gwillem/magento-malware-scanner

Should Adminer be flagged as malware?

Closed this issue · 7 comments

Technically, Adminer is not malware of course. However, it appears that Adminer is a commonly used tool by Magento exploiters to ensure future database access. General attack flow:

  1. Hacker gets in through SQL injection, Shoplift, Magmi, Webforms upload, or brute-forcing a weak admin password.
  2. Hacker fetches the database password from local.xml.
  3. Hacker drops backdoors to ensure future access. Backdoors are webshells, blanket eval or upload forms, or database webinterfaces (Adminer).

On our platform, we found roughly 100 Adminer installs. A sample validation revealed that most of them were not put there by the site owner.

What to do?

Good question, I would flag it as 3rd party software in a kind of notice or something with a path to it or something else. Malware is a bit too bad.

Hard to imagine legitimate uses of it. Might as well flag it as malware - if someone is using it on purpose they should know that and ignore what the malware scanner tells them in that case - or maybe you give them a configurable option to whitelist their adminer in a specific location in order for it not to come up in the scan report.

Also sqlyogtunnel, I met it a couple of times.

In my opinion, adminer does not belong anywhere near your store, at least not in production. I've seen way too many cases where adminer was amongst malicious code. My current cases also. I agree that it's not intended to be malware but given its strong relation, I think at least flagging it will do more good than bad. People who use it intentionally are aware of it and will probably refer to the docs if needed. So my suggestion is to be clear on that.
I have to document it anyway so I could provide some concept texts if the decision is to flag it.

As for ignoring, I haven't found a nice solution to do that in Yara but Yara's tagging / meta could be helpful for the yara part. You can select / deselect rules by their tags as parameters and optionally show the metadata. This way they could opt in/out of adminer. I use these tags to batch rules for certain scenarios, pretty helpful. I think ignoring would be possible with the abstraction layer?
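The tag-based opt-in/opt-out and the "whitelist your own adminer at a specific path" idea from the comments above, modelled as an added example in plain Python (stdlib only; not code from gwillem/magento-malware-scanner and not its real rules). The rule names, tags, match strings, severities, paths and file contents are constructed assumptions: rules carry YARA-style tags and meta, the caller selects rules by tag the way `yara -t TAG` narrows a scan, and a site owner can declare one Adminer path as intentional so it is skipped.

```python
"""Added illustration, not code from the magento-malware-scanner project:
a small pure-Python model of selecting signatures by tag, showing their meta,
and whitelisting a deliberately installed Adminer copy by path. Rule names,
tags, match strings, paths and file contents are constructed assumptions."""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    tags: frozenset
    meta: dict
    patterns: list                      # regexes, "any of them" semantics
    compiled: list = field(default_factory=list, repr=False)

    def __post_init__(self):
        self.compiled = [re.compile(p, re.IGNORECASE) for p in self.patterns]

    def matches(self, data: str) -> bool:
        return any(rx.search(data) for rx in self.compiled)


# Hypothetical signatures (assumed markers, not the scanner's real rules).
RULES = [
    Rule("adminer_possible_backdoor", frozenset({"backdoor", "thirdparty", "dbtool"}),
         {"description": "Adminer database web interface, often dropped after a compromise",
          "severity": "notice"},
         [r"Adminer\s*-\s*Compact database management", r"adminer\.org"]),
    Rule("sqlyogtunnel_possible_backdoor", frozenset({"backdoor", "thirdparty", "dbtool"}),
         {"description": "SQLyog HTTP tunnel script", "severity": "notice"},
         [r"SQLyogTunnel"]),
    Rule("php_eval_base64", frozenset({"backdoor", "webshell"}),
         {"description": "eval() of a base64-decoded payload", "severity": "critical"},
         [r"eval\s*\(\s*base64_decode\s*\("]),
]


def select_rules(rules, include_tags=None, exclude_tags=None):
    """Mimic tag-based selection: keep rules carrying any include tag,
    then drop rules carrying any exclude tag."""
    chosen = []
    for rule in rules:
        if include_tags and not rule.tags & set(include_tags):
            continue
        if exclude_tags and rule.tags & set(exclude_tags):
            continue
        chosen.append(rule)
    return chosen


def scan(files, rules, include_tags=None, exclude_tags=None, whitelist=()):
    """Return (path, rule name, severity) for every file that hits a selected rule.
    `files` maps path -> content; `whitelist` holds exact paths the site owner
    declared as intentional installs, which are skipped entirely."""
    active = select_rules(rules, include_tags, exclude_tags)
    findings = []
    for path, data in files.items():
        if path in whitelist:
            continue
        for rule in active:
            if rule.matches(data):
                findings.append((path, rule.name, rule.meta["severity"]))
    return findings


def report(findings, rules):
    """Render findings together with their metadata, like printing rule meta."""
    by_name = {r.name: r for r in rules}
    lines = []
    for path, name, severity in findings:
        lines.append(f"[{severity}] {path}: {name} - {by_name[name].meta['description']}")
    return "\n".join(lines)


# Constructed sample tree standing in for a Magento docroot.
SAMPLE_FILES = {
    "media/adminer.php": "<?php\n/** Adminer - Compact database management\n"
                         "* @link https://www.adminer.org/\n*/",
    "tools/adminer.php": "<?php\n/** Adminer - Compact database management */",  # owner's copy
    "skin/frontend/st.php": "<?php\n// SQLyogTunnel v1 constructed sample",
    "var/cache/x.php": "<?php eval(base64_decode('Y29uc3RydWN0ZWQ='));",
    "app/etc/local.xml": "<config><password>example</password></config>",
}


if __name__ == "__main__":
    # Scan everything, but skip the copy the site owner installed on purpose.
    print(report(scan(SAMPLE_FILES, RULES, whitelist=("tools/adminer.php",)), RULES))
```

Running the block reports the Adminer copy under `media/`, the tunnel script and the eval shell, and stays silent on the whitelisted `tools/adminer.php`; passing `exclude_tags=["dbtool"]` drops both database-tool notices while keeping the critical webshell hit, which is the opt-out the comment describes.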

Seen Adminer on a number of sites that I've looked at, and it has never been there legitimately as far as the developer is aware. I would +1 to keeping it in the scanner as being flagged to the user.

Corresponding Twitter poll:

60% yes
30% yes, optionally
10% no

I've added the Adminer signature as "adminer_possible_backdoor" in #59