  1. #1
    Member
    Join Date
    Jun 2007
    Posts
    150

    Ok, fair enough... However we are seeing...

    an enormous DDOS attack from several IP addresses in China that are all attempting to hit phpmyadmin links to determine what the version is.

    This literally brings the server to its knees. Over this past weekend, we saw over 600 thousand connection attempts. It took over 5 hours to firewall all those IP addresses (and I'm sure we got legitimate users too).

    The problem however is that this is happening to all 15+ of our cPanel servers.

    We want to make sure that there is no way for users to access phpmyadmin from outside of cPanel. We are going to require all users to log into their cPanel account first and then access phpMyAdmin.

    Is there a way to do this? Something we can change in WHM to make sure that this is the case?

    Thank you,
    Peter

  2. #2
    cPanelDon (cPanel Quality Assurance Analyst)
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,555
    cPanel/Enkompass Access Level

    DataCenter Provider

    Friendly Moderator Note

    To prevent confusion this topic has been split-away, i.e., separated, from a feature request for phpMyAdmin version 3.3.

  3. #3
    cPanelDon (cPanel Quality Assurance Analyst)
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,555
    cPanel/Enkompass Access Level

    DataCenter Provider

    Re: Attacks targeting phpMyAdmin?

    Quote: Originally Posted by gkgcpanel
    an enormous DDOS attack from several IP addresses in China that are all attempting to hit phpmyadmin links to determine what the version is.

    This literally brings the server to its knees. Over this past weekend, we saw over 600 thousand connection attempts. It took over 5 hours to firewall all those IP addresses (and I'm sure we got legitimate users too).

    The problem however is that this is happening to all 15+ of our cPanel servers.

    We want to make sure that there is no way for users to access phpmyadmin from outside of cPanel. We are going to require all users to log into their cPanel account first and then access phpMyAdmin.

    Is there a way to do this? Something we can change in WHM to make sure that this is the case?

    Thank you,
    Peter

    In order to access the installation of phpMyAdmin that is installed by cPanel you must first be authenticated in cPanel or WHM using a valid login username and password. There is no anonymous "guest" access that would allow unauthenticated users to access the installation of phpMyAdmin that is installed by cPanel.

  4. #4
    Member
    Join Date
    May 2005
    Location
    Auburn, CA
    Posts
    243

    Quote: Originally Posted by cPanelDon
    In order to access the installation of phpMyAdmin that is installed by cPanel you must first be authenticated in cPanel or WHM using a valid login username and password. There is no anonymous "guest" access that would allow unauthenticated users to access the installation of phpMyAdmin that is installed by cPanel.

    Continuing on with the OP's question, is there a method you would suggest that could block requests for PHPMyAdmin and yet not block valid users' access? I've thought of writing a rule for mod_security, but wasn't totally sure that valid users wouldn't also be blocked.

    I've seen numerous others having this issue also, but have yet to read any suggested solutions (other than "just ignore it").
    cPanel: Latest Release Version [11.32.2.*]
    PHP 5.3.10, Apache 2.2.22, MySQL 5.1.56, Perl 5.8.8, CentOS 6.2

  5. #5
    cpanelkenneth (cPanel Development)
    Join Date
    Apr 2006
    Posts
    3,782
    cPanel/Enkompass Access Level

    Root Administrator

    Quote: Originally Posted by MaraBlue
    Continuing on with the OP's question, is there a method you would suggest that could block requests for PHPMyAdmin and yet not block valid users' access? I've thought of writing a rule for mod_security, but wasn't totally sure that valid users wouldn't also be blocked.

    I've seen numerous others having this issue also, but have yet to read any suggested solutions (other than "just ignore it").

    Are the attacks hitting one of the cPanel ports, or port 80? If they are not targeting the cPanel ports then you could drop all requests for phpMyAdmin hitting port 80.

    If a user has installed phpMyAdmin in his document root then those requests would be dropped as well.
    Kenneth
    Product Manager
    cPanel, Inc.
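
One way to answer the question above (cPanel ports or port 80?) before writing any block rule, as an added example that is not part of the original thread or cPanel's own code. It assumes every log line starts with `vhost:port` (Apache's `%v:%p`) and that requests to the cPanel/WHM ports have been exported in the same layout; the function name `summarize` and all sample lines are constructed.

```python
import re
from collections import Counter

CPANEL_PORTS = {2082, 2083, 2086, 2087}  # cPanel and WHM service ports
PMA_PATH = re.compile(r"phpmyadmin", re.IGNORECASE)

# Assumed layout: %v:%p %h %l %u %t "%r" %>s %b
LINE = re.compile(
    r'^\S+:(?P<port>\d+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample input (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    'example.com:80 203.0.113.7 - - [10/Apr/2010:03:14:07 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 312',
    'example.com:80 203.0.113.7 - - [10/Apr/2010:03:14:08 -0500] "GET /phpMyAdmin/index.php HTTP/1.1" 404 318',
    'example.com:80 203.0.113.9 - - [10/Apr/2010:03:14:09 -0500] "GET /PHPMYADMIN/ HTTP/1.1" 404 312',
    'example.com:80 198.51.100.20 - - [10/Apr/2010:03:15:00 -0500] "GET /index.html HTTP/1.1" 200 5120',
    'example.com:2083 198.51.100.20 - - [10/Apr/2010:03:16:00 -0500] "GET /3rdparty/phpMyAdmin/index.php HTTP/1.1" 200 9045',
    'truncated or malformed line',
]


def summarize(lines):
    """Tally phpMyAdmin requests by (listener, status) and by source IP.

    Returns (by_listener, web_sources, skipped). Only port-80-style
    requests are counted per IP, since those are the ones a web-server
    rule would drop; cPanel-port requests are reported separately so
    they can be reviewed before anything is blocked.
    """
    by_listener = Counter()
    web_sources = Counter()
    skipped = 0
    for line in lines:
        m = LINE.match(line)
        if m is None:
            skipped += 1          # keep count of lines we could not parse
            continue
        if not PMA_PATH.search(m["path"]):
            continue              # not a phpMyAdmin request
        listener = "cpanel" if int(m["port"]) in CPANEL_PORTS else "web"
        by_listener[(listener, m["status"])] += 1
        if listener == "web":
            web_sources[m["ip"]] += 1
    return by_listener, web_sources, skipped
```

If every `web` entry is a 404 and the `cpanel` entries belong to known customers, the requests are landing on port 80 only, which is the case where dropping phpMyAdmin URLs at the web server does not touch the cPanel-provided copy.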

  6. #6
    Registered User
    Join Date
    Oct 2008
    Posts
    3

    Is the version of phpMyAdmin running on cPanel already patched for this?

    [SECURITY] [DSA 2034-1] New phpmyadmin packages fix several vulnerabilities

    The announcement states that the problems are fixed in version 3.2.4-1, but when I check the version running on my server, it says it's 3.2.4.

  7. #7
    cPanelDon (cPanel Quality Assurance Analyst)
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,555
    cPanel/Enkompass Access Level

    DataCenter Provider

    Quote: Originally Posted by Shadyr
    Is the version of phpMyAdmin running on cPanel already patched for this?

    [SECURITY] [DSA 2034-1] New phpmyadmin packages fix several vulnerabilities

    The announcement states that the problems are fixed in version 3.2.4-1, but when I check the version running on my server, it says it's 3.2.4.

    Please keep in mind that Debian is not an OS supported by cPanel as per the system requirements for cPanel and WHM.

    Please see the following post: cPanel Forums - View Single Post - PHPMyAdmin upgrade to 3.3.0 - Re: Debian Security Advisory (DSA-2034-1)
    Quote: Originally Posted by cPanelDon
    The Debian Security Advisory (DSA-2034-1) specifically lists the following identifiers from the Common Vulnerabilities and Exposures (CVE) project:
    Each CVE ID is also tracked in the National Vulnerability Database (NVD):
    In each CVE candidate and NVD entry there is a common theme of information:
    • The described issue is "in phpMyAdmin 2.11.x before 2.11.10"
    • The list of Vulnerable software and versions does not include any of the latest phpMyAdmin versions installed by cPanel.

    Each vulnerability, referenced by its CVE-ID, is directly addressed by the following phpMyAdmin announcements, as mentioned by cPanelKenF:
    In each phpMyAdmin announcement there is a common theme of information:
    • Affected Versions: For 2.11.x: versions before 2.11.10 are affected.
    • Unaffected Versions: 3.x releases are not affected.
    • Solution: Upgrade to phpMyAdmin 3.0.0 or 2.11.10.

    The latest versions of phpMyAdmin that are installed by cPanel are not affected by the documented vulnerabilities.
