Scan Campaign Detected Looking for Adminer Database Management Tool

Sucuri, a cyber security company recently acquired by GoDaddy, has detected a massive online scanning campaign that’s searching for websites that use the Adminer database management script.

Adminer is a single-file PHP tool similar to phpMyAdmin, but smaller and with fewer features, which is one reason it became popular in some webmaster circles.

Adminer has been around for well over a decade, and because of its small footprint it has been deployed on many servers and bundled with various plugins for popular CMS platforms, such as WordPress, Drupal, Joomla, Magento, and others.

Because of what the tool does, anyone who can log into an exposed Adminer instance (it authenticates with the database server's own credentials, not with accounts of its own) can run arbitrary SQL queries against the underlying database. Depending on the privileges of the database user, a skilled attacker can turn that into a takeover of the server (for example by writing files into the web root) and, indirectly, of every site hosted on it.

Ongoing Adminer scan operation discovered

Sucuri, a company that runs one of the most advanced Web Application Firewalls (WAF) on the market, says it found part of the Adminer-scanning infrastructure on a compromised website it was called in to investigate.

Sucuri researcher Denis Sinegubko says he found the scanning script hidden inside a file named “at.php”, which queried a remote server for a list of 10,000 domains sorted alphabetically.

The scanner would then connect to each of those domains and request 14 file paths whose names are typical of different versions of the Adminer script and of the CMS plugins that bundle it.

The 14 Adminer files attackers are looking for

Sinegubko says that once a site is identified as running Adminer, the scanner saves the site and the working URL to a file simply named “c”. After working through the 10,000-domain batch, it requests another.
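The probing described above leaves a recognisable trace on the targeted servers: a burst of requests for several Adminer-style file names from one client, mostly answered with 404, and a 200 wherever an instance is actually exposed. The following detector, an added example that is not part of Sucuri's write-up or of the scanner itself, runs that logic over Apache/nginx combined-format access logs. The sample log lines are constructed, and the path pattern is an assumption based on Adminer's usual naming scheme (the article's list of 14 file names is not reproduced here).

```python
"""Flag clients probing for Adminer and any Adminer instance they found.

Added example: reads combined-format web server access logs, groups requests
for Adminer-looking paths by client IP, and reports (a) clients that tried
several distinct Adminer paths in a short window and (b) any such path that
was answered with a 2xx status, i.e. an exposed instance.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (assumption: adjust for other layouts).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

# Paths that look like an Adminer deployment: adminer.php, adminer-4.7.1.php,
# adminer-4.7.1-mysql-en.php, or an adminer/ directory. This is an assumed
# pattern, not the scanner's actual list of 14 file names.
ADMINER_RE = re.compile(
    r'(?:^|/)(?:adminer[\w.-]*\.php|adminer/?(?:index\.php)?)$',
    re.IGNORECASE,
)

# Constructed sample log: one scanner that finds an exposed copy, one normal
# visitor, and one client that asked for a single Adminer path only.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /adminer.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2019:13:55:37 +0000] "GET /adminer-4.7.1.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2019:13:55:37 +0000] "GET /adminer/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2019:13:55:38 +0000] "GET /adminer-4.6.3-mysql.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2019:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 10311 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2019:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2019:14:02:11 +0000] "GET /adminer.php HTTP/1.1" 404 196 "-" "curl/7.64.0"
"""


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def find_adminer_probes(lines, min_distinct_paths=3, window_seconds=600):
    """Report scanners and exposed Adminer paths found in the given log lines.

    A client is a scanner when it requests at least `min_distinct_paths`
    different Adminer-looking paths within `window_seconds`. Any 2xx answer on
    such a path is reported as an exposed instance regardless of probe count.
    """
    by_ip = defaultdict(list)
    exposed = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not ADMINER_RE.search(rec["path"]):
            continue
        by_ip[rec["ip"]].append(rec)
        if 200 <= rec["status"] < 300:
            exposed.add((rec["ip"], rec["path"]))

    scanners = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0  # sliding window over this client's Adminer-path requests
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if len({r["path"] for r in recs[start:end + 1]}) >= min_distinct_paths:
                scanners[ip] = sorted({r["path"] for r in recs})
                break
    return {"scanners": scanners, "exposed": sorted(exposed)}


if __name__ == "__main__":
    report = find_adminer_probes(SAMPLE_LOG.splitlines())
    for ip, paths in report["scanners"].items():
        print(f"scanner {ip} probed: {', '.join(paths)}")
    for ip, path in report["exposed"]:
        print(f"EXPOSED: {path} answered 2xx to {ip}")
```

The threshold and window are tunable; a single request for `adminer.php` is common background noise, while three or more distinct Adminer names from one address in a few seconds is the signature of a list-driven scanner. Any 2xx on one of those paths is the more urgent finding, because it means the scanner has just recorded the site as a target.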

We can only speculate that the attacker is either exploiting one of Adminer's past vulnerabilities to get into the database management interface, or brute-forcing their way into Adminer instances that sit in front of databases with default or easy-to-guess passwords.

Adminer, just like phpMyAdmin, SQL Buddy, and other similar tools, has little or no built-in brute-force protection, and a slow, distributed campaign like this one would not trip it anyway. Webmasters who use web-based GUIs for managing databases should consider switching to a CLI client over SSH, removing the tool from the web root when it is not in use, restricting it by IP address or HTTP authentication, or putting a WAF in front of it. If they can't afford a commercial product, free alternatives like ModSecurity and NinjaFirewall also exist.