Ugh. Nobody seems to know what this thing is, though it seems to be some kind of PHP worm roving the internet looking for phpMyAdmin exploits. It appears to have been around since 2005 and searches for an exploit in the phpMyAuth class of older phpMyAdmin distributions.

I’ve seen it knock one of my servers on three seperate occasions; this from the first:

[05/Jul/2007:20:26:42 -0500] "GET /mysql-admin/main.php HTTP/1.0" 404 280 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 285 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /main.php HTTP/1.0" 404 268 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 285 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 285 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 285 "-" "pmafind"
[05/Jul/2007:20:26:42 -0500] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 285 "-" "pmafind"

Interesting that it looks for specific versions of PHP. And odd that it announces itself by specifying a user-agent. (“Hi, worm here. Please let me in. Got a bit of infesting to do.”)

Deadmoo has a good, recent-ish post about it, though mostly Google just returns random posts and stats pages listing the pmafind referer. Where do these things come from?

One thought on “pmafind

  1. This script is designed by someone to look into websites where phpmyadmin and mysql was not configured properly.

    Some projects out there like XAMPP,defaults after installing to settings that leave the server open for attacks. Specifically phpmyadmin.

    When XAMPP installs mysql, it creates a root account with no password. And sets up phpmyadmin to access the mysql server through the root user, which does not need a password. When such access is available, the attacker can easily get into mysql and through it create a file that will give the attacker full shell access.

    I’ve tried it myself and it works.

    This is not a vulnerability or weaknesses on software, but through the ignorant use of software by users out there who have no idea what they are working on.

    XAMPP is a great project. The exploit is not tied to that project. It was provided as an example.

Leave a Reply

Your email address will not be published. Required fields are marked *