Secure phpMyAdmin Against PLEASE_READ_XMG Ransomware

This series will cover the following:
1-What is PLEASE_READ_XMG Ransomware
2-Update phpMyAdmin.
3-Change phpMyAdmin Default Login Path.
4-Authentication Gateway for phpMyAdmin (Upcoming).
5-Install HTTPS (SSL Certificates) to Secure phpMyAdmin Login (Upcoming).
6-Change MariaDB Default Port (Upcoming).
7-Clean PLEASE_READ.WARNING (Upcoming).

This series demonstrates how to secure and update phpMyAdmin, change its default access URL, add an authentication gateway that requires an extra set of credentials before logging in, change its default port and install an SSL certificate. This tutorial is aimed at phpMyAdmin running with the Nginx web server on CentOS 7 and VestaCP.

In 2019, phpMyAdmin has been the target of indiscriminate attacks from botnets. For that reason, keep phpMyAdmin updated so that it carries the latest patches against recent exploits, and secure it against automated attacks by adding extra layers of security.

An attacker could leverage a vulnerability such as directory traversal, or use SQL injection to call load_file(), to read the plain-text username/password from the configuration file and then log in through phpMyAdmin or directly over TCP port 3306. As a pentester I have used this attack pattern to compromise a system.

  • DO NOT ALLOW REMOTE ROOT LOGINS! Configure phpMyAdmin to use cookie authentication (Cookie Auth) to limit which users can access the system. If you need some root-level privileges, create a custom account that can add/drop/create but does not hold the GRANT or FILE (file_priv) privilege.
  • Remove the FILE privilege (file_priv) from every account. It is one of the most dangerous privileges in MySQL because it allows an attacker to read files from the server or write a backdoor onto it.
  • Whitelist the IP addresses that are allowed to reach the phpMyAdmin interface.
  • Do not use a predictable location like http://127.0.0.1/phpmyadmin. Vulnerability scanners like Nessus/Nikto/Acunetix/w3af scan for exactly that path.
  • Firewall off TCP port 3306 so that the database cannot be reached directly by an attacker.
  • Use HTTPS (SSL certificates) to secure the phpMyAdmin login; otherwise data and passwords can be leaked to an attacker.
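As an added example (not from the original post), the following POSIX shell filter checks a dump of mysql.user against the first two items of the checklist above: it flags root accounts reachable from a remote host and every account holding the FILE privilege, printing the REVOKE statement for each. The function names and the sample accounts are mine; the only assumption is that the input is the tab-separated output of the mysql -B query named in the comment.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a mysql.user dump for
# remote root logins and accounts that hold the FILE or GRANT privilege.
# Input is the tab-separated output of
#   mysql -B -e "SELECT user, host, File_priv, Grant_priv FROM mysql.user"
# (hypothetical usage: run that query and pipe its output into pma_audit_users).

# Reads the dump on stdin, prints one finding per risky row and returns 1
# when anything was found, so it can gate a cron job or a CI check.
pma_audit_users() {
    awk -F'\t' '
        BEGIN { found = 0 }
        NR == 1 && $1 == "user" { next }   # skip the mysql -B header line
        # a root account reachable from anywhere but the local host
        $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            printf "remote root login allowed: root@%s\n", $2; found = 1
        }
        # FILE lets the account read or write files on the database host
        $3 == "Y" {
            printf "FILE privilege: %s@%s -> REVOKE FILE ON *.* FROM \047%s\047@\047%s\047;\n",
                   $1, $2, $1, $2; found = 1
        }
        # GRANT OPTION on a non-root account lets it hand out further privileges
        $4 == "Y" && $1 != "root" {
            printf "GRANT OPTION: %s@%s\n", $1, $2; found = 1
        }
        END { exit found }
    '
}

# Constructed sample dump (no real accounts) exercising all three findings.
pma_sample_dump() {
    printf 'user\thost\tFile_priv\tGrant_priv\n'
    printf 'root\tlocalhost\tY\tY\n'
    printf 'root\t%%\tN\tY\n'
    printf 'pma_app\tlocalhost\tN\tN\n'
    printf 'backup\t10.0.0.5\tY\tN\n'
}

# Demo when run directly:  sh pma_audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    pma_sample_dump | pma_audit_users
fi
```

The sample produces three findings (root@localhost with FILE, root@% reachable remotely, backup@10.0.0.5 with FILE) and a non-zero exit status; a dump with only locked-down accounts prints nothing and exits 0.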

PLEASE_READ_XMG.WARNING Attack

This attack deletes all the databases and replaces them with a table named WARNING containing "To recover your lost data SEND BTC". One of the people who first detected the attack has written a detailed description. With the anonymity of digital currencies such as Bitcoin, ransomware attacks have risen rapidly in recent years, posing serious threats to businesses and individuals. Every MySQL server facing the internet is exposed to this attack, so ensure your servers are hardened. Also make sure your servers require authentication and that strong passwords are in use. Minimizing internet-facing services, particularly those containing sensitive information, is also good practice.

An exploited database looks like this:

Update phpMyAdmin Latest Version

sudo yum install phpmyadmin
# cd is a shell builtin, so it must not be prefixed with sudo
cd /usr/share
sudo rm -rf phpmyadmin

Use wget to download the latest phpMyAdmin version. You can find the packages for the latest version on the phpMyAdmin – Downloads page. The latest version at the time of writing is 4.8.5, so we'll download that one:

sudo wget -P /usr/share/ https://files.phpmyadmin.net/phpMyAdmin/4.8.5/phpMyAdmin-4.8.5-english.zip
# extract next to the archive so the result lands in /usr/share regardless of the current directory
sudo unzip /usr/share/phpMyAdmin-4.8.5-english.zip -d /usr/share

Finally we rename the unzipped folder 'phpMyAdmin-4.8.5-english' to 'phpmyadmin':

sudo mv /usr/share/phpMyAdmin-4.8.5-english /usr/share/phpmyadmin

Important: If you log into phpMyAdmin now, you’ll see two errors:

1-The configuration file now needs a secret passphrase (blowfish_secret).
2-The $cfg['TempDir'] (./tmp/) is not accessible. phpMyAdmin is not able to cache templates and will be slow because of this.

To fix the first error, just run the following:

cd /usr/share/phpmyadmin
sudo cp config.sample.inc.php config.inc.php

Now you have to add a Blowfish secret to config.inc.php. To do this, visit the following link to generate one: https://www.motorsportdiesel.com/tools/blowfish-salt/pma/. Copy the secret so we can paste it into config.inc.php.

When you've copied it, open config.inc.php and paste it into the Blowfish secret setting: $cfg['blowfish_secret'] = 'PASTE HERE';

sudo nano config.inc.php

Save and close the file.

Lastly, we need to create a tmp directory for phpMyAdmin and give ownership over it:

sudo mkdir /usr/share/phpmyadmin/tmp
# give the directory to the account PHP-FPM runs as: www-data on Debian/Ubuntu,
# usually nginx or apache on CentOS 7
sudo chown -R www-data:www-data /usr/share/phpmyadmin/tmp

Well done. You've now upgraded your phpMyAdmin to the latest version.
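An added example, not from the original post, that fixes both post-upgrade errors from the shell: it generates the Blowfish secret locally instead of on a third-party website, writes it into config.inc.php, reads it back for verification, and creates the tmp directory. It assumes a config.inc.php copied from the 4.x config.sample.inc.php; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes a config.inc.php
# copied from phpMyAdmin 4.x's config.sample.inc.php, i.e. it contains a
# line that starts with:   $cfg['blowfish_secret'] = '';

# 32 random characters from [A-Za-z0-9], generated locally instead of on a
# third-party website; alphanumerics are safe inside a PHP single-quoted string.
pma_gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# Print the secret currently set in the given config (empty line = unset).
pma_get_blowfish_secret() {
    awk 'index($0, "$cfg[\047blowfish_secret\047]") == 1 {
            s = $0
            sub("^[^=]*=[ \t]*\047", "", s)   # drop up to and including the opening quote
            sub("\047;.*$", "", s)            # drop the closing quote and any trailing comment
            print s
         }' "$1"
}

# Rewrite the blowfish_secret line in place; an optional second argument
# overrides the generated secret. Rejects values that would break the PHP literal.
pma_set_blowfish_secret() {
    cfg=$1
    secret=${2:-$(pma_gen_secret)}
    case $secret in
        *\'*|*\\*|'') return 1 ;;
    esac
    tmp="$cfg.tmp.$$"
    awk -v s="$secret" '
        index($0, "$cfg[\047blowfish_secret\047]") == 1 {
            print "$cfg[\047blowfish_secret\047] = \047" s "\047;"; next
        }
        { print }' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Create the template cache directory the second error complains about.
# Pass the account PHP-FPM runs as (www-data on Debian/Ubuntu, usually nginx
# or apache on CentOS); chown needs root, so it is skipped when no user is given.
pma_ensure_tmpdir() {
    mkdir -p "$1" && chmod 700 "$1" && { [ -z "$2" ] || chown "$2" "$1"; }
}
```

Typical use on the server is pma_set_blowfish_secret /usr/share/phpmyadmin/config.inc.php followed by pma_ensure_tmpdir /usr/share/phpmyadmin/tmp nginx (run as root).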

Change phpMyAdmin Login Page

As attackers probe for the common locations of any software they try to break into, we'll change the default path
http://domain_or_IP/phpmyadmin to https://domain_or_IP/somethingunexpected.
Open /etc/httpd/conf.d/phpMyAdmin.conf on CentOS or /etc/phpmyadmin/apache.conf on Debian and comment out the line(s) beginning with Alias.

———— On CentOS/RHEL and Fedora ————
sudo nano /etc/httpd/conf.d/phpMyAdmin.conf

———— On Debian and Ubuntu ————
sudo nano /etc/phpmyadmin/apache.conf

Then add a new one as follows:
# Alias /phpmyadmin /usr/share/phpmyadmin
Alias /my /usr/share/phpmyadmin

In the same file, make sure the Require all granted directive is included inside the Directory /usr/share/phpmyadmin block. On the Nginx web server, we just need to create a symbolic link from the phpMyAdmin installation to the Nginx document root (i.e. /usr/share/nginx/html), using whichever of the two spellings matches your installation directory:

sudo ln -s /usr/share/phpMyAdmin /usr/share/nginx/html
OR
sudo ln -s /usr/share/phpmyadmin /usr/share/nginx/html

Now, to change the URL of our phpMyAdmin page, we simply rename the symbolic link:

cd /usr/share/nginx/html
sudo mv phpmyadmin my
OR
sudo mv phpMyAdmin my

Finally, restart Nginx and PHP-FPM to apply the changes and point your browser to http://<ip address>/my.

———— On CentOS/RHEL and Fedora ————

systemctl restart nginx

systemctl restart php-fpm

———— On Debian and Ubuntu ————

systemctl restart nginx

systemctl restart php5-fpm

It should open phpMyAdmin, whereas http://<ip address>/phpmyadmin should now return a Not Found error page.

Do not log in using the database root user's credentials yet. You don't want those credentials going over the wire in plain text, so in the next tip we will explain how to set up a self-signed certificate for the phpMyAdmin login page.

Reference URLs:
http://www.wooolong.com/blog/19.html
https://www.liangzl.com/get-article-detail-124313.html
https://www.tecmint.com/change-secure-phpmyadmin-login-url-page/
https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-phpmyadmin-with-apache-on-a-centos-7-server
https://www.niagahoster.co.id/kb/cara-mengubah-url-phpmyadmin-vestacp
https://wp-dreams.com/articles/2015/01/phpmyadmin-beginners-guide-to-digital-ocean/
https://forum.vestacp.com/viewtopic.php?t=6235
https://www.cyberciti.biz/faq/change-default-mysql-port-under-linuxunix/
https://www.auditmypc.com/csrss.asp
https://stackoverflow.com/questions/2631269/how-to-secure-phpmyadmin
https://draculaservers.com/tutorials/update-secure-phpmyadmin/
https://www.guardicore.com/2017/02/0-2-btc-strikes-back-now-attacking-mysql-databases/

Adnan Sattar

A self-driven productive Software Engineer who thrives in highly pressurized and challenging working environments by constantly improving skills. Eager to grasp new ideas and concepts from the environment.
