phpMyAdmin string contained in strange googlebot requests


phpMyAdmin string contained in strange googlebot requests

Post by jcalvert » Fri Jan 22, 2016 11:33 pm

Hi,

I am noticing these in my access logs:

[21/Jan/2016:22:25:44 -0500] "GET /component/content/?task=new&sectionid=12&Itemid=66&phpMyAdmin=3C8tBZBXnf7TtJAxs7MSxFQWVMf HTTP/1.1" 200 13910 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Today from IP 66.249.65.184. Host is crawl-66-249-65-184.googlebot.com.

Any ideas why these are coming from Googlebot and why "phpMyAdmin=3C8tBZBXnf7TtJAxs7MSxFQWVMf" is appearing in the request?

thanks,
JC

ps> And why is bingbot trying to access this file? ...

/var/www/vhosts/XXXXX.com/logs/access_log:40.77.167.2 - - [22/Jan/2016:10:57:07 -0500] "GET /test/fcgi/test.html HTTP/1.1" 404 1298 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

% host 40.77.167.2
2.167.77.40.in-addr.arpa domain name pointer msnbot-40-77-167-2.search.msn.com.


Re: phpMyAdmin string contained in strange googlebot request

Post by Bernard T » Sat Jan 23, 2016 6:47 am

If you search the web you will find that PHPMyAdmin parameter is not rare.
Check your Google Webmaster Tools to see what links GoogleBot has gathered from your website, and if you want to block those and similar links.

Bots are nosy, and even use your (or someone else's) browser history (with your EULA permission) as an indexing link source...
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak


Re: phpMyAdmin string contained in strange googlebot request

Post by jcalvert » Sat Jan 23, 2016 10:34 am

Bernard T wrote: "If you search the web you will find that PHPMyAdmin parameter is not rare."

Well, what sense does it make in the context of that request being made to a Joomla site? Why would "phpMyAdmin=3C8tBZBXnf7TtJAxs7MSxFQWVMf" be tacked onto what looks like a Joomla command to create a new article? It makes no sense at all to me.

It looks like evidence of a bug, and I do recall in old versions of Joomla that the same string was erroneously appearing in places in the Joomla database. I still see evidence of it in the banners table after upgrade to Joomla 3.4.


Re: phpMyAdmin string contained in strange googlebot request

Post by Bernard T » Sat Jan 23, 2016 11:52 am

In current Joomla core, this parameter doesn't have any purpose at all.

If you think it's a bug somewhere in the code you use, go ahead and hunt it down.


Re: phpMyAdmin string contained in strange googlebot request

Post by jcalvert » Mon Jan 25, 2016 11:52 pm

I remember this from a long time ago (I've been doing Joomla for about 10 years). But I recall that there was an explanation for it that was not related to hacking. I think it was a bug maybe in phpMyAdmin related to character encoding. These "phpMyAdmin" strings were erroneously inserted. I'll see if I have any record of that.

Here is a related post I just found:
http://forum.joomla.org/viewtopic.php?f=267&t=287655


Re: phpMyAdmin string contained in strange googlebot request

Post by jcalvert » Tue Jan 26, 2016 1:01 am

I have found the problem, which is a bug related to an old version of phpMyAdmin running in the Plesk environment (but perhaps not limited to Plesk).

Here's the bug report: http://sourceforge.net/p/phpmyadmin/bugs/2701

The glitch occurred with older versions of phpMyAdmin when a database was exported to a .SQL file. Sometimes the HTML links in the data would be corrupted, as in this example:

<a href="/?q=Tour">

becomes...

<a href="/?q=Tour&phpMyAdmin=495c4873821at4e2fcff0">

This glitch may have affected anyone who used phpMyAdmin to export their Joomla database to a .SQL file, and then later imported from that .SQL file. One way this can happen is moving a site from one server to another. The corrupted links will persist in the database until they are manually removed; therefore many Joomla sites may have these. However, they are harmless.

Current versions of phpMyAdmin should no longer have this bug. I have verified that my version, 4.1.12, has code in /phpMyAdmin/export.php that should eliminate the problem.

Now to answer my original question... why are googlebot and other bots trying to follow these links, as shown in the access logs? Answer: Because they exist in the Joomla site's content.

JC
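
Added example, not part of the thread and not phpMyAdmin or Joomla code: one way to strip the injected parameter from an exported .sql dump before re-importing it, and to list the polluted URLs that crawlers request according to the access log. It goes beyond the single case shown above by also handling the parameter as the first query parameter, `&amp;`-encoded separators and escaped quotes in dump files; the token alphabet, the table name and the function names are assumptions.

```python
import re

# Token alphabet is an assumption drawn from the two samples in the thread.
_PARAM = r"phpMyAdmin=[A-Za-z0-9,-]+"
_SEP = r"(?:&amp;|&)"
# Parameter appended after other parameters: "...&phpMyAdmin=TOKEN"
_TRAILING = re.compile(_SEP + _PARAM)
# Parameter first in the query string; the lookahead accepts the end of a URL,
# including the backslash of an escaped quote (\") inside a .sql dump.
_LEADING = re.compile(r"\?" + _PARAM + r"""(?:(?:&amp;|&)|(?=[\\"'\s#<>]|$))""")
_REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def strip_pma_param(text):
    """Remove injected phpMyAdmin=TOKEN parameters; return (text, count)."""
    text, trailing = _TRAILING.subn("", text)

    def keep_query_mark(match):
        # Keep "?" only when other parameters follow the removed one.
        return "?" if match.group(0).endswith(("&", "&amp;")) else ""

    text, leading = _LEADING.subn(keep_query_mark, text)
    return text, trailing + leading


def polluted_requests(log_lines):
    """Cleaned request targets of access-log entries that carried the parameter."""
    hits = []
    for line in log_lines:
        match = _REQUEST.search(line)
        if match and "phpMyAdmin=" in match.group(1):
            hits.append(strip_pma_param(match.group(1))[0])
    return hits


# Constructed sample data: one dump row modelled on the thread's example link
# (table name is hypothetical) and the access-log entry quoted in the first post.
SAMPLE_SQL = r"""INSERT INTO example_table VALUES (1, '<a href=\"/?q=Tour&phpMyAdmin=495c4873821at4e2fcff0\">Tour</a>');"""
SAMPLE_LOG = [
    '[21/Jan/2016:22:25:44 -0500] "GET /component/content/?task=new&sectionid=12'
    '&Itemid=66&phpMyAdmin=3C8tBZBXnf7TtJAxs7MSxFQWVMf HTTP/1.1" 200 13910 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '40.77.167.2 - - [22/Jan/2016:10:57:07 -0500] "GET /test/fcgi/test.html HTTP/1.1" 404 1298',
]

if __name__ == "__main__":
    print(strip_pma_param(SAMPLE_SQL))
    print(polluted_requests(SAMPLE_LOG))
```

Run it on a copy of the dump and compare the removal count with a plain search for `phpMyAdmin=` before importing the cleaned file.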

