfig there are no known vulnerabilities.

    Which config file was changed?
     
  9. manarak

    manarak Member

  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Make sure that you install all available Debian updates. phpmyadmin is part of Debian and not part of ISPConfig.
     
  11. manarak

    manarak Member

    My server has always been updated less than 12 hours after new versions were out.

    It is just frightening!!

    Two weeks ago I was infected with very nasty trojans on the PC in spite of an up-to-date antivirus.

    Then there are those nasty hidden iframe viruses out...

    The internet has become VERY DANGEROUS in the last months!
     
    Last edited: Jun 16, 2009
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    OK, then it might be that there is no patch available for this vulnerability from Debian yet. Sad, but it might always happen. Scan your system with rkhunter and chkrootkit and check if there are any other modifications. Also, you should consider deactivating phpmyadmin temporarily.
     
  13. manarak

    manarak Member

    If I chmod the config file to 440, that should stop the attack, no?
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    It's at least worth a try.
     
  15. manarak

    manarak Member

    Could you please change the thread topic and add [phpMyAdmin vulnerability] in front of it?
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    I changed the topic, but that's the problem if you post to other threads instead of making a new one. The original poster had a login problem with phpmyadmin and this does not necessarily mean that his system had been hacked like yours.
     
  17. manarak

    manarak Member

    The probability that he has been injected like me is 99%.

    The injection does modify the hostname entry in the config file, and his problem appeared out of nowhere in the last days...
    Now how big a coincidence is that??
     
  18. peterspoon

    peterspoon New Member

    Same issue here. Debian Lenny, last updates. Config file has been modified! Looks serious!!!
     
    Last edited: Jun 20, 2009
  19. manarak

    manarak Member

    Read the description of the vulnerability: "arbitrary code execution".
    Need I say more?
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    If Debian does not release a bugfix for that, you should either remove phpmyadmin, protect it with a .htaccess file, or install your own copy from sources without using the Debian package.
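
The tampering described in this thread (the host line in config.inc.php commented out and a phpinfo(); call in its place) can be checked for with an allowlist audit of the file. This is an added example, not part of the original thread or of phpMyAdmin; the function name, the allowlist and the sample config are assumptions constructed for illustration, and flagged lines are candidates for manual review rather than proof of compromise.

```python
import re

LITERAL = r"""('[^']*'|"[^"]*"|\d+|true|false|null)"""
# Allowlist (assumption): a plain config needs only these statement shapes.
ALLOWED = re.compile(
    r"^(<\?php|\?>|\$i\s*=\s*\d+;|\$i\+\+;|\$cfg(\[[^\]]+\])+\s*=\s*"
    + LITERAL + r";)$", re.IGNORECASE)
HOST = re.compile(r"\$cfg\['Servers'\]\[\$i\]\['host'\]\s*=")
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

def audit_config(text):
    """Return (line_number, reason, line) findings for manual review."""
    # Blank out /* ... */ comments but keep newlines so line numbers stay right.
    text = BLOCK_COMMENT.sub(lambda m: "\n" * m.group().count("\n"), text)
    findings, host_active = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # A '?>' inside a // or # comment still ends PHP mode, so such a
        # line is not treated as a harmless comment.
        if line.startswith(("//", "#")) and "?>" not in line:
            if HOST.search(line):
                findings.append((lineno, "host setting commented out", line))
            continue
        if not ALLOWED.match(line):
            findings.append((lineno, "unexpected code", line))
        elif HOST.match(line):
            host_active = True
    if not host_active:
        findings.append((0, "no active host setting", ""))
    return findings

# Constructed sample matching the description in the thread (not a real file).
TAMPERED = """<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
//$cfg['Servers'][$i]['host'] = 'localhost';
phpinfo();
?>
"""
CLEAN = TAMPERED.replace("//$cfg", "$cfg").replace("phpinfo();\n", "")

if __name__ == "__main__":
    for finding in audit_config(TAMPERED):
        print(finding)
```

Run it over the contents of the file named in the thread, /var/lib/phpmyadmin/config.inc.php; a config that uses include or if statements will also be flagged and has to be read by hand.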
     
