In a previous release we deployed a server-side mitigation that blocks requests to Adminer URLs from a number of countries known to be the origin of ongoing brute-force attacks. Initially we only blocked a conservative number of countries, so as not to impact any legitimate use of Adminer from the countries our customers generally operate from.

Additionally, updating vulnerable applications in the web shop remains the responsibility of the shop developer. Our web application firewall (WAF) is only meant to serve as a first line of defence: it remains important to patch and upgrade any vulnerable code, because the attack patterns may change.

In the past week we have also seen this vulnerability being actively abused in the wild from western country codes such as SE, NL and US, via Tor IPs. Notably, between 2019-02-17 and 2019-02-20 there was a large number of probes targeting vulnerable versions of Adminer in Magento shops; they attempted to make Adminer connect to an allegedly rogue MySQL server, TCP-tunneled via ngrok, in order to make it upload local files and so obtain credentials.

In this release we deploy a new NGINX configuration that overwrites the previously placed mitigation, provided it has not since been edited by the user. The new NGINX rule blocks any request containing adminer in the URL.

if ($request_uri ~ .*.adminer.*) {
    # If adminer appears in the requested URL we deny the request for
    # security. If you do have a legitimate use for adminer you can
    # change this rule to exclude your IP.
    return 403;
}

We have attempted to detect any legitimate use of Adminer based on recent logs and have whitelisted non-suspicious IPs to prevent real users from being locked out. If we did that on your node, you will have been mailed individually by our support with the details.

If you wish to exclude your own IP from this mitigation, you can edit the relevant config file as follows:

vim /data/web/nginx/server.protect_adminer

And configure an IP to be excluded from the block like so:

# Block all access to adminer except for the whitelisted IP.
# NGINX "if" cannot combine conditions, so we accumulate a flag string:
# start at "0" and append "1" for every condition that matches.
set $adminer_suspicious 0;

# Condition 1: adminer appears in the requested URL -> "01"
if ($request_uri ~ .*.adminer.*) {
    set $adminer_suspicious "${adminer_suspicious}1";
}

# Condition 2: the client is not the whitelisted IP -> "011"
if ($remote_addr != 1.2.3.4) {
    set $adminer_suspicious "${adminer_suspicious}1";
}

# Only deny when both conditions matched.
if ($adminer_suspicious = 011) {
    return 403;
}

Replace 1.2.3.4 with your own IP address.
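Before editing /data/web/nginx/server.protect_adminer it helps to know which clients have been using Adminer and which requests the rule will deny. The following Python script is an added example, not part of this release or of NGINX: it parses a few constructed access-log lines in the combined format, counts Adminer requests per client IP split by response status (a returning admin tends to get 200s, a scanner tends to get 404s), and replays the flag-accumulation logic of the rule above. It generalises the single whitelisted IP from the config to a set of IPs; the sample log lines, IPs and timestamps are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of nginx combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [18/Feb/2019:03:14:07 +0000] "GET /adminer.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Feb/2019:03:14:09 +0000] "POST /adminer.php?server=198.51.100.7 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Feb/2019:03:15:11 +0000] "GET /adminer-4.6.2.php HTTP/1.1" 404 162 "-" "python-requests/2.21.0"
198.51.100.23 - - [18/Feb/2019:03:15:12 +0000] "GET /db/adminer.php HTTP/1.1" 404 162 "-" "python-requests/2.21.0"
192.0.2.5 - - [18/Feb/2019:09:01:00 +0000] "GET /index.php HTTP/1.1" 200 20481 "-" "Mozilla/5.0"
192.0.2.5 - - [18/Feb/2019:09:02:30 +0000] "GET /adminer.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method uri proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Same regex as the nginx rule on this page (the unescaped dot matches any character).
ADMINER_RE = re.compile(r'.*.adminer.*')


def parse_line(line):
    """Return a dict of log fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def adminer_suspicious(uri, remote_addr, allowed_ips):
    """Mirror the nginx flag-accumulation trick: start with "0", append "1"
    for each matching condition, deny only when both matched ("011").
    allowed_ips is a set, generalising the single IP in the config."""
    flags = "0"
    if ADMINER_RE.match(uri):
        flags += "1"
    if remote_addr not in allowed_ips:
        flags += "1"
    return flags == "011"


def adminer_hits_by_ip(log_text):
    """Count Adminer requests per client IP, split by HTTP status code."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not ADMINER_RE.match(rec["uri"]):
            continue
        hits.setdefault(rec["ip"], Counter())[rec["status"]] += 1
    return hits


def simulate_rule(log_text, allowed_ips):
    """Replay the log against the rule; return (blocked, allowed) request counts."""
    blocked = allowed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if adminer_suspicious(rec["uri"], rec["ip"], allowed_ips):
            blocked += 1
        else:
            allowed += 1
    return blocked, allowed


if __name__ == "__main__":
    for ip, statuses in adminer_hits_by_ip(SAMPLE_LOG).items():
        print(f"{ip:16} adminer hits by status: {dict(statuses)}")
    whitelist = {"192.0.2.5"}  # the IP you would put in place of 1.2.3.4
    print("blocked/allowed with whitelist:", simulate_rule(SAMPLE_LOG, whitelist))
    print("blocked/allowed without whitelist:", simulate_rule(SAMPLE_LOG, set()))
```

Run it against a real file with `adminer_hits_by_ip(open("/data/web/nginx/access.log").read())` or whichever access log your node writes; an IP that only ever receives 404s on Adminer-like paths is a scanner, not a candidate for the whitelist.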