Any way to block phpMyAdmin from accessing the DB server if it's installed manually on an account?

ethical

Well-Known Member
Apr 7, 2009
I was wondering if there is any way to prevent phpMyAdmin from either being installed on a user's account, or, if not, prevent it from being able to access the DB server if it is installed?

Perhaps using ModSecurity to block something, or the ConfigServer Exploit Scanner to delete a crucial file automatically?

Any thoughts?

Thanks
John
 

PenguinInternet

Well-Known Member
PartnerNOC
Jun 20, 2007
Cardiff, UK
cPanel Access Level
DataCenter Provider
Any script that is installed onto a user's account will be able to access the database server, providing it has a username & password to do so; therefore just trying to limit this to phpMyAdmin will not have much effect anyway. Do you have a specific reason for wanting to do this? Putting your requirements in context may help with a solution.
 

ethical

Thanks Penguin, yeah, right, I see. Well, I'm just trying to lock down the server more, and I noticed that phpMyAdmin was installed by a hacker onto a website, and it's not clear if they knew a DB password or not, but if they did they could have accessed it. So I was thinking, since phpMyAdmin is pretty common, I wondered if there was a way to lock that down so it could only be used from the cPanel?
 

PenguinInternet

As mentioned, as that would not prevent access to the database anyway, I wouldn't really look to pursue that as you'll probably end up causing more issues than you fix if it interferes with the central installation as well. Ideally you want to concentrate on looking at how the site was hacked in the first place to allow them to upload a copy of phpMyAdmin.

If they had that level of access to the site, phpMyAdmin is not then actually providing any additional security issues - they already have the facility to dump a database if they read an existing site config file giving them the MySQL login details and can access the database. Depending on the configuration of your server, this may be the least of your issues if you've not locked it down as there are plenty of other things that they can do once they have access to a site...
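
An inventory sweep for uploaded phpMyAdmin copies, useful when scoping a compromise like the one discussed above. This is an added example, not part of the thread or any poster's code. It assumes accounts live under `/home`, that a copy still contains the release-archive entries `config.sample.inc.php`, `index.php` and `libraries/`, and that the sample config names phpMyAdmin near its top; `find_installs` and its `exclude` parameter are hypothetical names.

```python
import os

# Entries shipped in phpMyAdmin release archives (assumption: the uploaded copy
# was not stripped). The directory name is ignored because copies are often renamed.
MARKERS = ("config.sample.inc.php", "index.php", "libraries")
SIGNATURE = b"phpMyAdmin"


def looks_like_phpmyadmin(path):
    """True if `path` holds all marker entries and the sample config names phpMyAdmin."""
    if not all(os.path.exists(os.path.join(path, m)) for m in MARKERS):
        return False
    try:
        with open(os.path.join(path, "config.sample.inc.php"), "rb") as fh:
            return SIGNATURE in fh.read(4096)
    except OSError:
        return False  # unreadable file: treat as no match rather than crash the sweep


def find_installs(root, exclude=()):
    """Walk `root`; return sorted directories that look like phpMyAdmin copies.

    `exclude` lists trees to skip, e.g. the control panel's central installation.
    """
    exclude = tuple(os.path.abspath(e) for e in exclude)
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        full = os.path.abspath(dirpath)
        if any(full == e or full.startswith(e + os.sep) for e in exclude):
            dirnames[:] = []  # prune the excluded tree
            continue
        if looks_like_phpmyadmin(full):
            hits.append(full)
            dirnames[:] = []  # no need to descend into a matched copy
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for hit in find_installs(sys.argv[1] if len(sys.argv) > 1 else "/home"):
        print(hit)
```

A hit shows where a copy was dropped and under which account; it does not show how the account was compromised, and a copy with its sample config removed will not match.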