In this release we have deployed an addition to the default user-configurable NGINX configuration which will block vulnerability probes against Adminer. Adminer is a phpMyAdmin-like single-file PHP script that you can install in your shop as an easy web interface for MySQL. Yesterday, Hypernode co-founder and security researcher Willem de Groot discovered that an older version of this application is currently being abused in the wild to hack Magento shops.

We too have seen a platform-wide increase in probes against Adminer URLs, mostly originating from a small number of specific countries.

Because the frequency of probes is increasing, we will now block requests to Adminer URLs if they originate from certain countries. This not only makes shops that use Adminer more secure, it also removes unnecessary strain on the web server's resources for shops that don't use Adminer at all.

There are of course valid uses of Adminer, so if you are developing a shop from one of the countries that is now blocked by default and need access, you can edit the new NGINX rule in /data/web/nginx/server.protect_adminer to remove a country code from the list or to add your IP as an exception.

$ cat /data/web/nginx/server.protect_adminer
set $adminer_suspicious 0;

if ($request_uri ~ .*.adminer.*) {
    set $adminer_suspicious "${adminer_suspicious}1";
}

if ($geoip_country_code ~ (CN|HK|BR|UA|RU) ) {
    set $adminer_suspicious "${adminer_suspicious}1";
}

if ($adminer_suspicious = 011) {
    # If the URL is an adminer request and the IP is from a country
    # from which we have detected large brute-force probes in the past,
    # we deny the request for security. If you do have a legitimate use
    # for adminer from an IP in one of the countries in the if statement
    # above, you can remove that country code from the list above.
    return 403;
}
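As an added example (not the rule shipped in /data/web/nginx/server.protect_adminer itself), this is what the file looks like after adding an exception for a single developer address instead of removing a whole country code. The address 203.0.113.10 is a placeholder from the documentation range; replace it with your own IP. NGINX has no logical AND in `if`, which is why the original rule appends a 1 to a flag string per condition and compares the result to 011; the exception uses the same trick in reverse and appends a 0 for the trusted address, so the final comparison no longer matches and the request is served:

```nginx
# Added example: server.protect_adminer with a per-IP exception.
set $adminer_suspicious 0;

# Flag 1: the request targets an Adminer URL
if ($request_uri ~ .*.adminer.*) {
    set $adminer_suspicious "${adminer_suspicious}1";
}

# Flag 2: the client IP geolocates to a country with heavy probe traffic
if ($geoip_country_code ~ (CN|HK|BR|UA|RU) ) {
    set $adminer_suspicious "${adminer_suspicious}1";
}

# Exception: a trusted developer address (placeholder, replace with your own).
# Appending a 0 turns "011" into "0110", so the deny rule below no longer fires.
if ($remote_addr = 203.0.113.10) {
    set $adminer_suspicious "${adminer_suspicious}0";
}

# Deny only when both flags were set and no exception applied
if ($adminer_suspicious = 011) {
    return 403;
}
```

Run `nginx -t` before reloading so a typo in the file cannot take the vhost down. One caveat: `$remote_addr` is the address of the peer that opened the TCP connection, so if a proxy or CDN sits in front of NGINX it will hold the proxy's address rather than yours, and the exception would have to be based on the real client address (for example via the realip module) instead.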

Note that if you are running a vulnerable version of Adminer it is recommended that you upgrade, as this new configuration will block some probes, but not all.

Adminer versions 4.3.1 up to 4.6.2 were all found to be vulnerable.
Adminer 4.6.3 was released in June 2018 and appears safe.
- Willem de Groot

Changes will be deployed over the course of the coming week.