
Support For New Security Threat In Ez Admin Helper

 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11358 posts

Posted 28 April 2019 - 06:42 PM #1

I noticed on a couple of my client sites the presence of a new malware file.  It is located in the document root of the store and is called 'adminer.php'.   Comments read as follows:
 

/** Adminer - Compact database management
* @link https://www.adminer.org/
* @author Jakub Vrana, http://www.vrana.cz/
* @copyright 2007 Jakub Vrana
* @license http://www.apache.org/licenses/LICENSE-2.0 Apache License, Version 2.0
* @license http://www.gnu.org/licenses/gpl-2.0.html GNU General Public License, version 2 (one or other)
* @version 4.2.5
*/

We have added support for disabling this file to our EZ Admin Helper addon.  It is available in version 4.9.33.  If you are a current EZ Admin Helper addon customer, you should be upgraded automatically in the next couple of days.  If you want to force the upgrade, you can use the following URL

[your_admin_url]?dispatch=ez_maint.upgrade.force

which will force the upgrade to happen immediately.

 

If anyone wants to (or has the time to) unpack this file and publish what it does, feel free to contact me and I'll get you a copy.

 


EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.


 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11358 posts

Posted 28 April 2019 - 06:52 PM #2

EZ Admin Helper addon has been updated to detect and inoculate a new trojan malware file named adminer.php

 

If you are a current client, you will be automatically upgraded (as with all our addons) in the next couple of days.  If you want to upgrade immediately, use the following url to force the upgrade.

[your admin url]?dispatch=ez_maint.upgrade.force

 

Did not have time to unpack the affected file to see exactly what it does.  But it seems to accept commands from GET parameters and most likely accesses user and order data from your database.




 
  • CS-Cart team
  • CS-Cart support team
  • Moderators
  • Join Date: 04-Apr 11
  • 3808 posts

Posted 29 April 2019 - 01:00 PM #3

> I noticed on a couple of my client sites the presence of a new malware file.  It is located in the document root of the store and is called 'adminer.php'.   Comments read as follows:
>
> /** Adminer - Compact database management
> * @link https://www.adminer.org/
> * @author Jakub Vrana, http://www.vrana.cz/
> * @copyright 2007 Jakub Vrana
> * @license http://www.apache.org/licenses/LICENSE-2.0 Apache License, Version 2.0
> * @license http://www.gnu.org/licenses/gpl-2.0.html GNU General Public License, version 2 (one or other)
> * @version 4.2.5
> */
>
> We have added support for disabling this file to our EZ Admin Helper addon.  It is available in version 4.9.33.  If you are a current EZ Admin Helper addon customer, you should be upgraded automatically in the next couple of days.  If you want to force the upgrade, you can use the following URL
>
> [your_admin_url]?dispatch=ez_maint.upgrade.force
>
> which will force the upgrade to happen immediately.
>
> If anyone wants to (or has the time to) unpack this file and publish what it does, feel free to contact me and I'll get you a copy.

 

Do you mean this database manager or is it some actual malware renamed to adminer.php that has the same comments as the original Adminer script?

 

We often use Adminer when we need to access the database and as far as I understand, many third-party developers use it as well.


Sincerely yours, CS-Cart Support Team

 

User guide       |  Developer documentation  |  Core API documentation


 
  • Darius
  • Douchebag
  • Members
  • Join Date: 20-Apr 08
  • 3290 posts

Posted 29 April 2019 - 02:01 PM #4

yea and sometimes your colleagues forget to remove it..

 

> Do you mean this database manager or is it some actual malware renamed to adminer.php that has the same comments as the original Adminer script?
>
> We often use Adminer when we need to access the database and as far as I understand, many third-party developers use it as well.



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11358 posts

Posted 29 April 2019 - 05:19 PM #5

As I said, it's encoded so I have no idea what it's doing.  But I'm the primary developer on these sites and if other developers are leaving DB access files in the root of my customer's stores, then I think that's a security issue and trust issue.  Note also that the modification date on one of my client's sites was from a couple of years ago, but the 'c_time' of the file was from 4/15/19.  My other client had a 4/15/19 date as well.  That's what's causing me to be suspicious.

 

If you want to review it, send me an email at support at ez-ms dot com and I'll zip it and send it to you.


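A defender-side version of the check the addon performs, as an added example that is not the EZ Admin Helper code or anything posted in this thread: it walks a store's document root for adminer.php, flags copies whose mtime is far older than their ctime (the pattern noted in post #5), and disables a hit by renaming it. The 24-hour skew threshold and the `.quarantined` suffix are assumptions.

```python
import os
from dataclasses import dataclass
from typing import FrozenSet, List

# Basenames of database-management scripts that should never sit in a store's
# document root. The thread concerns adminer.php; extend the set as needed.
SUSPECT_NAMES: FrozenSet[str] = frozenset({"adminer.php"})

# Assumed threshold: if the inode change time (ctime) is more than this many
# seconds newer than the content modification time (mtime), the file was most
# likely dropped onto the server with a preserved or forged mtime.
DEFAULT_SKEW_SECONDS = 24 * 60 * 60


@dataclass
class Finding:
    path: str
    mtime: float
    ctime: float
    timestomp_suspect: bool  # old mtime but recent ctime: the pattern in post #5


def scan_webroot(root: str, names: FrozenSet[str] = SUSPECT_NAMES,
                 skew_seconds: int = DEFAULT_SKEW_SECONDS) -> List[Finding]:
    """Walk `root` and report every file whose basename is in `names`.
    mtime can be set by whoever uploads the file, but ctime is set by the
    kernel and cannot be backdated without privilege, so a large gap means
    the file arrived recently, whatever its mtime says."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in names:
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            findings.append(Finding(
                path=path, mtime=st.st_mtime, ctime=st.st_ctime,
                timestomp_suspect=(st.st_ctime - st.st_mtime) > skew_seconds,
            ))
    return findings


def neutralize(path: str, suffix: str = ".quarantined") -> str:
    """Disable a finding without destroying evidence: strip all permissions
    and rename it so the web server will no longer execute it."""
    os.chmod(path, 0o000)
    quarantined = path + suffix
    os.replace(path, quarantined)
    return quarantined
```

Run `scan_webroot("/path/to/store")` from cron and review each finding before calling `neutralize`, since a legitimately copied file can also show the skew.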


 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11358 posts

Posted 29 April 2019 - 05:21 PM #6

> Do you mean this database manager or is it some actual malware renamed to adminer.php that has the same comments as the original Adminer script?
>
> We often use Adminer when we need to access the database and as far as I understand, many third-party developers use it as well.

 

 

Leaving database access files on sites after you're done is a pretty big security issue.  How do we get your support people to clean up after themselves then?

 

I'm going to leave my inoculation in place in EZ Admin Manager since it will then clean up behind you.




 
  • CS-Cart team
  • CS-Cart support team
  • Moderators
  • Join Date: 04-Apr 11
  • 3808 posts

Posted 29 April 2019 - 07:11 PM #7

> Leaving database access files on sites after you're done is a pretty big security issue.  How do we get your support people to clean up after themselves then?
>
> I'm going to leave my inoculation in place in EZ Admin Manager since it will then clean up behind you.

 

 

We usually delete such scripts after examining the installation, but the Adminer script is commonly used not only by our team. So it is reasonable to have such a check, although the database cannot be accessed without authorization.




 
  • poppedweb
  • Authorized Reseller
  • Members
  • Join Date: 02-Aug 16
  • 547 posts

Posted 29 April 2019 - 08:14 PM #8

> We usually delete such scripts after examining the installation, but the Adminer script is commonly used not only by our team. So it is reasonable to have such a check, although the database cannot be accessed without authorization.

 

Yeah but that is nothing more than including the config.local.php file -_-


PoppedWeb | sales@poppedweb.com | https://poppedweb.com
TurnKey Website Design | Add-Ons | Performance Audits | Dedicated Server Management
24/7 Support | Response within an hour (during working hours).