phpMyAdmin v3.5.2.2 backdoor - Vulnerability Database

Description

A compromised SourceForge mirror (cdnetworks-kr-1) distributed a malicious version of phpMyAdmin 3.5.2.2 containing a backdoor. The backdoor was injected into a file named 'server_sync.php' (which does not exist in legitimate phpMyAdmin distributions) and allows remote code execution without authentication. An additional file, 'js/cross_framing_protection.js', was also modified. This supply chain attack affected the phpMyAdmin-3.5.2.2-all-languages.zip archive downloaded from the compromised mirror during the attack window.

Remediation

Immediately verify the integrity of your phpMyAdmin installation by checking for the presence of 'server_sync.php' in the root directory. If this file exists, your installation is compromised and must be remediated:

1. Take the affected phpMyAdmin instance offline immediately
2. Download a fresh copy of phpMyAdmin 3.5.2.2 or later from the official phpMyAdmin website (https://www.phpmyadmin.net/) or a verified trusted mirror
3. Verify the download using published checksums or GPG signatures
4. Completely remove the compromised installation and replace it with the verified clean version
5. Review web server and database logs for suspicious activity or unauthorized access during the period the backdoor was present
6. Change all database passwords and review user accounts for unauthorized modifications
7. Consider performing a security audit of your database and web server to ensure no additional compromise occurred
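
The check for 'server_sync.php' and the checksum verification in step 3 can be scripted. The following is an added example, not code from phpMyAdmin or from this advisory. The function names are hypothetical, and SHA-256 is an assumption: use whichever algorithm the published checksum uses.

```shell
#!/bin/sh
# Added example: triage a phpMyAdmin directory for the two files named in the
# description, and verify a fresh download before installing it.
# Usage (paths are examples only):
#   check_install /var/www/phpmyadmin /tmp/phpmyadmin-verified-clean
#   verify_archive phpMyAdmin.zip <checksum published by the project>

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# check_install INSTALL_DIR CLEAN_DIR
# CLEAN_DIR is an extraction of an archive that already passed verification.
# Returns 0 if no indicator is found, 1 if one is, 2 on bad arguments.
check_install() {
    ci_install=$1; ci_clean=$2; ci_status=0
    [ -d "$ci_install" ] && [ -d "$ci_clean" ] || {
        echo "usage: check_install INSTALL_DIR CLEAN_DIR" >&2; return 2; }
    # server_sync.php does not exist in legitimate distributions, so its
    # presence alone marks the installation as compromised.
    if [ -e "$ci_install/server_sync.php" ]; then
        echo "COMPROMISED: $ci_install/server_sync.php is present"
        ci_status=1
    fi
    # The description says this file was modified, so presence proves
    # nothing: compare its content against the verified clean copy.
    ci_js=js/cross_framing_protection.js
    if [ -f "$ci_install/$ci_js" ] && [ -f "$ci_clean/$ci_js" ]; then
        if [ "$(sha256_of "$ci_install/$ci_js")" != "$(sha256_of "$ci_clean/$ci_js")" ]; then
            echo "MODIFIED: $ci_install/$ci_js differs from the clean copy"
            ci_status=1
        fi
    fi
    return "$ci_status"
}

# verify_archive ARCHIVE EXPECTED_SHA256 (lowercase hex)
# Returns 0 on match, 1 on mismatch, 2 if the archive is missing.
verify_archive() {
    [ -f "$1" ] || return 2
    [ "$(sha256_of "$1")" = "$2" ]
}
```

A clean result from `check_install` only rules out the two files named here; steps 5 to 7 still apply if the backdoor was ever present.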
