Rootkits and backdoors
Posted: 24. September 2008 11:07Over the course of the last six months I've had three different attacks on the xampp install, which lead to infection of different rootkits and backdoors.
All of them targeted phpMyAdmin, and were specifically made to infect XAMPP installations. One, for example, managed to modify one of the php files in phpMyAdmin, allowing someone to upload a file to my server _and_ execute it. Some weeks later I could see from the apache logs that a file "Kit.exe" had in fact been uploaded from some machine in Holland. Soon after the computer where infected with rootkits and remote desktop login software. The Kit.exe was cleverly made, hiding all tracks of itself, cleaning logs, modifying file dates etc. Luckily for me the user behind this was stupid and I actually caught her/him logged in from remote desktop while I was doing the same.
Point of this story: xampp is specifically and widely targeted for infections, and imho it's because of the default security settings. I think these should be changed so the system can not be used until proper security has been set.
Another point is of course that I should have learned my lesson the first time and made sure I'd cranked up security before putting the computer online
But I install xampp so often, mostly on offline computers, it's easy to forget. Then suddenly you need network and put the computer online over night...
All of them targeted phpMyAdmin, and were specifically made to infect XAMPP installations. One, for example, managed to modify one of the php files in phpMyAdmin, allowing someone to upload a file to my server _and_ execute it. Some weeks later I could see from the apache logs that a file "Kit.exe" had in fact been uploaded from some machine in Holland. Soon after the computer where infected with rootkits and remote desktop login software. The Kit.exe was cleverly made, hiding all tracks of itself, cleaning logs, modifying file dates etc. Luckily for me the user behind this was stupid and I actually caught her/him logged in from remote desktop while I was doing the same.
Point of this story: xampp is specifically and widely targeted for infections, and imho it's because of the default security settings. I think these should be changed so the system can not be used until proper security has been set.
Another point is of course that I should have learned my lesson the first time and made sure I'd cranked up security before putting the computer online
But I install xampp so often, mostly on offline computers, it's easy to forget. Then suddenly you need network and put the computer online over night...