{"id":11446,"date":"2026-03-19T04:03:36","date_gmt":"2026-03-19T04:03:36","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/19\/32808\/"},"modified":"2026-03-19T04:03:36","modified_gmt":"2026-03-19T04:03:36","slug":"32808","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/19\/32808\/","title":{"rendered":"Scans for &#8220;adminer&#8221;, (Wed, Mar 18th)"},"content":{"rendered":"\n<div>Scans for &#8220;adminer&#8221;, (Wed, Mar 18th)<\/div>\n<div>\n<p>A very popular target of attackers scanning our honeypots is &#8220;phpmyadmin&#8221;. phpMyAdmin is a script first released in the late 90s, before many security concepts had\u00a0been discovered. Its rich history of vulnerabilities made it a favorite target. Its alternative, &#8220;adminer&#8221;, began appearing about a decade later (https:\/\/www.adminer.org). One of its main &#8220;selling&#8221; points was simplicity. Adminer is just a single PHP file. It requires no configuration. Copy it to your server, and you are ready to go. &#8220;adminer&#8221; has a much better security record\u00a0and claims to prioritize security in its development.<\/p>\n<p>So how does it deal with configurations for database connection parameters? The simple answer: It does not. Instead of using its own authentication or access control, Adminer simply asks the user to enter the SQL username and password they want\u00a0to use to connect to the database. This is certainly not a terrible idea. Let the database deal with it! SQL databases have\u00a0robust access controls, so there is no need to reinvent the wheel. Not having to store database credentials in a secrets file also removes several security headaches.<\/p>\n<p>But&#8230; these credentials are, of course, still subject to brute-forcing. Adminer thought about that, and only allows 30 login attempts in 30 minutes. 
One may argue that this is &#8220;generous&#8221;, but they thought about it. The main weakness is likely users who choose weak passwords\u00a0and rely on SQL authentication; there is no easy way to implement two-factor authentication. Adminer mitigates some of these issues with security plugins that implement OTP protection and other security features.<\/p>\n<p>This likely explains why attackers are scanning for it, and they have been scanning quite aggressively lately:<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"Graph of adminer scan volume\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/Screenshot%25202026-03-18%2520at%25208_56_32%25E2%2580%25AFAM.png?ssl=1\" style=\"width: 600px; height: 335px;\"><\/p>\n<p>The increase in the number of URLs scanned is noteworthy. In phpMyAdmin scans, attackers often attempt to find obfuscated URLs used to host phpMyAdmin,\u00a0such as &#8220;\/pma\/&#8221;. For Adminer, attackers are scanning for different versions of the file. The filename released by Adminer includes the version number and the language or database type. For example, &#8220;adminer-5.4.2-mysql-en.php&#8221; is the English version for MySQL.<\/p>\n<p>In short: Do not forget to read the security advice provided by Adminer, and you probably do not want to open Adminer to the internet.<\/p>\n<p>&#8212;<br \/>\nJohannes B. Ullrich, Ph.D., Dean of Research, <a href=\"https:\/\/sans.edu\/\">SANS.edu<\/a><br \/>\n<a href=\"https:\/\/jbu.me\/164\">Twitter<\/a><\/p>\n<p> (c) SANS Internet Storm Center. 
https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n<p><a href=\"https:\/\/isc.sans.edu\/diary\/rss\/32808\">Go to isc.sans.edu<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Scans for &#8220;adminer&#8221;, (Wed, Mar 18th) A very popular target of attackers scanning our honeypots is &#8220;phpmyadmin&#8221;. phpMyAdmin is a script first released in the late 90s, before many security concepts had\u00a0been discovered. Its rich history of vulnerabilities made it a favorite target. Its alternative, &#8220;adminer&#8221;, began appearing about a decade later (https:\/\/www.adminer.org). One of [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[69],"class_list":["post-11446","post","type-post","status-publish","format-standard","hentry","category-isc-sans-edu","tag-isc-sans-edu"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11446"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11446"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11446\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11446"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11446"},{"taxonomy":"post_tag","embeddable":true,"hre
f":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11446"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}